IPs blocked

Jan 03, 2017 12:49

Scrolling quickly through messages telling me which IP addresses have been autoblocked on various websites that I work on, because of dodgy-looking activity over the festive season, I notice that there is a sudden upswing in Russian and Ukrainian IP addresses. (My sites are almost all hosted in the UK, because dealing with the data wrangles of

internet, technology, work, life is not like star wars

Comments 10

helflaed January 3 2017, 17:43:02 UTC
LJ have moved to servers in Russia - could this be it?

bunn January 3 2017, 17:58:02 UTC
It seems unlikely: none of my sites have anything to do with Livejournal, the only thing they have in common with LJ is me. It just struck me as unusual: usually it's all US and France, maybe a bit of China, India and Germany.

The number of attempts to get into them has increased vastly over the last few years and we have even been DDoSed a bit - I don't think deliberately, I think probably just someone with a botnet being a bit overenthusiastic and filling in ALL THE FORMS at once. It's a pain.

bunn January 4 2017, 08:44:54 UTC
... though actually, you do have a point there, in that that's probably why I noticed it. If I'd riffled through the logs and suddenly it had all been Mexico or India, I'd just have assumed it was a blip. Because of all the blog posts about Russian servers, I stared at them trying to make sense of a pattern.


dhampyresa January 3 2017, 20:54:32 UTC
IT WEREN'T ME

bunn January 3 2017, 21:21:26 UTC
Wahaha!

I BET IT IS REALLY. THIS EXPLAINS SO MUCH.

dhampyresa January 5 2017, 21:45:38 UTC
YOU CAN'T PROVE NOTHING


kas2umi January 3 2017, 22:59:08 UTC
I don't know if this might help but could it be that someone has been using the Tor network to access them? I used to use Tor a lot in the past year and I noticed that each time I logged into my Gmail account while using Tor, I'd get a notification that someone from France/China/Italy etc. logged into my account. The country changed as I would change the settings of which IP route I was using.

Please do ignore my comment if it made no sense or was not at all helpful (I don't know much about these things haha)!

bunn January 4 2017, 08:50:18 UTC
No, that does make sense! But these notifications are not just for visitors, they are for attempted attacks - i.e., some software tried to guess a password, or submit a form with code in the submission, or access a location that would only exist if I was using some gadget that has a known vulnerability. Usually they do it repeatedly and the speed of resubmission is one way you can tell it can't be human.

So I don't think it's just that people out there are using Tor to look at my websites, although probably they are, and some of them definitely have international audiences anyway. It was specifically the pattern among attacks that caught my eye.

kas2umi January 4 2017, 11:28:21 UTC
Oooh, I understand now. Thanks for the clarification! Dunno what more advice to give than to be careful if those attacks continue!


topum January 7 2017, 22:26:48 UTC
They had to limit the access to the Moldovan ministry's online database we are using in our work only to domestic Moldovan IPs because otherwise they were hacked dozens of times a day by someone in China, Poland, US, India, Russia. Apparently people will hack anything these days if some obscure Moldovan forestry database gets attacked multiple times a day.
