Rantburg

2021-03-11 Cyber
When you know something you posted might have upset China.
[DoS attack: ACK Scan] attack packets from ip [221.8.65.18#],
...

Repeated 57 times for 20 seconds each over 4 Hours and 16 mins.
China Unicom Jilin Province Network
Changchun, Jilin

Considering the Big Names, cryptocurrency attacks and more that this IP has attacked, hacked and/or blocked over the last few years. I feel "IP" Privileged.
Posted by NN2N1 2021-03-11 04:59|| || Front Page|| [11133 views ]  Top
 File under: Commies 

#1 I'm pleading stupid here, are you saying Rantburg has had those Denial of Service attacks by China, or am I missing something?
Posted by NoMoreBS 2021-03-11 11:24||   2021-03-11 11:24|| Front Page Top

#2 That was my site (NN2N1) on a typical week...
Then several storms on 1 day this week.


I am sure Rantburg is a much bigger and more frequent target.
Posted by NN2N1 2021-03-11 11:37||   2021-03-11 11:37|| Front Page Top

#3 Got it, and thanks, drawing their ire is always a sure sign of doing something right!
Posted by NoMoreBS 2021-03-11 11:51||   2021-03-11 11:51|| Front Page Top

#4 When I was a web master I used to see this kind of thing all the time in my logs. I found that there are web sites where you can plug in an IP address and find information about it. According to DBIP IP geolocation API and database web site: 221.8.65.18 or 18.65.8.221.adsl-pool.jlccptt.net.cn is an IPv4 address owned by CNC Group CHINA169 Jilin Province Network and located in Haidian (Haidian Qu), China.

I developed a PERL script that would place such IP addresses into an IPTABLES database so they would be denied any further access to my server. The script had a little database of its own that included the kind of queries that would come from places like China. Whenever there was a "404 Not Found" error the script would be triggered and search for a match between the 404 query and the database. When a match was found, the offending IP address would be automatically added to the IPTABLES database. Eventually I found that I could enter a range of IP addresses into IPTABLES and block entire nations from access to my server. If I could do that, the government could certainly erect a fire wall that would block all internet traffic from countries like China. The fact that our government allows this criminal activity to continue is a dereliction of duty to say the least. Of course, we all know why they don't.
Posted by Abu Uluque 2021-03-11 12:59||   2021-03-11 12:59|| Front Page Top

#5 
Abu Uluque:
Is your script PD or shareware?

Posted by NN2N1 2021-03-11 13:31||   2021-03-11 13:31|| Front Page Top

#6 I never saved a copy of the script for myself. I left it on the server when I retired. It wasn't terribly difficult to do though. I kind of did it in my spare time at work. If you know PERL and you're familiar with Apache web server software running on LINUX it should be easy to duplicate. The apache config file allows you to designate a cgi-bin executable to handle 404 errors. In my script, I would check the 404 query by looping through an array of character strings like "php". I didn't have php on my server because I knew it was notorious for vulnerabilities so if somebody was looking for php on my server I figured they were prodding for vulnerabilities they could exploit to hack my server. There were all kinds of strings like that and when I found them I put the IP addresses into IPTABLES so they would be automatically and immediately denied any further access to the server. They didn't even get the 404 error message. It was fairly effective. It sure cleaned up my log files. I only got one or two complaints from people who were legitimately being denied access and that was because their Microsoft Internet Explorer browser was looking for FrontPage. I figured they deserved it just for using such a crippled browser.
Posted by Abu Uluque 2021-03-11 14:48||   2021-03-11 14:48|| Front Page Top
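
The approach described in #4 and #6, sketched in Python as an added example; it is not Abu Uluque's Perl script, which the thread says was never saved. Instead of a CGI 404 handler it scans Apache access-log lines, matches 404 requests against probe strings, and returns `iptables` argument lists without running them. The allowlist, the `threshold` parameter, the function names and the sample log are assumptions constructed for illustration; only the "php" probe string comes from the thread.

```python
import ipaddress
import re

# Probe substrings looked for in 404'd request paths. The thread names only "php".
PROBE_STRINGS = ("php",)
# Assumed allowlist: networks that must never be blocked (constructed values).
NEVER_BLOCK = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]

# Apache common log format: host ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:[A-Z]+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample log using documentation address ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Mar/2021:04:59:01 +0000] "GET /wp-login.php HTTP/1.1" 404 196',
    '203.0.113.7 - - [11/Mar/2021:04:59:02 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 196',
    '198.51.100.23 - - [11/Mar/2021:05:10:44 +0000] "POST /xmlrpc.php HTTP/1.1" 404 196',
    '198.51.100.99 - - [11/Mar/2021:05:12:00 +0000] "GET /_vti_bin/shtml.exe HTTP/1.1" 404 196',
    '192.0.2.10 - - [11/Mar/2021:05:13:09 +0000] "GET /index.php HTTP/1.1" 404 196',
    '198.51.100.50 - - [11/Mar/2021:05:14:30 +0000] "GET /index.html HTTP/1.1" 200 5120',
    'evil;reboot - - [11/Mar/2021:05:15:00 +0000] "GET /a.php HTTP/1.1" 404 196',
]

def offending_ips(log_lines, probes=PROBE_STRINGS, threshold=1):
    """Return sorted IPv4 addresses with >= threshold probe-like 404 requests."""
    hits = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group(3) != "404":
            continue
        host, path = m.group(1), m.group(2).lower()
        try:
            ip = ipaddress.IPv4Address(host)  # rejects hostnames and junk in the host field
        except ValueError:
            continue
        if any(ip in net for net in NEVER_BLOCK):
            continue  # never lock out our own or trusted networks
        if any(p in path for p in probes):
            hits[ip] = hits.get(ip, 0) + 1
    return sorted(ip for ip, n in hits.items() if n >= threshold)

def iptables_rules(ips):
    """Build argv lists (no shell involved) that drop all traffic from each address."""
    return [["iptables", "-I", "INPUT", "-s", str(ip), "-j", "DROP"] for ip in ips]

if __name__ == "__main__":
    for argv in iptables_rules(offending_ips(SAMPLE_LOG)):
        print(" ".join(argv))
```

Raising `threshold` above 1 trades blocking speed for fewer false positives of the kind mentioned in #6, where legitimate browsers requesting FrontPage paths were locked out.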









