Wednesday, November 20, 2013

Finally solved my Wii-U eShop error issue!

We've been trying to purchase the Pikmin 3 DLC for the last week or so. Every time we get about halfway through the eShop purchase, the eShop app gets an error code (useless!) and exits. Sometimes we get further than other times, and once it fails, it seems to fail faster.

Using the Nintendo Wii-U eShop seems to be a common problem found on the Nintendo forums. Originally it was an issue with the Wi-Fi reception. But there still seem to be a few cases here and there, and we use a wired connection. I was stumped. It didn't seem to matter what time of day either.

So today I was looking at my firewall logs and noticed:
[4582372.494624] iptables drop ratelimit:
IN=eth0 OUT= MAC=... SRC= DST=... LEN=93 TOS=0x00 PREC=0x20
TTL=59 ID=27348 DF PROTO=TCP SPT=443 DPT=4040 WINDOW=18666 RES=0x00 ACK PSH URGP=0

A lot of those. That's weird. That IP is an Akamai address. And I seem to get a lot from them, from Akamai's port 443 to a random port on my system.

Akamai says:
Our firewall has detected that Akamai-controlled IP addresses are attempting to access our IP address via a number of different ports. This seems to be an attack. What is going on? 

The messages you see indicate that users behind your firewall are running the Akamai NetSession Interface. The Akamai NetSession Interface is a download manager client that is used on behalf of an Akamai customer to download software or other digital content. The Akamai NetSession Interface uses both TCP and UDP based protocols to download content and facilitate connectivity through network devices such as proxies, firewalls & NAT (network address translation) devices.

Huh! I wonder if Nintendo is using a similar download manager protocol in the eShop for the interface. Or maybe I have downloads downloading in the background that are triggering a firewall rule.

Now about that rule -- the rule I have is that if you send me enough packets that I decide to drop, I blacklist the IP:

-A INPUT_FORWARD_FW -i eth0 -j DROP -m recent --set --name badguys

Combined with the following to just drop all of their packets:

-A INPUT_FORWARD_FW -i eth0 -m recent --rttl --name badguys --update --seconds 60 -j DROP

Once I removed the first rule, I was immediately able to complete an eShop transaction.

So I wonder how many people out there who are having trouble with the eShop are having trouble from smart firewall routers (mine is Linux) that blacklist IP addresses if they try to contact blocked ports too often.
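
Before turning on a drop-and-blacklist rule like the one above, it helps to check which sources it would actually catch. The following is an added example, not code from the original post: it parses drop-log lines in the format quoted earlier and separates sources that sent new inbound connection attempts from sources whose dropped packets look like server replies. The sample lines and addresses are constructed, and treating an ACK-flagged packet from a source port below 1024 as probable reply traffic is a heuristic assumed here.

```python
import re
from collections import Counter

# Constructed sample lines in the kernel LOG format quoted in the post.
# All addresses are RFC 5737 documentation ranges, not values from the post.
SAMPLE_LOG = """\
[1.000001] iptables drop ratelimit: IN=eth0 OUT= MAC=00:00:5e:00:53:01 SRC=203.0.113.10 DST=192.0.2.7 LEN=93 TOS=0x00 PREC=0x20 TTL=59 ID=27348 DF PROTO=TCP SPT=443 DPT=4040 WINDOW=18666 RES=0x00 ACK PSH URGP=0
[1.500002] iptables drop ratelimit: IN=eth0 OUT= MAC=00:00:5e:00:53:01 SRC=203.0.113.10 DST=192.0.2.7 LEN=52 TOS=0x00 PREC=0x20 TTL=59 ID=27349 DF PROTO=TCP SPT=443 DPT=4040 WINDOW=18666 RES=0x00 ACK FIN URGP=0
[2.000003] iptables drop ratelimit: IN=eth0 OUT= MAC=00:00:5e:00:53:01 SRC=198.51.100.99 DST=192.0.2.7 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=5121 DF PROTO=TCP SPT=51544 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
[2.200004] iptables drop ratelimit: IN=eth0 OUT= MAC=00:00:5e:00:53:01 SRC=198.51.100.99 DST=192.0.2.7 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=5122 DF PROTO=TCP SPT=51545 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")          # KEY=value pairs, value may be empty
TCP_FLAGS = {"SYN", "ACK", "PSH", "RST", "FIN", "URG"}  # bare tokens in the LOG line

def parse_line(line):
    """Return (fields, flags) for a TCP drop-log line, or None for anything else."""
    fields = dict(FIELD.findall(line))
    if fields.get("PROTO") != "TCP" or "SRC" not in fields:
        return None
    return fields, {tok for tok in line.split() if tok in TCP_FLAGS}

def classify(fields, flags):
    """Label one dropped packet by what it most likely was."""
    if "SYN" in flags and "ACK" not in flags:
        return "new-connection"      # unsolicited inbound connection attempt
    if "ACK" in flags and int(fields.get("SPT", "65535")) < 1024:
        return "server-reply"        # heuristic: reply from a service port
    return "other"

def triage(log_text):
    """Count dropped TCP packets per (source address, class)."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            counts[(parsed[0]["SRC"], classify(*parsed))] += 1
    return counts

def split_sources(log_text):
    """Return (collateral, candidates): reply-like sources vs. probe-only sources."""
    counts = triage(log_text)
    collateral = sorted({src for (src, kind) in counts if kind == "server-reply"})
    candidates = sorted({src for (src, kind) in counts if kind == "new-connection"} - set(collateral))
    return collateral, candidates

if __name__ == "__main__":
    print(split_sources(SAMPLE_LOG))
```

Sources in the first list are ones a blacklist keyed on any dropped packet would cut off for the full timeout, which is the behaviour described above.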

...And tomorrow we shall try out the new Pikmin levels!  :)