Special report on IP blocking management – 2014-09

Blocked IP Addresses

When I (1) have seen an exceptional amount of traffic in one month from a single IP, and especially if the page requests are suspicious (such as strings of random characters), I have googled the IP and checked the results for reports of suspicious behavior (known attacks, malicious behavior, etc.). Based on those results I have banned the following IPs. All users from any of the following are blocked from accessing the Lyceum web site.

While this is probably blocking some legitimate visitors, it seems to be the best strategy that Lyceum has available. There are not enough hours in the day to maintain the web site if known attackers are not barred at the door. I am open to suggestions about possibly better approaches. My limited knowledge on web security is about 15 years out of date and I have no intention of trying to study up on the techniques and keep up with the rapidly changing world of cybercrime and cybercrime fighting.

Current IP addresses being blocked:

Server Setting   Beginning IP     Ending IP        Comment
117.195.163.36   117.195.163.36   117.195.163.36   India. PHP attacks 201308
120.43.4.146     120.43.4.146     120.43.4.146     China. PHP reports probably now clean. BSc says spam 201409
162.216.112.233  162.216.112.233  162.216.112.233  USA. SFS spam 201407; AHA 201409
162.244.8.219    162.244.8.219    162.244.8.219    USA. AHA spam 201406
165.231.1.241    165.231.1.241    165.231.1.241    South Africa. SFS 201406; BSc 201406
183.207.228.12   183.207.228.12   183.207.228.12   China. BSc 201406; SFS 201408
188.165.25.33    188.165.25.33    188.165.25.33    Lithuania. SFS 201405
192.95.41.108    192.95.41.108    192.95.41.108    Canada. SFS 201406
198.50.134.68    198.50.134.68    198.50.134.68    Canada. AHA 201406
198.50.253.80    198.50.253.80    198.50.253.80    Canada? no longer blacklisted
222.77.204.62    222.77.204.62    222.77.204.62    China. PHP 201409; SFS 201409
37.230.117.90    37.230.117.90    37.230.117.90    Russia. no longer blacklisted
62.219.8.239     62.219.8.239     62.219.8.239     Israel. PHP 201409
63.141.234.154   63.141.234.154   63.141.234.154   USA. PHP 201404
68.173.166.112   68.173.166.112   68.173.166.112   USA, Time-Warner Cable.
69.175.60.107    69.175.60.107    69.175.60.107    USA. PHP 201406
69.89.31.160     69.89.31.160     69.89.31.160     USA. PHP 201006
74.220.195.51    74.220.195.51    74.220.195.51    USA. No blacklisting
79.140.232.103   79.140.232.103   79.140.232.103   Kazakhstan. No blacklisting
83.60.3.223      83.60.3.223      83.60.3.223      Spain. No blacklisting
85.195.72.11     85.195.72.11     85.195.72.11     Germany. No blacklisting
91.236.75.44     91.236.75.44     91.236.75.44     Poland. PHP 201406; SFS 201409
92.63.81.197     92.63.81.197     92.63.81.197     Latvia. SFS 201404
94.222.217.86    94.222.217.86    94.222.217.86    Germany. No blacklisting.
96.127.189.59    96.127.189.59    96.127.189.59    USA. PHP 201403; SFS 201406
96.44.145.171    96.44.145.171    96.44.145.171    USA. SFS 201409; AHA 201409

The comments are mine, distilled from what I have gleaned from googling the ISP. Comments typically mention the country of origin, the resource(s) used in determining the likely severity and frequency of future attacks, and the date of the last recorded wrongdoing.

Resources used:

Removing block on these IPs:

I put some of these IPs on the blacklist before I was good at using resources like Project Honey Pot, etc., to verify the bad behavior. Also, as a rule, IP managers police their clients, and bad IPs may become good IPs over time. So the list of blocked IPs needs pruning, and will need pruning from time to time in the future.

Server Setting   Beginning IP     Ending IP        Comment
162.244.8.219    162.244.8.219    162.244.8.219    USA. AHA spam 201406
192.95.41.108    192.95.41.108    192.95.41.108    Canada. SFS 201406
198.50.134.68    198.50.134.68    198.50.134.68    Canada. AHA 201406
198.50.253.80    198.50.253.80    198.50.253.80    Canada? no longer blacklisted
63.141.234.154   63.141.234.154   63.141.234.154   USA. PHP 201404
68.173.166.112   68.173.166.112   68.173.166.112   USA, Time-Warner Cable.
69.175.60.107    69.175.60.107    69.175.60.107    USA. PHP 201406
69.89.31.160     69.89.31.160     69.89.31.160     USA. PHP 201006
74.220.195.51    74.220.195.51    74.220.195.51    USA. No blacklisting
83.60.3.223      83.60.3.223      83.60.3.223      Spain. No blacklisting
85.195.72.11     85.195.72.11     85.195.72.11     Germany. No blacklisting
94.222.217.86    94.222.217.86    94.222.217.86    Germany. No blacklisting.
96.127.189.59    96.127.189.59    96.127.189.59    USA. PHP 201403; SFS 201406
96.44.145.171    96.44.145.171    96.44.145.171    USA. SFS 201409; AHA 201409

These are no longer appropriate. The ones that had never appeared on another blacklist were banned for excessive requests for non-existent pages with random page names. Some of these were probably juvenile attempts to DoS the web site; others may have been some form of automated probing, etc.
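As an added example, not part of the original report and not the method Will used, here is a Python script that mechanizes the triage described at the top of the report and the criterion just mentioned: it parses Apache combined-format access log lines, counts requests and 404s per IP, flags 404s whose page name looks like a string of random characters, lists the IPs that deserve a reputation lookup, and emits the Apache 2.4 fragment that would block them. The log lines are constructed for illustration (RFC 5737 documentation addresses), not real Lyceum traffic; the entropy heuristic in `looks_random`, the thresholds in `candidates`, and the `Require not ip` output in `apache_deny_block` are all assumptions, chosen to illustrate the idea rather than taken from the site's configuration.

```python
import ipaddress
import math
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format: ip ident user [time] "METHOD target proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample lines (RFC 5737 documentation addresses); not real Lyceum traffic.
# 203.0.113.7 is an ordinary visitor with one typo, 198.51.100.23 hammers random names,
# 192.0.2.55 probes for well-known software but with readable, not random, names.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2014:03:12:01 -0700] "GET /doku.php?id=start HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2014:03:12:02 -0700] "GET /lib/exe/css.php HTTP/1.1" 200 31002 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2014:03:12:40 -0700] "GET /doku.php?id=evnts HTTP/1.1" 404 2210 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2014:03:12:49 -0700] "GET /doku.php?id=events HTTP/1.1" 200 6410 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Sep/2014:04:01:11 -0700] "GET /xk3q9zt2bv.php HTTP/1.1" 404 512 "-" "-"
198.51.100.23 - - [10/Sep/2014:04:01:11 -0700] "GET /q7w8e9r0ty.php HTTP/1.1" 404 512 "-" "-"
198.51.100.23 - - [10/Sep/2014:04:01:12 -0700] "GET /zz91kd0pla/ HTTP/1.1" 404 512 "-" "-"
198.51.100.23 - - [10/Sep/2014:04:01:12 -0700] "GET /doku.php?id=m4n5b6v7cx HTTP/1.1" 404 512 "-" "-"
198.51.100.23 - - [10/Sep/2014:04:01:13 -0700] "GET /p0o9i8u7yt.html HTTP/1.1" 404 512 "-" "-"
198.51.100.23 - - [10/Sep/2014:04:01:13 -0700] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "-"
192.0.2.55 - - [10/Sep/2014:05:30:00 -0700] "GET /wp-login.php HTTP/1.1" 404 512 "-" "-"
192.0.2.55 - - [10/Sep/2014:05:30:01 -0700] "GET /xmlrpc.php HTTP/1.1" 404 512 "-" "-"
192.0.2.55 - - [10/Sep/2014:05:30:02 -0700] "GET /administrator/index.php HTTP/1.1" 404 512 "-" "-"
"""


def request_name(target):
    """The 'page name' a human would read: DokuWiki's id= parameter if present,
    otherwise the last path segment with its extension stripped."""
    parts = urlsplit(target)
    ids = parse_qs(parts.query).get("id")
    if ids:
        return ids[0].rsplit(":", 1)[-1]          # namespace:page -> page
    last = parts.path.rstrip("/").rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[0]


def looks_random(name, min_len=8, min_entropy=3.0):
    """Assumed heuristic for 'strings of random characters': long enough, a mix of
    letters and digits, and high per-character Shannon entropy (bits)."""
    name = name.lower()
    n = len(name)
    if n < min_len:
        return False
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(name).values())
    mixed = any(ch.isdigit() for ch in name) and any(ch.isalpha() for ch in name)
    return mixed and entropy >= min_entropy


def summarize(log_text):
    """Per-IP counts: total requests, 404 responses, and 404s for random-looking names."""
    stats = defaultdict(lambda: {"total": 0, "not_found": 0, "random_404": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                 # not combined format; skip it
        s = stats[m["ip"]]
        s["total"] += 1
        if m["status"] == "404":
            s["not_found"] += 1
            if looks_random(request_name(m["target"])):
                s["random_404"] += 1
    return dict(stats)


def candidates(log_text, min_404=3, min_random_ratio=0.5):
    """IPs worth a reputation lookup before banning: enough 404s, and most of them
    for random-looking names. Thresholds are assumptions; tune to real traffic."""
    out = []
    for ip, s in summarize(log_text).items():
        if s["not_found"] >= min_404 and s["not_found"] > 0:
            if s["random_404"] / s["not_found"] >= min_random_ratio:
                out.append(ip)
    return sorted(out, key=ipaddress.ip_address)


def apache_deny_block(ips):
    """Apache 2.4 access-control fragment (usable in .htaccess) that refuses the given
    IPs and admits everyone else; assumed here as one way to apply the block list."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in sorted(ips, key=ipaddress.ip_address)]
    lines.append("</RequireAll>")
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, s in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["not_found"]):
        print(f"{ip:16} total={s['total']:3} 404={s['not_found']:3} random404={s['random_404']:3}")
    print(apache_deny_block(candidates(SAMPLE_LOG)))
```

On the sample input only 198.51.100.23 comes out of `candidates`; 192.0.2.55 has as many 404s but readable names, so it still shows up in the `summarize` table for a human to judge, which is the point: the script narrows the list to look up, it does not replace the lookup. Run it against a real log with `summarize(open("access.log").read())` and raise `min_404` to something appropriate for a month of traffic.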

(1) Will, in my role as Communications Director

Author: Will

I was born at a very young age but I am older than that now. As a young man I drove half a million miles in Boston taxis. Then I moved to Oregon and developed two careers as an RN over 28 years: the first as a clinical nurse mostly in ICU, then later in Nursing Service Administration as an Informatics RN (but before that term was coined). In between RN work, I picked up an ADSc Business Computer Programming and provided PC network installation, maintenance and repair for 10 years. I eased into retirement beginning in 2003 and was fully retired in 2010. But I have continued to develop and manage websites and my skills are current with HTTP/CSS, PHP, Apache, SQL, etc. I have a strong preference for Ubuntu Linux boxes and Dokuwiki websites. I have a strong dislike of WordPress, which, although it is technically very well done, has created one of the worst cesspool ecosystems I have ever encountered. Still it is sometimes the best tool for the job, more is the pity. I have followed pagan paths for 50 years and I have about 3 yards of bookshelves devoted to pagan thought and practice. I am a perfectly eclectic technopagan heavily influenced by Victor Anderson's Feri practice but comfortable with Gardner derivatives, Zennist ways, and totemic/shamanist practices. I have recently been made the Steward of the Lyceum Of Trees. So I am Will Steward, Steward. Make of that whatever you will.