| 4:59 pm on Sep 27, 2013 (gmt 0)|
|Any idea what is that "DAPPER-HOST-IP" |
Sorry... don't know, don't care. I block Baidu:
184.108.40.206 - 220.127.116.11
18.104.22.168 - 22.214.171.124
126.96.36.199 - 188.8.131.52
184.108.40.206 - 220.127.116.11
What I do care about is whether I'm missing any Baidu ranges.
| 7:27 pm on Sep 27, 2013 (gmt 0)|
I have this range also:
18.104.22.168 - 22.214.171.124
it is allocated but not in use at the moment.
| 7:34 pm on Sep 27, 2013 (gmt 0)|
If it's Japan I let it through. If it's China it's blocked. One or more of my customers gets trade from Japan but not from China. I know it's likely the results are pooled but that's the way it is. :)
I've also had baiduspider (Hong Kong) visit from the European (RIPE) range of 126.96.36.199/22.
Why do you think 188.8.131.52/12 is baidu? DNS shows it as Unicom and it LOOKS as if it's (mostly) a DSL range. I have two baidu sub-ranges within that at 184.108.40.206/24 and 220.127.116.11/24. I have notes on another couple of /24 in that neighbourhood but no rDNS found (this was two or three years ago). Needless to say, China: blocked.
bhukkel - thanks for the new range!
[edited by: dstiles at 7:36 pm (utc) on Sep 27, 2013]
| 7:36 pm on Sep 27, 2013 (gmt 0)|
I have the same log entries, only other page and dapper-host-ip. In my case it is a page that exists. Perhaps some kind of preview or translate service?
| 8:40 pm on Sep 27, 2013 (gmt 0)|
@bhukkel: the host in the request's header is not my domain!
@keyplyr: I do care about Baidu, I have my share from Baidu and hao123, I can't block it all; the spider's IP and this Dapper have the same IP range.
My server can handle the requests and simply return 404, but I want to know if this is safe, and are we missing something? The requests are about 5k/day!
| 8:53 pm on Sep 27, 2013 (gmt 0)|
fwiw: if you go to dapper.net you get redirected to a Yahoo! Advertising page with that purple new* logo. Dapper also seems to be a Linux server.
67.228-229 is SoftLayer, another Shoot To Kill range.
That about sums it up.
* Idle query: would a non-native speaker recognize that this usage is wrong when not used for humorous effect?
| 3:51 am on Sep 28, 2013 (gmt 0)|
|Why do you think 18.104.22.168/12 is baidu? |
dstiles- in the early days of Baidu, it crawled from different spots in this range previous to its own assignments (you may be correct with your sub-ranges.) However since it is all China, I just broadened the block at some point. My notes say I added this range in 2005.
As I block absolutely everything from China I find, even if Baidu no longer uses this range, it matters not to me. It remains blocked, along with the other China Unicom and Chinanet ranges. But thanks for the heads-up. Always good to update my notes with current/accurate info :)
Thanks bhukkel, didn't have that one.
|67.228-229 is SoftLayer, another Shoot To Kill range |
Lucy - I have 22.214.171.124/16 as Softlayer (blocked), but 126.96.36.199/16 I have as VPLS.net a reseller biz hosting service, with the mothership being Krypt Technologies (blocked) a nefarious dedi/cloud server farm.
| 5:50 pm on Sep 28, 2013 (gmt 0)|
I didn't have the Krypt one but I do now. Thanks, Lucy. :)
A slight digression from topic but my full VPLS_Krypt list is now:
I try to be fair about China (Ukraine, Russia, Korea, etc). I mark them as potential trouble and block them from accessing some UK-only web sites. On others I let them through. If an IP causes trouble it gets temporarily blocked. If several IPs in a sub-range or complete range give trouble, the offending range is permanently blocked. Occasionally I'll check UCE-Protect and block permanently if they are on a serious blockage there. This does not, of course, pertain to servers, which are blocked anyway.
I do find that some Chinese districts seem to be worse than others either due to more aggressive "operators" or (more likely) more prone to getting viruses and hence becoming botnet members.
| 7:12 pm on Sep 28, 2013 (gmt 0)|
Thanks for the Krypt ranges dstiles. Didn't have 2 of those.
Well, China is indeed a complicated subject. Unfair as it may be, I just don't have the time to micro-manage those endless ranges.
| 8:36 pm on Sep 28, 2013 (gmt 0)|
|I try to be fair about China (Ukraine, Russia, Korea, etc). I mark them as potential trouble and block them from accessing some UK-only web sites. On others I let them through. If an IP causes trouble it gets temporarily blocked. |
I have some parts of the world on a "one-strike" rule. If I meet a bad robot from anywhere that turns out to be from Eastern Europe (in practice = Poland + former Soviet, greater leeway for Baltic) the range is generally blocked. Someone hereabouts said that IP addresses in this geographical area tend to be mixed human ISPs and servers, so you can't readily classify them as one or the other. The same may well apply to parts of southeast Asia, but I haven't met enough of them to bother with.
Don't know if other people's experience is similar. But robots from Brazil or Vietnam or whatnot tend to be one-offs, while a Ukrainian robot once established will keep hammering away forever.
|220.127.116.11/16 I have as VPLS.net a reseller biz hosting service, with the mothership being Krypt Technologies |
Well, if you want to spend time searching the corpses for ID, it's your lookout ;)
| 6:15 pm on Sep 29, 2013 (gmt 0)|
I haven't seen a great deal of mixed human/server anywhere as a policy. Depending on the country a lot of people decide to run servers from their broadband-based machines or have servers run for them by trojans/botnets. Some of this is evil users but the botnet stuff is usually lack of computer literacy or lack of a good OS (eg Windows clones, which MS will not (understandably) feed Updates to).
You are probably correct about Brazil, Vietnam etc and I would class those as probably "computer illiteracy" in some form.
Shame about Brazil because, in conjunction with some European countries and a few others, it's trying to build a new and safer internet. Already in demo, from what I can gather, but it will probably be a few more years yet. Certainly it's way past time someone built a decent internet. :(
Poland - I had a lot of dynamic IP hits last year and the year before but very little this year. It's not one I block as I would UA or RU, for example. My semi-blocked countries are:
| 5:26 pm on Oct 8, 2013 (gmt 0)|
|Host: subdomain.Not-my-domain.com |
This just means someone (or something, i.e. the bot) has set up his/her/its DNS or local hosts file to point this domain to your IP address. Because the request is for "subdomain.Not-my-domain.com", it will show up as such in your logs. God knows to what purpose, but there you go. It's harmless.
| 8:49 pm on Oct 8, 2013 (gmt 0)|
@robzilla, finally someone sees how dangerous this is, but why is Baidu doing this?
| 10:12 pm on Oct 8, 2013 (gmt 0)|
The IP addresses I've seen don't seem to be connected to Baidu (other than being Chinese). Example:
|18.104.22.168 - - [08/Oct/2013:18:04:34 +0200] "GET /contatoEstabelecimento.cfm HTTP/1.1" 404 1229 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)DAPPER-HOST-IP:22.214.171.124" |
126.96.36.199 - - [08/Oct/2013:18:11:22 +0200] "GET /felfel62003/calendar/20100416 HTTP/1.1" 404 1229 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)DAPPER-HOST-IP:188.8.131.52"
The "DAPPER-HOST-IP" addresses look pretty random to me.
| 12:31 pm on Oct 9, 2013 (gmt 0)|
It is not random: a fixed 20k hits/day, from the same subnet. The Whois data is:
China Beijing Beijing Baidu Netcom Science And Technology Co. Ltd.
When I blocked that subnet it stopped for 2 days, then restarted with another IP registered for (Baidu Netcom Science And Technology).
Either they are phishing their own customers or they have a messed up proxy server!
| 3:02 pm on Oct 9, 2013 (gmt 0)|
Yesterday I had 40k DAPPER-HOST-IP hits from different subnets, but all from China.
| 9:20 am on Oct 10, 2013 (gmt 0)|
Might want to block user agents containing "DAPPER-HOST-IP" then.
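
Before blocking on the user agent, it helps to measure what the marker traffic looks like in your own logs. The script below is an added example, not something posted in the thread: it parses combined-format access log lines like the ones quoted above, keeps only requests whose user agent carries `DAPPER-HOST-IP`, and counts them per source /24 and per response status. The names `summarize` and `SAMPLE_LOG` are assumptions, and the sample lines are constructed with documentation address ranges.

```python
import ipaddress
import re
from collections import Counter

# Apache/nginx "combined" format. User agents containing escaped quotes
# will not match and are reported as unparsed rather than guessed at.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
# The marker is appended to the user agent, followed by a dotted-quad value.
MARKER_RE = re.compile(r'DAPPER-HOST-IP:(?P<ip>\d{1,3}(?:\.\d{1,3}){3})', re.I)

# Constructed sample lines (RFC 5737 documentation ranges, not real traffic).
SAMPLE_LOG = """
192.0.2.10 - - [08/Oct/2013:18:04:34 +0200] "GET /missing-page.cfm HTTP/1.1" 404 1229 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)DAPPER-HOST-IP:203.0.113.7"
192.0.2.10 - - [08/Oct/2013:18:11:22 +0200] "GET /calendar/20100416 HTTP/1.1" 404 1229 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)DAPPER-HOST-IP:203.0.113.99"
192.0.2.77 - - [08/Oct/2013:18:12:01 +0200] "GET /other HTTP/1.1" 404 1229 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)DAPPER-HOST-IP:203.0.113.7"
198.51.100.5 - - [08/Oct/2013:18:13:40 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)DAPPER-HOST-IP:203.0.113.200"
203.0.113.50 - - [08/Oct/2013:18:14:02 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"
"""

def summarize(log_text):
    """Count marker-bearing requests by source /24 and by HTTP status."""
    by_subnet, by_status, embedded = Counter(), Counter(), Counter()
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed += 1
            continue
        marker = MARKER_RE.search(m["ua"])
        if not marker:
            continue  # ordinary visitor, not part of this pattern
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            unparsed += 1  # hostname or junk in the client field
            continue
        prefix = 24 if src.version == 4 else 48
        by_subnet[str(ipaddress.ip_network(f"{src}/{prefix}", strict=False))] += 1
        by_status[m["status"]] += 1
        embedded[marker["ip"]] += 1
    return {"hits": sum(by_subnet.values()), "by_subnet": dict(by_subnet),
            "by_status": dict(by_status), "embedded_ips": len(embedded),
            "unparsed": unparsed}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

If the hits concentrate in a few subnets, a range block covers them; if they are spread out, as the later posts report, matching on the user-agent marker is the more stable filter.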