| 2:05 am on May 23, 2013 (gmt 0)|
Google's PageSpeed Insights is now using Amazon AWS to generate website performance reports. IPs vary.
Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.93 Safari/537.36 PTST/111
| 2:14 am on May 23, 2013 (gmt 0)|
Here is the IP list. Notice the Verizon IP. All of these hits (plus the duplicates I deleted) was generated from one performance report.
| 2:26 am on May 23, 2013 (gmt 0)|
Sorry for the multiple posts. I have a lot of data to sort through.
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; PTST 2.295)
Only the 74.125. range used the X_headers I posted above. Looks like this service still has some bugs:
Mozilla/5.0 (en-US) AppleWebKit/[WEBKIT_VERSION] (KHTML, like Gecko) Chrome/[CHROME_VERSION] Safari/[WEBKIT_VERSION] pss-webkit-request
| 7:03 pm on Jun 5, 2013 (gmt 0)|
New (to me) amazon IP range...
126.96.36.199 - 188.8.131.52
Found, oddly enough, by a report that amazon(.)in was now active. The Indian web site is apparently hosted in Ireland.
All MX records for the domain are in Amazon US ranges.
No indication of dates in DNS so no idea when the range was registered.
| 7:08 pm on Jun 5, 2013 (gmt 0)|
Good find, thanks!
| 2:40 am on Jun 10, 2013 (gmt 0)|
And in the future some of the bad bots coming to you from AWS might be from the CIA
| 6:48 pm on Jun 10, 2013 (gmt 0)|
Maybe bots, but from commentaries this week it seems that the garnered data from such as verizon and others ("possibly" including facebook and G) is being processed by cloud-based computers.
Which, given the potential vulnerability and actual use by criminals of cloud-based services, is very scary!
| 2:05 am on Jun 11, 2013 (gmt 0)|
I bumped into that the other day too, but in a very slightly different range:
inetnum: 184.108.40.206 - 220.127.116.11
descr: Amazon Data Services Ireland
An undesirable visitor showed up and it was just barely outside an OVH block so I ran a whois and got that info.
| 10:53 pm on Jul 17, 2013 (gmt 0)|
Query: Is Merck simply selling off the 54. range piece by piece to Amazon?
18.104.22.168 - - <snip> "GET /ebooks/perez/Perez.html HTTP/1.1" 200 11940 "http://yandex.ru/yandsearch?text=the+perez&lr=213" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
22.214.171.124 - - <snip> "GET /ebooks/perez/Perez.html HTTP/1.1" 200 11940 "http://yandex.ru/yandsearch?text=the+perez&lr=213" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
... in each case accompanied by a full complement of supporting files with plausible timing. If there hadn't been two of them, I would never have noticed.
To forestall the obvious rejoinder: MSIE 6 gets a free pass under certain circumstances. Once of those is an apparent search-engine query. I don't know what "lr=213" (that exact number) means, but I am now going to block it independently, because I have only seen it in forged yandex referers.
Further puttering around reveals that 54.222-223, which I'd somehow got flagged as Australia, is in fact Amazon China. Click! And still further puttering suggests that all of 126.96.36.199/10 now belongs to assorted tentacles of Amazon. Some of them look definitely humanoid, which is annoying.
| 7:32 pm on Jul 18, 2013 (gmt 0)|
Thanks Lucy, didn't have this range:
188.8.131.52 - 184.108.40.206
| 8:25 pm on Jul 18, 2013 (gmt 0)|
Lucy - thanks for the downward extension. I only had it down to 208 before now. I now have the range 54.192/10 blocked (ie everything from 192).
I now have 28 ranges for Amazon, all blocked, deserved or not.
I've recently been reviewing my proxy blocking policy: a lot of mobile devices are coming from proxies. Specifically I notice a lot of hits are using amazon IPs as proxies. They are out of luck but I think I'm going to check for proxy+amazon and show a warning page: "Do not use Amazon!".
| 6:46 am on Oct 28, 2013 (gmt 0)|
Latest hits from AWS, just in the last fifteen minutes:
| 8:25 pm on Oct 28, 2013 (gmt 0)|
The upper /10 of 54 is all amazon. See an earlier posting for latest amazon ranges.
| 9:47 pm on Oct 28, 2013 (gmt 0)|
|a lot of mobile devices are coming from proxies. Specifically I notice a lot of hits are using amazon IPs as proxies |
I've noticed this as well. In the last couple months I've received a couple emails from different users asking why they're being blocked. Tracing it back, they were either tablet or mobile phones coming from Amazon ranges.
| 10:08 pm on Oct 28, 2013 (gmt 0)|
|Tracing it back, they were either tablet or mobile phones coming from Amazon ranges. |
Are there distinct subranges where you can poke holes? Or do you detour to check for an X-Forwarded-For header? (Assuming there was one.)
| 12:35 am on Oct 29, 2013 (gmt 0)|
I haven't been looking at the ranges long enough to determine whether they were assigned, or just an open proxy that moves dynamically as available. As we know, Amazon is not forthcoming with their customer info.
Now that you bring it up, I may add some conditions to get a better watch with headers.
| 7:51 pm on Oct 29, 2013 (gmt 0)|
I block amazon, period. If I detect an IP being used for proxying I issue a warning** on the reject page to the effect they should use direct IP access. This also applies to some G, Y and other proxy sources.
** that's if I already know the forward-for IP is a valid DSL line. If it's a server they are on their own; if I do not yet know its status, they are on their own until I parse it later in the day.