A bunch of 10.*.*.* IPs in my referrer logs

Forum Moderators: phranque

Message Too Old, No Replies

A bunch of 10...* IPs in my referrer logs

What are they?

jake66

6:15 am on Mar 8, 2008 (gmt 0)

When I do a whois on one of these addresses, I get:
NetType: IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment: This block is reserved for special purposes.
Comment: Please see RFC 1918 for additional information:
Comment: [arin.net...]

the link doesn't give me any answers (that I can understand), but I noticed this ip:
192.168.0.0 ...similar to my router.

So is somebody simply accessing my site from their home network?

The "referring page" is always something strange like:
*.*.*.*:*/cgi-bin/blockOptions.cgi
or
*.*.*.*:*/cgi/warn.cgi

They appear 2-4 times a month, each and have been for the past 6+ months.

If I block all 10.* IPs via htaccess, will I also block people with IPs like:
65.10.... etc. etc...

SEOMike

8:08 pm on Mar 10, 2008 (gmt 0)

The 10.* and 192.* IP blocks should not appear on the internet:

The [address blocks you mentioned] are reserved for use on private networks, and should never appear in the public Internet. There are hundreds of thousands of such private networks (for example home firewalls sometimes make use of them). The IANA has no record of who uses these address blocks. Anyone may use these address blocks within their own network without any prior notification to IANA.

from: [iana.org...]

The blackhole servers are part of IANA that you normally shouldn't see. The servers respond to inverse queries regarding non-routable IPs. (private IPs) Basically, if your network is asking the internet for something that's not supposed to be out there, the blackhole servers will respond. A local address of 192.* or 10.* should not be leaking out from your local network, and since they are, someone has to answer the DNS's question. The DNS asks what server those IPs belong to, and the answer to that comes from the IANA.org servers. You need to get your network admin to look at this because it appears that your local IPs are "leaking" onto the internet.

jake66

4:45 am on Mar 11, 2008 (gmt 0)

How can I be sure that these IPs are actually coming from me? I don't use any .cgi scripts on any of my sites and neither does anyone on my server (a few relatives, all of which I have full access to their sites and I've checked).

jdMorgan

5:02 am on Mar 11, 2008 (gmt 0)

These are typically referrals from networks using content filters (note "blockOptions," as in "Block this site").

Instead of looking at the referrer IP address, it's generally more useful to look at the requesting IP address.

Jim

jake66

6:55 am on Mar 11, 2008 (gmt 0)

The 10.*** IP is actually the requesting IP. It shows up in my logs as a "website" under referring pages.

If you mean to catch them when they're online, I've never been able to spot them in action to see if the person's IP was the same. Is there a way to check some sort of logs for that?