republican-creole
site Search:


Home Reviews Tools Forums FAQs Find Service ISP News Maps About  
 
    All Forums Hot Topics Gallery






how-to block ads

  
Forums >

Probing for open proxies with CONNECT > Seeing similar probes

Search Topic:
 Uniqs:
146		 Share Topic
Post a:
Post a:
AuthorAll Replies


state
stress magnet
Premium,Mod
join:2002-02-08
Purgatory
kudos:6
Host:
Webhosting
Android
Sonic.net
Washington & Balti..
UK Chat

Seeing similar probes

I started seeing something similar a few days ago, but hadn't had a chance to really dig into it - it was more of a nuisance than anything else since 404s were being returned to the requester:

"GET http://mail2.663.com.cn/include/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b?hash=C690597E4C4742D24207D2D400500D1C8CD549FEF8BD HTTP/1.0"

The logs show somewhere in the neighborhood of 40-50 entries per day from this particular IP address, sequentially walking the IPs that were assigned to the machine - each GET request with it's own unique hash.

After adding a rule to iptables I saw it send a dozen or so ping packets to see if the host was up:

... kernel: MAIL_RLY_TST : IN=eth0 ... SRC=222.216.28.135 ... PROTO=ICMP TYPE=0 CODE=0 ID=53782 SEQ=7 
... kernel: MAIL_RLY_TST : IN=eth0 ... SRC=222.216.28.135 ... PROTO=ICMP TYPE=0 CODE=0 ID=53782 SEQ=8

And then nothing. So far. With so many script kiddies running what would appear to be "out-of-the-box" scripts against large netblocks, it sometimes makes me wonder if I should follow in the footsteps of CNN and the like and simply discard inbound ICMP requests..
to forum · permalink · 2007-10-23 23:50:26 ·

mikenolan7
Premium
join:2005-06-07
Torrance, CA

Think twice before dropping traffic. I'm just a home user, but I have a pretty good-sized network I experiment with here (15 machines +/-). I run zero externally accessible services, but I'm on a cable modem and live in LA. The number of attacks is hard to believe (I average anywhere between one every 3 to 10 seconds). I used to just drop it all, but I found when I rejected everything instead, the number of attacks dropped by about 70%. I run strict rate limits on the rejections so no one can get much benefit from using my address as part of a reverse DDOS, but I haven't seen that even tried, yet (using my address anyway).

The only explanation I can come up with is that the automated attacks move on when they get a rejection, but try a few more times if nothing comes back - possibly hoping that the lack of a rejection indicates other "misconfigurations". RoadRunners arp blasters pretty much tell anyone with a clue what IP's are in use at any time.

to forum · permalink · 2007-11-07 15:02:41 ·
Forums > Probing for open proxies with CONNECT

Monday, 04-Jun 10:29:26 Terms of Use & Privacy | feedback | contact | Hosting by nac.net - DSL,Hosting & Co-lo
over 12.5 years online © 1999-2012 dslreports.com.
Most commented news this week
Hot Topics