Covenant Eyes meets AboveNet

         

lucy24

11:00 pm on Nov 1, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Good description of their activities from jdMorgan here [webmasterworld.com].

Personal opinion: anyone who requests all supporting files* associated with a page they have already been 403'd from deserves to be blocked. I mean, they've already got the information they came in for, haven't they?

69.41.0.0/20: check
(They seem to have 69.41.14.215 and ..130 allocated to me, as they've never used anything else)

64.124.98 within AboveNet 64.124.0.0/15: check
(Log check says they've never used anything but the exact IP 64.124.98.9 -- on unrelated visits spanning several years)

Now, what's with
128.177.108 within 128.77 also AboveNet?
(And again: nothing but 128.177.108.218) Obviously part of the package, but as with 64.124.etcetera they won't come out and say so, where "say so" = show up by name in ARIN searches.

Cross-check with ARIN turns up two almost-adjacent IPv6 ranges
2607:F038:FFFF:1:: - 2607:F038:FFFF:1:FFFF:FFFF:FFFF:FFFF
2607:F038:FFFE:: - 2607:F038:FFFE:FFFF:FFFF:FFFF:FFFF:FFFF
but nothing in IPv4.

Aside: What the heck is AboveNet, anyway? They're not servers, so you can't just block them; I've found humans from nearby IPs.


* They've visited in the past, but really came to my attention when they landed on one of my games, which by their nature have so many supporting files, I routinely find 503 errors in logs. This is the internet equivalent of jumping up & down waving your arms and shouting.

keyplyr

2:23 pm on Nov 2, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I would like to allow Covenant Eyes (as I do other content monitoring services) since my publications are used by schools, libraries, etc.; however, I continue to get vulnerability probes from their ranges. From today...

"GET / HTTP/1.0" 403 1498 "-" "-"
"GET /wp-login.php HTTP/1.0" 403 1498 "-" "-"
"GET /administrator/index.php HTTP/1.0" 403 1498 "-" "-"
"GET /user HTTP/1.0" 403 1498 "-" "-"
"GET /admin.php HTTP/1.0" 403 1498


These are either infected machines or possibly the security software itself pushing the limits of my tolerance, so they remain blocked but by UA.

What the heck is AboveNet, anyway? They're not servers, so you can't just block them; I've found humans from nearby IPs.

zayo.com (formerly Abovenet) is absolutely servers. Some nodes are allocated for cloud, some for residential connectivity, but most for international business services (dark fiber, data storage, corporate intranet, data center & collocation.)

I've seen a lot of bad behavior coming from them over the years, so I allow all their ranges (about a dozen) but with conditions. They do have a range allocated for mobile connectivity. Also several schools host there (example: Julliard School of Music.)
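Added example, not code from either poster: a Python log check that combines the two posts above, matching client IPs against the ranges quoted in the thread (the ARIN first-last IPv6 pairs are converted to CIDR) and flagging login/admin paths requested without a user-agent. The function names, the combined log format and the sample lines (IPs and timestamps included) are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# IPv4 ranges quoted in the thread.
WATCHED = [ipaddress.ip_network(n) for n in ("69.41.0.0/20", "64.124.0.0/15")]
# The ARIN IPv6 ranges are quoted as first-last pairs; convert them to CIDR.
for first, last in [
    ("2607:F038:FFFF:1::", "2607:F038:FFFF:1:FFFF:FFFF:FFFF:FFFF"),
    ("2607:F038:FFFE::", "2607:F038:FFFE:FFFF:FFFF:FFFF:FFFF:FFFF"),
]:
    WATCHED += ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))

# Paths taken from the log excerpt in the post above.
PROBE_PATHS = {"/wp-login.php", "/administrator/index.php", "/user", "/admin.php"}

# Combined log format (assumed). Referer and user-agent are optional because
# the last line of the excerpt has neither field.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "\S+ (?P<path>\S+) [^"]*" \d{3} \S+'
    r'(?: "[^"]*" "(?P<ua>[^"]*)")?')

def in_watched(ip):
    """True if ip falls inside one of the ranges listed in the thread."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net for net in WATCHED)

def summarize(lines):
    """Per client IP: login/admin paths requested without a user-agent."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if m and m["path"] in PROBE_PATHS and (m["ua"] or "-") == "-":
            hits[m["ip"]].append(m["path"])
    return {ip: {"watched": in_watched(ip), "paths": p} for ip, p in hits.items()}

# Constructed sample: requests mirror the excerpt; IPs and timestamps are made up.
TS = "[02/Nov/2015:14:20:01 +0000]"
SAMPLE = [
    f'69.41.0.10 - - {TS} "GET / HTTP/1.0" 403 1498 "-" "-"',
    f'69.41.0.10 - - {TS} "GET /wp-login.php HTTP/1.0" 403 1498 "-" "-"',
    f'69.41.0.10 - - {TS} "GET /administrator/index.php HTTP/1.0" 403 1498 "-" "-"',
    f'69.41.0.10 - - {TS} "GET /admin.php HTTP/1.0" 403 1498',
    f'203.0.113.7 - - {TS} "GET /user HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (sample)"',
]

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE).items():
        print(ip, "watched" if info["watched"] else "other", info["paths"])
```

Keeping the range check separate from the behaviour check lets a range stay allowed "with conditions" while only the empty-UA probe pattern is acted on.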

lucy24

9:38 pm on Nov 2, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



so they remain blocked but by UA

Since their UA is still the same FF 3.0 that they used 5 years ago (it's quoted somewhere in the thread I linked to above), I definitely don't need to take any special action ;)

Also several schools host there (example: Juilliard School of Music.)

Yikes. I don't suppose I have any content that would be attractive to Juilliard*, but they're certainly not someone I would want to block.


* Couldn't figure out where the "i" went so I looked it up. Aha: it goes in both places. Sometimes, darn it, google's second-guessing is good for something.

keyplyr

1:50 am on Nov 3, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Whoops... guess I'm just geared toward improvisation

lucy24

2:42 am on Nov 3, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



:: insert wisecrack about Juilliard vs. Berklee here ::