[ahimsa-tech] [Fwd: Re: [Fwd: re: Re: access list blocking]]

jeff moe jeff at indymedia.org
Fri Oct 20 18:05:18 PDT 2006


FYI.  In sum, the server isn't being hit by zombies, the server isn't rooted, 
but it's being overwhelmed due to bittorrent's newish "trackerless" feature 
because of the fact that the server is a well-connected box.

Thanks alster! :)

-Jeff

-------- Original Message --------
Subject: Re: [Fwd: re: Re: access list blocking]
Date: Sat, 21 Oct 2006 02:45:14 +0200
From: Alster <alster at indymedia.org>
To: jeff moe <jeff at indymedia.org>
References: <45395188.5070402 at indymedia.org>


I checked these 47 source IP addresses against the following DNS blacklists:

sbl-xbl.spamhaus.org  - known spam bizs, sources using common attacks
list.dsbl.org         - open (spam) email relays
tor.ahbl.org          - TOR exit nodes
ircbl.ahbl.org        - IRC drones, open proxies
dynablock.njabl.org   - dynamically assigned IP addresses

So 18 IPs were detected as being dynamically assigned ones, which means
all other reports for these IPs are useless. So what's left?


59.42.128.73 RBL filtered by sbl-xbl.spamhaus.org:
http://www.spamhaus.org/query/bl?ip=59.42.128.73

196.40.10.254 RBL filtered by sbl-xbl.spamhaus.org:
http://www.spamhaus.org/query/bl?ip=196.40.10.254

218.68.17.104 RBL filtered by list.dsbl.org:
http://dsbl.org/listing?218.68.17.104

219.144.140.185 RBL filtered by list.dsbl.org:
http://dsbl.org/listing?219.144.140.185

221.195.196.160 RBL filtered by sbl-xbl.spamhaus.org:
http://www.spamhaus.org/query/bl?ip=221.195.196.160
221.195.196.160 RBL filtered by list.dsbl.org:
http://dsbl.org/listing?221.195.196.160
221.195.196.160 RBL filtered by ircbl.ahbl.org: Open Proxy -
http://www.ahbl.org/tools/lookup.php?ip=221.195.196.160

So 5 of the 47 addresses (9.4%) may be one of these: open proxies,
compromised systems, exploit/common attack sources. Which isn't too special.

However, DHT should explain the traffic.
http://www.google.com/codesearch?q=6881+UDP
http://www.zeropaid.com/bbs/problems-questions/t-azureus-udp-6881-what-do-i-do-to-open-this-port-28887.html
http://forum.pcmech.com/showthread.php?t=141783
http://en.wikipedia.org/wiki/Distributed_hash_table
http://www.bittorrent.org/Draft_DHT_protocol.html#BitTorrent_Protocol_Extension

I suggest you determine a way to deactivate DHT support in the
bittorrent software you use. It may also help to move the first TCP port
to 6882 or higher and to make sure you don't have too many concurrent
client connections. If the software doesn't provide an option for this,
and you cannot/do not want to firewall, raising the lowest TCP listening
port closer to 7000 (6999 is the maximum) should work as the difference
between 6999 and the lowest bittorrent communication port you have set
effectively defines the number of connections you can have.

Alster
--
GPG key
http://keys.indymedia.org/cgi-bin/lookup?op=get&search=05059C17
Fingerprint    1B8B 128F 8435 541C B3A5 1B7E CF5A 9D55 0505 9C17
All other      http://docs.indymedia.org/view/Main/AlsteR

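As an added example that is not part of the thread: a small Python helper that builds the reverse-octet query names a DNSBL lookup resolves and applies the triage rule Alster uses above (a dynablock listing makes an address's other listings uninformative). The zone names come from the thread; the resolver is a constructed offline stub whose answers are made up to mirror a few of the listings the thread reports.

```python
"""DNSBL triage helper (added example, not code from the original mail).
Builds reverse-octet DNSBL names and applies the thread's triage rule:
a dynamically assigned address has its other listings discarded."""

import ipaddress
from typing import Callable, Dict, List, Optional

# Zones named in the thread (several are defunct today; names only).
ZONES = ["sbl-xbl.spamhaus.org", "list.dsbl.org", "tor.ahbl.org",
         "ircbl.ahbl.org", "dynablock.njabl.org"]
DYNAMIC_ZONE = "dynablock.njabl.org"
Resolver = Callable[[str], Optional[str]]  # name -> A record, or None (NXDOMAIN)

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the four octets and append the zone, e.g. 73.128.42.59.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed input early
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def is_listed(ip: str, zone: str, resolve: Resolver) -> bool:
    """Listed iff the answer is in 127.0.0.0/8; 127.255.255.x answers are
    Spamhaus error codes (bad query, open resolver, quota), not listings."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None or not answer.startswith("127."):
        return False
    return not answer.startswith("127.255.255.")

def check_ips(ips: List[str], resolve: Resolver) -> Dict[str, List[str]]:
    """Map each address to the zones that list it (empty list = clean)."""
    return {ip: [z for z in ZONES if is_listed(ip, z, resolve)] for ip in ips}

def triage(hits: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Keep only addresses with hits that are NOT on the dynamic list."""
    return {ip: zones for ip, zones in hits.items()
            if zones and DYNAMIC_ZONE not in zones}

# Constructed offline stand-in for DNS: the addresses appear in the thread,
# the answers are made up to mirror the listings it reports.
FAKE_DNS = {
    "73.128.42.59.sbl-xbl.spamhaus.org": "127.0.0.2",
    "104.17.68.218.list.dsbl.org": "127.0.0.2",
    "180.231.140.219.sbl-xbl.spamhaus.org": "127.0.0.2",
    "180.231.140.219.list.dsbl.org": "127.0.0.2",
    "180.231.140.219.dynablock.njabl.org": "127.0.0.3",
}

def fake_resolve(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)
```

Swap `fake_resolve` for a real lookup (e.g. `socket.gethostbyname` wrapped to return `None` on `socket.gaierror`) to run it against live zones.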