1. Your DNS cache is part of your PC’s networking software. Your web browser will ask the TCP networking library (WinSock in Windows, Berkeley Sockets if you use Linux or a Mac) to “Open up a (TCP socket) connection to glastonbury.seetickets.com which will be listening on port 80″, and as far as it knows it’s got a connection to the website that it can read stuff from and write stuff to. Behind the scenes what will actually happen is WinSock will look in the DNS cache for glastonbury.seetickets.com and if it isn’t listed, or the listing is out of date, it will send a packet of information (a special IP packet on UDP port 53) to one of your internet service provider’s DNS servers (well, usually your router’s DNS server, which will ask your ISP’s DNS servers). This request will go from parent to child, from .com to ask for seetickets, to seetickets to ask for glastonbury, and eventually a DNS response packet will be relayed back to your machine. This response contains the location of the server on the network (its IP address) and the amount of time the address is valid for (the TTL; time to live), and this is saved to your DNS cache so you don’t have to ask for it again next time.

Internet Protocol (IP) is basic delivery service that routes individual parcels of data (packets) between computers. It doesn’t have any concept of which packet is supposed to come first or which program wanted it, packets aren’t even guaranteed to arrive because they could get lost. This is where Transmission Control Protocol (TCP) comes in. TCP sockets are like a two-way conversation that’s built on top of this delivery network, inside the packets we have information like “this is the 5th packet of information”, “this is a delivery receipt for everything up to packet 58″, “hello? are you still there?”, but to a program like a web browser it looks like a solid pipe that can send and receive information.

So to download a web page your browser has to open a TCP socket. This starts off with a “handshake” where the connector says “let’s talk” (SYN), the listener replies with “hey, I’m listening, did you really ask me to talk?” (ACK) and the connector says “yep that was me” (SYN-ACK).

Okay, that’s enough background so you’ll understand my answer to your second question…

2. They told seetickets.com’s DNS servers to return the correct IP address for glastonbury.seetickets.com randomly, to lucky winners, so most people were given the wrong directions. The address they’re given is a special address which isn’t on the public Internet, it’s on your own home network so your SYN “let’s talk” packets don’t even get a chance to clog up their pipes! So WinSock is sat around waiting for an ACKnowledgement and your browser is sat there waiting to connect until it gets bored and decides nobody’s home, the SYN packet never arrived because it was sent to the wrong place.

Because they set the expiry time to 60 seconds plus each time you move forward a page your browser makes a fresh connection to the site, if 60 seconds have passed you will request a new IP address and probably be given the wrong one. So unless you’re a quick typist you’d have to “win” the right IP address multiple times to get through.

The whole reason for this is because they have two weedy computers on a crummy network and wanted to serve hundreds of thousands of people, so they had to do some dirty trick to make sure everyone didn’t flood them, but they made a bad decision.

3. Finding the proper IP is pretty simple, the clever part is figuring out that they gave you a bad address in the first place. Much to my shame I didn’t actually figure it out myself because I was in buying frenzy mode. To figure it out you’d need to record the network with a tool like Wireshark, to read the trace and realise that the IP address is wrong. You’d need a keen eye to spot that. Comparing a connection that fails with one that works will give you the correct IP address too, much easier.

When the first server had crashed I found the second server by doing some Internet sleuthing, there are websites which record the IP addresses that have been used with different domain names and See had leaked this information (LOL). I was also extra cheeky towards the end, I guessed that their “www” server would be running the same software and put its IP address in my hosts file and managed to get to the booking page, but tickets had run out by then.

If you’re really interested in this stuff I recommend reading up on the OSI Network Model and the Internet Protocol Suite, have a mess around with Wireshark and do a bit of network programming if you’re into that sort of thing. Also learn the basic command line tools and where your network settings are and what they all mean.

[WORDPRESS HASHCASH] The poster sent us ’0 which is not a hashcash value.

Glastonbury announced that they’d sold half the tickets, then 20 minutes later (after the host-file change went public) they sold out. By my reckoning that’s somewhere between 60,000 and 70,000 tickets in 20 minutes.