
Chribba
Otherworld Enterprises Otherworld Empire
|
Posted - 2007.01.03 15:54:00 -
[1]
For the past few days I've been fighting Chinese spam networks with temporary success. Bots roaming through links in search of email addresses to abuse have been hitting EVE-Files hard in the past days, and for some reason they seem to have trouble with movie files - and as you know EVE-Files contains LOTS of movies.
The result is that the bots keep requesting the movies over and over again, taking up massive amounts of resources. Until a few days ago I had been limiting the number of simultaneous connections to EVE-Files to a hard 5,000. Once the bots started making requests, this limit was reached within minutes, causing all other requests to be denied (some of you may have noticed unusual errors when trying to connect).
I then decided to double the limit; on a normal day there are usually 1,500-2,000 simultaneous connections, so 5,000 should easily have been enough. Earlier today the new limit of 10,000 wasn't enough. Approx. 8,500 of these connections belonged to around 10-12 different IPs - sure my Veldspar movies are popular... but not that popular.
So, before deciding to block a major part of all Chinese IPs, I am making some changes to EVE-Files requests. This will have a negative impact on some users, and for that I am sorry, but this is getting out of hand and I chose to do it this way before it is too late, and I hope that it works out for the better.
Many of these bots, strange as it might be, are using Norton Internet Security Personal Firewall. As I've been watching these bots connect and keeping an eye on their activity, I've noticed that they keep sending "Weferer" headers rather than "Referer" ones.
Some quick Googling on the subject reveals the following:
Leon Degeling of www.consumentenbond.nl emailed me to let me know what it was - it's caused by the Norton Internet Security personal firewall, which creates it as part of its referer mangling process.
So, phase one is that I've simply blocked all requests using "Weferer" headers. Those of you who use NISPF may get blocked too; my suggestion is that you switch fw or at least see if there is any way of not modifying "Referer" headers (I have no clue if this is possible or not).
How this turns out will aid me in future steps; unfortunately, blocking the major parts of China's IP ranges may become a reality.
Sorry for any trouble this may cause you. But feel free to whine, as that would give me an indication of how many non-spammers I affect with this change.
/c
EVE-Files | EVE-Search | Monitor this Thread |
|
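Added example, not part of the original post: a small triage over a snapshot of open connections that measures what the post describes, namely how concentrated the load is on a few IPs and who a blanket "Weferer" block would catch. The function names, the threshold and the sample data (documentation-range addresses, made-up header values) are assumptions constructed for illustration.

```python
from collections import Counter

MANGLED = "weferer"  # header name the post reports in place of "Referer"


def sends_weferer(headers):
    """True if any header name is the mangled one (header names are case-insensitive)."""
    return any(name.strip().lower() == MANGLED for name in headers)


def triage(connections, heavy_threshold):
    """connections: list of (ip, headers) pairs, one per open connection.

    Splits Weferer-sending IPs into heavy ones (more than heavy_threshold open
    connections) and light ones. Light senders are the likely collateral of a
    header-only block; heavy IPs without the header are what that block misses.
    """
    if not connections:
        raise ValueError("empty snapshot")
    per_ip = Counter(ip for ip, _ in connections)
    weferer_ips = {ip for ip, headers in connections if sends_weferer(headers)}
    heavy = {ip for ip, n in per_ip.items() if n > heavy_threshold}
    heavy_share = sum(per_ip[ip] for ip in heavy) / len(connections)
    return {
        "heavy": sorted(heavy),
        "heavy_share": round(heavy_share, 3),
        "weferer_heavy": sorted(weferer_ips & heavy),
        "weferer_light": sorted(weferer_ips - heavy),
        "heavy_without_weferer": sorted(heavy - weferer_ips),
    }


def sample_connections():
    """Constructed snapshot of 1,000 open connections (not real traffic)."""
    host = {"Host": "files.example"}
    conns = []
    # Two heavy clients that send the mangled header.
    conns += [("203.0.113.10", {"Weferer": "constructed-value", **host})] * 400
    conns += [("203.0.113.11", {"weferer": "constructed-value", **host})] * 350
    # One heavy client that sends no referer header at all.
    conns += [("203.0.113.12", dict(host))] * 100
    # An ordinary visitor behind the same personal firewall.
    conns += [("198.51.100.5", {"Weferer": "constructed-value", **host})] * 2
    # Ordinary visitors, one connection each, with a normal Referer header.
    for i in range(148):
        conns.append((f"192.0.2.{i + 1}", {"Referer": "http://forum.example/t/1", **host}))
    return conns


if __name__ == "__main__":
    for key, value in triage(sample_connections(), heavy_threshold=20).items():
        print(key, value)
```

In this constructed snapshot three IPs hold 85% of the connections, the header rule stops two of them, misses the third, and also blocks one light user.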

Jim McGregor
|
Posted - 2007.01.03 15:56:00 -
[2]
Edited by: Jim McGregor on 03/01/2007 16:00:28
Isn't it better to just block their IP range? 10-12 different IPs doesn't sound like that much.
--- Eve Wiki | Eve Tribune | Eve Pirate |

Rakeris
Legio VIII
|
Posted - 2007.01.03 16:01:00 -
[3]
I say just block the IP range. :p
But a better question may be, why are they doing it? 0.o
---------- I gave up on sigs. As all the beatings are starting to hurt and leave nasty bruises. |

Trek
Minmatar N.A.G.A Corporation
|
Posted - 2007.01.03 16:03:00 -
[4]
How about using a pf firewall or similar and blocking the IP address once it has made x connection attempts in the last 10 minutes or something? Suitable numbers would be up to you to calculate since you know more than anyone about the usage statistics.
I use this on my own network since I got sick of having hundreds, sometimes thousands, of failed ssh login attempts every day in my security logs.
(oh and greetings from an old corpmate!)
--- My other ship is a Reaper
|
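Added example, not part of the original post and not pf itself: the "x connection attempts in the last 10 minutes" rule from the post above, written as a sliding-window limiter. The class and parameter names are hypothetical, and the expiring block (`block_for`) is an assumption added here so that a blocked address is released after a while.

```python
from collections import defaultdict, deque


class ConnectionRateGuard:
    """Deny a source IP once it exceeds max_attempts within `window` seconds."""

    def __init__(self, max_attempts, window, block_for):
        self.max_attempts = max_attempts
        self.window = window
        self.block_for = block_for
        self._attempts = defaultdict(deque)  # ip -> timestamps of recent attempts
        self._blocked_until = {}             # ip -> time at which the block expires

    def allow(self, ip, now):
        """Record one connection attempt at time `now`; return True if accepted."""
        until = self._blocked_until.get(ip)
        if until is not None:
            if now < until:
                return False                 # still blocked, attempt not counted
            del self._blocked_until[ip]      # block expired, start fresh
        recent = self._attempts[ip]
        while recent and now - recent[0] >= self.window:
            recent.popleft()                 # forget attempts older than the window
        recent.append(now)
        if len(recent) > self.max_attempts:
            self._blocked_until[ip] = now + self.block_for
            recent.clear()
            return False
        return True


def replay(guard, events):
    """events: iterable of (timestamp, ip). Returns {ip: [allowed, denied]}."""
    tally = defaultdict(lambda: [0, 0])
    for ts, ip in sorted(events):
        tally[ip][0 if guard.allow(ip, ts) else 1] += 1
    return dict(tally)


def sample_events():
    """Constructed events: one client hammering every second, one normal visitor."""
    bot = [(t, "203.0.113.10") for t in range(20)]
    visitor = [(t, "198.51.100.7") for t in range(0, 1200, 200)]
    return bot + visitor


if __name__ == "__main__":
    guard = ConnectionRateGuard(max_attempts=5, window=600, block_for=3600)
    print(replay(guard, sample_events()))
```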

Smagd
Encina Technologies Namtz'aar k'in
|
Posted - 2007.01.03 16:04:00 -
[5]
Or limit their bandwidth (a.k.a. tarpitting). They'll take 2 weeks to download the first few movies and their own open connection limit will run out. --
|
|

Chribba
Otherworld Enterprises Otherworld Empire
|
Posted - 2007.01.03 16:05:00 -
[6]
Originally by: Jim McGregor Edited by: Jim McGregor on 03/01/2007 16:00:28
Isn't it better to just block their IP range? 10-12 different IPs doesn't sound like that much.
The 8,500 connections today were from 10-12 different IPs. I have about 250 Chinese spam IPs blocked; they reside in huge IP ranges among normal DSL customers, so I block them now and in 2 hours they've switched IPs and come back. So the only way for me to block them would be to block the entire subnets; we're talking multiple B-range networks here.
For example, one network would be 222.16.0.0-222.95.255.255, that's 5,136,975 IPs on that range. Then add a few more of those and I've blocked a larger part of China.
EVE-Files | EVE-Search | Monitor this Thread |
|

Beef Hardslab
The 5 Amigo's LLC.
|
Posted - 2007.01.03 16:05:00 -
[7]
Originally by: Rakeris I say just block the IP range. :p
But a better question may be, why are they doing it? 0.o
Haven't you heard? Chribba is the King of Veldspar, and it's obvious to me that they seek to undermine his throne and pilfer all his master techniques.
/me waits for the fleet of Dread mining bots
|

Illegal
KDM Corp Firmus Ixion
|
Posted - 2007.01.03 16:06:00 -
[8]
Originally by: Chribba Bots roaming through links in search for email addresses to abuse have been hitting EVE-Files hard in the past days, and for some reason they seem to have trouble with movie files - and as you know EVE-Files contains LOTS of movies.
^^ That's why. --
|

Jim McGregor
|
Posted - 2007.01.03 16:10:00 -
[9]
Originally by: Chribba
Originally by: Jim McGregor Edited by: Jim McGregor on 03/01/2007 16:00:28
Isn't it better to just block their IP range? 10-12 different IPs doesn't sound like that much.
The 8,500 connections today were from 10-12 different IPs. I have about 250 Chinese spam IPs blocked; they reside in huge IP ranges among normal DSL customers, so I block them now and in 2 hours they've switched IPs and come back. So the only way for me to block them would be to block the entire subnets; we're talking multiple B-range networks here.
For example, one network would be 222.16.0.0-222.95.255.255, that's 5,136,975 IPs on that range. Then add a few more of those and I've blocked a larger part of China.
You are right, that sounds like a bad solution...
How about forcing people to register? At least then you can disallow downloads from anyone not registered, and also block accounts that take too much bandwidth (maybe automatically too).
--- Eve Wiki | Eve Tribune | Eve Pirate |

Verus Potestas
Caldari The I-Win Button
|
Posted - 2007.01.03 16:10:00 -
[10]
Originally by: Jim McGregor Isn't it better to just block their IP range? 10-12 different IPs doesn't sound like that much.
You'd be surprised. If it's subnets rather than IPs, it could be hundreds of thousands of connections. Even if it's just IPs, there are single IPs used by over a million people...
--- In third-party forums we trust
Did i ask for anyone to copy this into their sig? No, ****heads, its my text, not yours.
|
|
|

Chribba
Otherworld Enterprises Otherworld Empire
|
Posted - 2007.01.03 16:11:00 -
[11]
Edited by: Chribba on 03/01/2007 16:14:37
Originally by: Trek How about using a pf firewall or similar and blocking the IP address once it has made x connection attempts in the last 10 minutes or something? Suitable numbers would be up to you to calculate since you know more than anyone about the usage statistics.
I use this on my own network since I got sick of having hundreds, sometimes thousands, of failed ssh login attempts every day in my security logs.
(oh and greetings from an old corpmate!)

Originally by: Smagd Or limit their bandwidth (a.k.a. tarpitting). They'll take 2 weeks to download the first few movies and their own open connection limit will run out.
The only thing stopping me from using additional PF or tarpits is the current setup, as I would have to modify the network and servers rather than running on how it is set up now - which is not my most wanted thing to change, but both ways are suitable.
As for what they want... My guess is that they are email harvesters, as I find their IPs being blocked in common mail block-lists as well. But they most likely screw up when trying to get a movie. Once they get redirected to my "blocked" page, the requests stop until a new bot comes back.
Originally by: Jim McGregor How about forcing people to register? At least then you can disallow downloads from anyone not registered, and also block accounts that take too much bandwidth (maybe automatically too).
These bots request files right off links (could be your signature image, your linkage to your latest screenshot or movie), so registering would only make things even worse as then EVERYONE would have to like "sign in" to see Mr Alt's signature on his EVE-O post.
And I really don't want to block someone's account just because of bots; imagine you release a video - your enemies start to mass download it, I block your account since it uses too much bw = everyone else sad coz they can't see your video or your signature.
EVE-Files | EVE-Search | Monitor this Thread |
|

Verus Potestas
Caldari The I-Win Button
|
Posted - 2007.01.03 16:13:00 -
[12]
Are you sure it's harvesting, rather than deliberate DOS attacks? I'm willing to bet you've been contacted by several people in China asking for advertising space on Eve-files, some of whom might be offended by your rejections...
--- In third-party forums we trust
Did i ask for anyone to copy this into their sig? No, ****heads, its my text, not yours.
|
|

Chribba
Otherworld Enterprises Otherworld Empire
|
Posted - 2007.01.03 16:19:00 -
[13]
Originally by: Verus Potestas Are you sure it's harvesting, rather than deliberate DOS attacks? I'm willing to bet you've been contacted by several people in China asking for advertising space on Eve-files, some of whom might be offended by your rejections...
They look pretty 'bot'-ish in my eyes; the requests are for fairly common/new movies, and those referers that do come through are from like bbs.eve-china.com and newly posted topics there with most likely normal linkage of user videos. So targeted attack, doubt it.
EVE-Files | EVE-Search | Monitor this Thread |
|

Makree
Ubar Asteroid Hugging Collective
|
Posted - 2007.01.03 16:19:00 -
[14]
Personally I would block the whole of the APNIC address space. But then you would have the Aussies moaning.
Are the abusive IPs in the XBL?
If so can you look this up before blocking?
|

Verus Potestas
Caldari The I-Win Button
|
Posted - 2007.01.03 16:21:00 -
[15]
Originally by: Makree Personally I would block the whole of the APNIC address space. But then you would have the Aussies moaning.
That's really fair. 12 bots get half the interblag blocked?
--- In third-party forums we trust
Did i ask for anyone to copy this into their sig? No, ****heads, its my text, not yours.
|

Trek
Minmatar N.A.G.A Corporation
|
Posted - 2007.01.03 16:22:00 -
[16]
Originally by: Chribba Only thing stopping me from using additional PF or tarpits is the current setup as I would have to modify the network, servers rather than running on how it is set up now - which is not my most wanted thing to change, but both ways are suitable.
Since I don't know anything about how your stuff is set up this might be a shot in the dark... But how about setting up a transparent ethernet bridge and then use pf on the bridge to limit the connections one way or another. Using a transparent bridge should make your network seem unchanged both from the outside and from the inside.
--- My other ship is a Reaper
|
|

Chribba
Otherworld Enterprises Otherworld Empire
|
Posted - 2007.01.03 16:23:00 -
[17]
Originally by: Makree Personally I would block the whole of the APNIC address space. But then you would have the Aussies moaning.
Are the abusive IPs in the XBL?
If so can you look this up before blocking?
That would be my last option tbh, but indeed it would solve the problems. Some of the IPs are found in various BLs, yes. I don't have time nor interest to check up on each one though, and no way of doing this per auto, unless you all want to spend some 20 sec extra before loading any file just because I have to do an IP-check on you - super last option lol
EVE-Files | EVE-Search | Monitor this Thread |
|
|

Chribba
Otherworld Enterprises Otherworld Empire
|
Posted - 2007.01.03 16:27:00 -
[18]
Originally by: Verus Potestas
Originally by: Makree Personally I would block the whole of the APNIC address space. But then you would have the Aussies moaning.
That's really fair. 12 bots get half the interblag blocked?
It was 12 today, as I said they change IP and come back. If it had been just the 12 I'd drop only those and we're good. But they switch and come back.
Originally by: Trek Edited by: Trek on 03/01/2007 16:23:35
Originally by: Chribba Only thing stopping me from using additional PF or tarpits is the current setup as I would have to modify the network, servers rather than running on how it is set up now - which is not my most wanted thing to change, but both ways are suitable.
Since I don't know anything about how your stuff is set up this might be a shot in the dark... But how about setting up a transparent ethernet bridge and then use pf on the bridge to limit the connections one way or another. Using a transparent bridge should make your network seem unchanged both from the outside and from the inside. Hopefully you wouldn't have to change any other stuff then! 
Yeah that's what I most likely would do, but get some new hardware for the bridge first = money = Not first option.
Other options would be to block certain referers as well.
EVE-Files | EVE-Search | Monitor this Thread |
|

Verus Potestas
Caldari The I-Win Button
|
Posted - 2007.01.03 16:28:00 -
[19]
Originally by: Chribba
Originally by: Verus Potestas
Originally by: Makree Personally I would block the whole of the APNIC address space. But then you would have the Aussies moaning.
That's really fair. 12 bots get half the interblag blocked?
It was 12 today, as I said they change IP and come back. If it had been just the 12 I'd drop only those and we're good. But they switch and come back.
12 bots, not 12 IPs 
--- In third-party forums we trust
Did i ask for anyone to copy this into their sig? No, ****heads, its my text, not yours.
|

Tara Konsidor
|
Posted - 2007.01.03 17:09:00 -
[20]
You could define rate limits like 20 simultaneous open connections/IP; unfortunately I've no idea how to do that under win2k3 server.
|
|

NebulousBlur
Minmatar Unknown Shoe Corp. SMASH Alliance
|
Posted - 2007.01.03 17:17:00 -
[21]
Would you be able to implement any sort of CAPTCHA for files over a given size?
Maybe a custom version of kitten auth with different roid/mineral types :D
http://www.kittenauth.com/
|

Turix
Interstellar eXodus R0ADKILL
|
Posted - 2007.01.03 17:21:00 -
[22]
Maybe input some kind of alphanumerical verification on larger files or certain IP ranges - I'm sure some people wouldn't mind putting 4 random no/letters in if it helps fix the server.
|

Randay
0utbreak
|
Posted - 2007.01.03 17:33:00 -
[23]
is that why im getting emails for viagla?
|

Verus Potestas
Caldari The I-Win Button
|
Posted - 2007.01.03 17:37:00 -
[24]
Originally by: Randay is that why im getting emails for viagla?
I'm so ronery 
--- In third-party forums we trust
Did i ask for anyone to copy this into their sig? No, ****heads, its my text, not yours.
|

Yarek Balear
The Initiative
|
Posted - 2007.01.03 17:41:00 -
[25]
Originally by: Randay is that why im getting emails for viagla?
You're supposed to swallow them, not leave them sitting on your tongue making that hard !!!
|

Montaire
Lacedaemon. Sparta Alliance
|
Posted - 2007.01.03 17:44:00 -
[26]
I deal with crap like this on a professional level. Do you want to get together (voice/video/whatever conference) and see if maybe we can apply some industrial strength solutions ?
|

SasRipper
DIE WITH HONOUR
|
Posted - 2007.01.03 18:19:00 -
[27]
Just block China. Are there really that many Chinese legitimate users?
They have their own server; let them get their own eve-files if they are going to abuse yours.
|- Insert witty sig here -| Save Radar Scanner Man!
|

Khnaedra D'Val
Black Knight Buccaneers Center for Disease Creation
|
Posted - 2007.01.03 18:33:00 -
[28]
I'd have to say going with half-hearted measures would equate to fighting a losing battle, but if you can clamp down on all the bot-connections without having to block out entire subnets, that's probably going to make it easier to avoid blocking genuine requests.
However, one of the forums I help to run has 10 class-A subnets blocked; not counting network/broadcast addresses, that's 42,949,672,960 IP addresses that cannot access them (it was a ridiculous amount more work to remove all the spam posts from one-post members we were noticing popping up far too regularly, from various parts of Asia and South America).
Best of luck finding a solution that stops them connecting to what is an extremely valuable tool for EvE! 
|

Agent Lemming
|
Posted - 2007.01.03 18:48:00 -
[29]
Originally by: Chribba
Originally by: Jim McGregor How about forcing people to register? At least then you can disallow downloads from anyone not registered, and also block accounts that take too much bandwidth (maybe automatically too).
These bots request files right off links (could be your signature image, your linkage to your latest screenshot or movie), so registering would only make things even worse as then EVERYONE would have to like "sign in" to see Mr Alt's signature on his EVE-O post.
No idea if this would work or not, but would it be possible to have selective requirements for registering, i.e. something along the lines of movie files, or files above a certain size, need registering before they can be viewed?
|

Gone'Postal
Minmatar LuthorCorp Combat Division
|
Posted - 2007.01.03 18:49:00 -
[30]
Chribba, why not just make it per user account. Give everyone a set number of MB; if they require more then they have to e-mail one of the players you have given rights to. Maybe heads of alliances should have an unlimited account, however that's IP-locked to stop them giving it out; if their IP changes they have to e-mail you to request the change to their account.
Even if it won't help with this matter it should cut down on the amount of files you have to look at each day to keep the server nice and clean.
Known Issues & Workarounds - The forum to fix the issues of Eve... Godhelp us if the Devs start trying to. |