False agent-name and False IP

A real pain in the.......

         

sanuk

5:44 pm on Jun 18, 2003 (gmt 0)

10+ Year Member



Hi,

I have someone or a robot asking for the same file over and over for a couple of hours now.
I mean asking for the same file a couple of times PER SECOND.

I looked up the IP at Sam Spade but it does not resolve.

Here is what I have in the Log File:

Host: 209.120.191.31 (This does not resolve to a valid DNS)
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Regards,
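One way to confirm this pattern from the access log, as an added example that is not part of the original thread: the function below reports every client IP and path whose peak request count within a single second reaches a threshold. It assumes Apache combined log format; the sample lines, the path `/page.html` and the second client `192.0.2.10` are constructed.

```shell
#!/bin/sh
# flood_sources MIN: read access-log lines (combined format assumed) on stdin
# and print "IP PATH PEAK" for every client/path pair that was requested at
# least MIN times within one clock second.
flood_sources() {
    awk -v min="$1" '
        {
            key = $1 " " $7              # client IP and requested path
            n = ++hits[key, $4]          # $4 = "[dd/Mon/yyyy:hh:mm:ss", a one-second bucket
            if (n > peak[key]) peak[key] = n
        }
        END {
            for (key in peak)
                if (peak[key] >= min) print key, peak[key]
        }
    ' | sort
}

# Constructed sample input: one client repeating a file, one ordinary visitor.
sample_log() {
    cat <<'EOF'
209.120.191.31 - - [18/Jun/2003:17:40:01 +0000] "GET /page.html HTTP/1.0" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
209.120.191.31 - - [18/Jun/2003:17:40:01 +0000] "GET /page.html HTTP/1.0" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
209.120.191.31 - - [18/Jun/2003:17:40:01 +0000] "GET /page.html HTTP/1.0" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
209.120.191.31 - - [18/Jun/2003:17:40:02 +0000] "GET /page.html HTTP/1.0" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
209.120.191.31 - - [18/Jun/2003:17:40:02 +0000] "GET /page.html HTTP/1.0" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
192.0.2.10 - - [18/Jun/2003:17:40:01 +0000] "GET /index.html HTTP/1.0" 200 2048 "-" "ExampleBrowser/1.0"
192.0.2.10 - - [18/Jun/2003:17:40:02 +0000] "GET /page.html HTTP/1.0" 200 5120 "-" "ExampleBrowser/1.0"
EOF
}

# Report pairs that reached 3 or more requests in one second.
sample_log | flood_sources 3
```

Because the count is keyed on IP and path together, a browser fetching many different files for one page view is not reported; only repeated requests for the same file are.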

roscoepico

5:53 pm on Jun 18, 2003 (gmt 0)

10+ Year Member



Ban 'em. Also try www.arin.net for ip lookups, I tried the IP listed and it resolves to a service provider.

sanuk

6:00 pm on Jun 18, 2003 (gmt 0)

10+ Year Member



Hi,

I have banned them.
But now it is stuffing up my logs with several 403 error messages per second.
Meaning also that I am losing bandwidth with serving several 403 pages every time.

Regards
Sanuk

wilderness

9:18 pm on Jun 18, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



losing bandwidth with serving several 403

sanuk
I sent this same reply on another thread :(

Change your deny line to :

RewriteRule ^.*$ - [F]

This will result in ZERO bandwidth.
The 403 line will still read. Just no KB's

sanuk

9:49 pm on Jun 18, 2003 (gmt 0)

10+ Year Member



Hi Wilderness,

Thanks for the reply.

The problem has been solved in the meanwhile.
I contacted support (where my server is located) and they solved it in the following way.
I am printing this here as this can maybe help someone in the future.

############
I have instructed your server to not respond to any requests (ping or otherwise) from this address using the following line:
/sbin/route add -host 209.120.191.31 gw 127.0.0.1
You should no longer have problems with this IP.
############

And yes, as if by magic everything has stopped. I was getting over 10 requests per second from 209.120.191.31.

The only thing I would like to know is where he has put this line?
I had a look in HTaccess and it is not in there.
So I think it is somewhere in Apache/Config but I don't know where.

Regards and thanks again for the replies,
Sanuk

sanuk

9:52 pm on Jun 18, 2003 (gmt 0)

10+ Year Member



By the way Wilderness, I don't understand what you mean with:

"I sent this same reply on another thread :( "

Regards,
Sanuk

drbrain

9:56 pm on Jun 18, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



'route' is a system utility. The admin redirected any and all packets from that IP address into the bit bucket. Use 'netstat -ran' to see the routes set up on that server.

sanuk

10:07 pm on Jun 18, 2003 (gmt 0)

10+ Year Member



Hi DrBrain,

You mean telnet (ssh in reality) with putty into the root and then type in "netstat -ran" (without the quotes)
Is that what you mean?

I am a little new to all of this, the server is only a couple months old. Everything went so fast.

But surely, this line should be written somewhere in a file inside the root?

Regards,
Sanuk

littleman

10:21 pm on Jun 18, 2003 (gmt 0)



whois YIPES-BLK4

OrgName: Yipes Communications, Inc.
OrgID: YIPS
Address: 114 Sansome Street
City: San Francisco
StateProv: CA
PostalCode: 94104
Country: US

NetRange: 209.120.128.0 - 209.120.255.255
CIDR: 209.120.128.0/17
NetName: YIPES-BLK4
NetHandle: NET-209-120-128-0-1
Parent: NET-209-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.YIPES.COM
NameServer: NS2.YIPES.COM
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2001-07-05
Updated: 2002-02-01

....


OrgAbuseHandle: ABUSE21-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-303-785-4450
OrgAbuseEmail: abuse@yipes.com

....

wilderness

10:21 pm on Jun 18, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



By the way Wilderness, I don't understand what you mean with:
"I sent this same reply on another thread "

In the thread below you inquired of the same solution "too much bandwith on 403's,"

I replied with the same answer.

[webmasterworld.com...]

drbrain

10:24 pm on Jun 18, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You don't need to be root to view the routing table (which is what 'netstat -ran' will do), but you do need to be root to modify the routing table (which is what /sbin/route does).

From what the support person wrote, I doubt that this is actually permanently recorded on the machine, and only lives in the routing table. Ask your support person for more information. If the route is only recorded in the routing table, it will disappear when the system is rebooted.

Do not attempt to modify your routing table unless you really understand what you're doing. You can drop your box off of the network really quickly that way, and the only way you'll get it back up is to have the support person go out to the box's console and fix it.

[freebsd.org...] is FreeBSD's manpage for route(8). Depending on the OS of your machine, this may or may not apply. See also netstat(1): [freebsd.org...]

GeorgeGG

10:36 pm on Jun 18, 2003 (gmt 0)

10+ Year Member



Whois query by IP address allocation:

'whois -h whois.arin.net 209.120.191.31'
Yipes Communications, Inc. YIPES-BLK4 (NET-209-120-128-0-1)
RWE Americas Trading, Inc. YIPS-RWE-S01 (NET-209-120-191-0-1)
'whois -h whois.arin.net NET-209-120-191-0-1'

OrgName: RWE Americas Trading, Inc.
<snip>
NetRange: 209.120.191.0 - 209.120.191.255

.....................
NetGeo Results:
TARGET: 209.120.191.31
NAME: YIPS-RWE-S01
NUMBER: 209.120.191.0 - 209.120.191.255
<snip>
DOMAIN_GUESS: rwetradingamericas.com

GeorgeGG

sanuk

10:41 pm on Jun 18, 2003 (gmt 0)

10+ Year Member



Hi,

Thanks DrBrain, I will take it up with support and not touch it myself.

For Wilderness,

The problem is that this 403 by "RewriteRule ^.*$ - [F]" takes bandwidth on my site.
Every time a custom 403 page is served and I also have an entry line for this 403 error in the log files.

In my case, the Redirect takes less bandwidth, with only about 300 bytes used for this redirect.
Maybe this has something to do with a different server setup.

And also thanks to Littleman, I had also found that it came from an IP on the block of "Yipes Communications" and had sent them an e-mail some 5 hours ago to complain.
Until now I only got the following auto-reply e-mail back
###########
We have received your message regarding "www.yipes.com your IP 209.120.191.31 is spamming", the content of which appears below.
Your message has been assigned a tracking ID of 79828.
##########

I am thinking that what happened here is some kind of home-made robot that started looping. But I will be happy to hear your ideas about this matter.

Thanks to all for the replies
and greetings from Thailand

Sanuk

claus

10:57 am on Jun 19, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi all, this is my first post here, pleased to meet you :)

The problem is that this 403 by "RewriteRule ^.*$ - [F]" takes bandwidth on my site.
Every time a custom 403 page is served and I also have an entry line for this 403 error in the log files.

sanuk: the rewrite rule ^.*$ - [F] does this:

1) it checks if the filename requested has a start and an end (^ and $)

2) it checks if, between this start and end, there are any number of any type of character (.*)

3) if 1) and 2) are true the server will not serve anything to the client making a request (-)

4) also, the server will return the status code 403 Forbidden ([F])

Essentially, this means that any file requested will give a 403 error. But (I'll get to the heart of the matter now):

You have a customized 403 page. This page is probably located somewhere on the same host, and thus You will not get one 403-error, but actually two 403-errors per request.

Having a customized 403-page implies that this page has a file-name. But - as explained in 1) and 2) above - all requests to all file names will return a 403.

This means that Your server will first serve the 403 for the original request (the one from host You want to ban) and then it will look for Your customized error document, as this should be presented in this case.

However, the server quickly finds out, that it cannot serve documents with any filename to this host, which implies that it generates two 403-errors - one for the originally requested document, and one for the customized error document.

Try this instead:

RewriteRule!^.*403\.htm$ - [F]

Assuming that the filename of Your error-document is "403.htm" (and that no other filenames on Your domain ends in "403.htm") - this sentence will deny access to any document-filename that:

1) does not match the following (!)

2) it has a start and an end (^ and $)

3) at the start there can be any characters any number of times (.*)

4) the filename contains "403.htm" (403\.htm)

5) and nothing follows the "m" in "htm" (m$)

Meaning: all other requests than the ones ending in "403.htm" will result in a 403-error.

Implying: The original request from the unwanted host will result in only one 403-error per request instead of two.

Side effect: Your customized 403-page will be shown, as presumably intended :)

This should confuse Your server a little less, plus: it will reduce the 403-codes by 50%

Hope it helps.
/claus

claus

11:00 am on Jun 19, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



RewriteRule!^.*403\.htm$ - [F]

oops, syntax error: please note that there should be a space between the "RewriteRule" and the "!"

The right syntax is:

RewriteRule !^.*403\.htm$ - [F]

-sorry about that, it seems that this forum has a problem with spaces in some instances. There should be one space only, but I cannot make the forum accept it although it looks okay in the preview. Hope it's okay now.
/claus
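The effect claus describes, as an added example that is not part of the original thread: a simplified shell model (not Apache itself) of a catch-all `[F]` rule applied first to a banned client's request and then to the internal request for the custom error page. The function names, `page.html` and the assumption that paths are matched without a leading slash are hypothetical; `403.htm` is the file name claus assumes.

```shell
#!/bin/sh
# rule_forbids RULE PATH: succeeds if a "RewriteRule RULE - [F]" would answer
# 403 for PATH. A leading "!" negates the pattern, as in RewriteRule.
rule_forbids() {
    case $1 in
        '!'*) ! printf '%s\n' "$2" | grep -Eq -- "${1#?}" ;;
        *)    printf '%s\n' "$2" | grep -Eq -- "$1" ;;
    esac
}

# handle_request RULE PATH ERRDOC: print what a banned client receives.
# Models the original request plus the internal request for the ErrorDocument,
# which passes through the same rule.
handle_request() {
    if ! rule_forbids "$1" "$2"; then
        echo "200 $2"
    elif rule_forbids "$1" "$3"; then
        # The error page is forbidden too, so the server's built-in 403 body is sent.
        echo "403 built-in (rule fired 2x)"
    else
        echo "403 $3 (rule fired 1x)"
    fi
}

# Catch-all rule: the custom error page is itself denied.
handle_request '^.*$' 'page.html' '403.htm'
# Rule with the exception: the custom page is delivered with the 403.
handle_request '!^.*403\.htm$' 'page.html' '403.htm'
# Consequence of the exception: the banned client can fetch 403.htm directly.
handle_request '!^.*403\.htm$' '403.htm' '403.htm'
```

The third call shows the cost of the exception: any file whose name ends in `403.htm` stays reachable for the banned client, so the error page should contain nothing sensitive and stay small.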