Re: What is ipfw telling me ?

From: appleseed@hushmail.com
Date: 06/29/01


To: To:@hushmail.com, George.Giles@mcmail.vanderbilt.edu


Sup,
# First I check to see who controls the subnet attacking u
define.northern_ % host -t ns 46.239.216.in-addr.arpa
46.239.216.in-addr.arpa name server NS2.GOOGLE.COM
46.239.216.in-addr.arpa name server NS3.GOOGLE.COM
46.239.216.in-addr.arpa name server NS4.GOOGLE.COM
46.239.216.in-addr.arpa name server NS1.GOOGLE.COM

# looks like our friend Google.com controls the NS at least.
# let's check to see if these are really google's hosts by picking
# random nodes
define.northern_ % host -t any 216.239.46.1
1.46.239.216.IN-ADDR.ARPA domain name pointer crawl1.googlebot.com
define.northern_ % host -t any 216.239.46.90
90.46.239.216.IN-ADDR.ARPA domain name pointer crawl4.googlebot.com
define.northern_ % host -t any 216.239.46.127
127.46.239.216.IN-ADDR.ARPA domain name pointer crawl5.googlebot.com
define.northern_ % host -t any 216.239.46.200
200.46.239.216.IN-ADDR.ARPA domain name pointer crawl8.googlebot.com
define.northern_ % host -t any 216.239.46.254
254.46.239.216.IN-ADDR.ARPA domain name pointer sjbi1-gige-6-1.google.com
define.northern_ %

According to our findings (and PTR->A lookup confirms) this subnet consists mainly of Google's botnet, which scours the net searching for new sites to index. ;-)
I am going to assume here that someone is not spoofing google just to target your host on port 80. More than likely it's just good ol' Google trying to see if you have anything interesting to index on your website (if u have one). If you want to close off access to that subnet creating incoming tcp/udp sessions I suggest u upgrade to ipf (;-)) and define keep state rules as well as deny incoming session initialization attempts. This way u can still access google's nifty database but they can't access u =)

much love..
northern_
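The investigation above (who serves the reverse zone, PTR lookups on sampled hosts, then the "PTR->A lookup confirms" step) written out as a script. This is an added example, not code from the poster: the function names, the pluggable resolver interface and the sample records are assumptions. The records are constructed in the TEST-NET-2 range (198.51.100.0/24) and describe no real network; they exist so the logic runs offline. The live `socket_resolver` handles PTR and A only, since the standard library has no NS lookup.

```python
"""Audit a logged source /24 the way the post does, with the forward
confirmation made explicit (added example, not from the original post).

  1. derive the in-addr.arpa zone for the /24 and ask who its nameservers are;
  2. fetch PTR records for sampled addresses;
  3. resolve each PTR name forward (A) and check it points back at the IP.
A PTR that does not forward-confirm proves nothing: whoever runs the
reverse zone can put any name in it.
"""
import ipaddress
import socket
import sys
from typing import Callable, Dict, List, Tuple

# (owner name, rrtype) -> rdata strings; both resolvers below use this shape.
Resolver = Callable[[str, str], List[str]]


def reverse_zone(cidr: str) -> str:
    """Reverse zone of an IPv4 /24: 216.239.46.0/24 -> 46.239.216.in-addr.arpa."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4 or net.prefixlen != 24:
        raise ValueError("this helper only handles IPv4 /24 networks")
    a, b, c, _ = str(net.network_address).split(".")
    return f"{c}.{b}.{a}.in-addr.arpa"


def ptr_name(ip: str) -> str:
    """Owner name of the PTR record for one address."""
    return ipaddress.ip_address(ip).reverse_pointer


def fcrdns(ip: str, resolve: Resolver) -> Dict[str, object]:
    """Forward-confirmed reverse DNS: confirmed only when some PTR name's
    A records include the original address."""
    names = [n.rstrip(".").lower() for n in resolve(ptr_name(ip), "PTR")]
    for name in names:
        if ip in resolve(name, "A"):
            return {"ip": ip, "ptr": name, "confirmed": True}
    return {"ip": ip, "ptr": names[0] if names else None, "confirmed": False}


def audit_subnet(cidr: str, sample_ips: List[str], resolve: Resolver) -> Dict[str, object]:
    """Who serves the reverse zone, and how many sampled hosts forward-confirm."""
    zone = reverse_zone(cidr)
    nameservers = sorted(n.rstrip(".").lower() for n in resolve(zone, "NS"))
    checks = [fcrdns(ip, resolve) for ip in sample_ips]
    confirmed = sum(1 for c in checks if c["confirmed"])
    return {"zone": zone, "nameservers": nameservers, "checks": checks,
            "confirmed_fraction": confirmed / len(checks) if checks else 0.0}


def socket_resolver(name: str, rrtype: str) -> List[str]:
    """Live resolver on the standard library: PTR and A only, no NS."""
    try:
        if rrtype == "PTR" and name.endswith(".in-addr.arpa"):
            octets = name[: -len(".in-addr.arpa")].split(".")[::-1]
            host, _aliases, _addrs = socket.gethostbyaddr(".".join(octets))
            return [host]
        if rrtype == "A":
            infos = socket.getaddrinfo(name, None, socket.AF_INET)
            return sorted({info[4][0] for info in infos})
    except (socket.herror, socket.gaierror):
        return []
    return []


# Constructed records (TEST-NET-2); same shape as the post's output, no real hosts.
CONSTRUCTED_RECORDS: Dict[Tuple[str, str], List[str]] = {
    ("100.51.198.in-addr.arpa", "NS"): ["ns2.example.com.", "ns1.example.com."],
    ("1.100.51.198.in-addr.arpa", "PTR"): ["crawler1.example.com."],
    ("crawler1.example.com", "A"): ["198.51.100.1"],
    ("90.100.51.198.in-addr.arpa", "PTR"): ["crawler4.example.com."],
    ("crawler4.example.com", "A"): ["198.51.100.90"],
    # PTR naming a host whose A record points elsewhere: must not be trusted.
    ("200.100.51.198.in-addr.arpa", "PTR"): ["www.example.net."],
    ("www.example.net", "A"): ["192.0.2.10"],
}


def table_resolver(name: str, rrtype: str) -> List[str]:
    """Offline resolver over CONSTRUCTED_RECORDS."""
    return list(CONSTRUCTED_RECORDS.get((name.lower(), rrtype), []))


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # addresses given: check them live
        for ip in sys.argv[1:]:
            print(fcrdns(ip, socket_resolver))
    else:                                      # no network: run the constructed sample
        report = audit_subnet("198.51.100.0/24",
                              ["198.51.100.1", "198.51.100.90", "198.51.100.200"],
                              table_resolver)
        print(report["zone"], "served by", ", ".join(report["nameservers"]))
        for check in report["checks"]:
            print(check)
        print(f"{report['confirmed_fraction']:.0%} of sampled hosts forward-confirm")
```

Run it with no arguments to see the constructed sample, or pass the addresses from your ipfw log to check them live. The point of the third step is the one the post relies on: the name in a PTR record is only as trustworthy as the operator of the reverse zone, so a host is attributed to a domain only when that domain's own A record points back at the address.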


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message