Date:      Fri, 29 Jun 2001 14:05:12 -0500 (PDT)
From:      appleseed@hushmail.com
To:        To:@hushmail.com, George.Giles@mcmail.vanderbilt.edu
Cc:        Cc:@hushmail.com, freebsd-security@FreeBSD.ORG
Subject:   Re: What is ipfw telling me ?
Message-ID:  <200106292115.OAA06336@user7.hushmail.com>


Sup,
# First I check to see who controls the subnet attacking you
define.northern_ % host -t ns 46.239.216.in-addr.arpa
46.239.216.in-addr.arpa name server NS2.GOOGLE.COM
46.239.216.in-addr.arpa name server NS3.GOOGLE.COM
46.239.216.in-addr.arpa name server NS4.GOOGLE.COM
46.239.216.in-addr.arpa name server NS1.GOOGLE.COM

# looks like our friend Google.com controls the NS at least.
# let's check to see if these are really Google's hosts by picking
# random nodes
define.northern_ % host -t any 216.239.46.1
1.46.239.216.IN-ADDR.ARPA domain name pointer crawl1.googlebot.com
define.northern_ % host -t any 216.239.46.90
90.46.239.216.IN-ADDR.ARPA domain name pointer crawl4.googlebot.com
define.northern_ % host -t any 216.239.46.127
127.46.239.216.IN-ADDR.ARPA domain name pointer crawl5.googlebot.com
define.northern_ % host -t any 216.239.46.200
200.46.239.216.IN-ADDR.ARPA domain name pointer crawl8.googlebot.com
define.northern_ % host -t any 216.239.46.254
254.46.239.216.IN-ADDR.ARPA domain name pointer sjbi1-gige-6-1.google.com
define.northern_ %

According to our findings (and PTR->A lookup confirms) this subnet consists mainly
of Google's botnet, which scours the net searching for new sites to index. ;-)
I am going to assume here that someone is not spoofing Google just to target
your host on port 80. More than likely it's just good ol' Google trying to see if you
have anything interesting to index on your website (if you have one). If you want to
close off access to that subnet creating incoming tcp/udp sessions, I suggest you
upgrade to ipf (;-)) and define keep state rules as well as deny incoming session
initialization attempts. This way you can still access Google's nifty database but they
can't access you =)

much love.. 
northern_

Free, encrypted, secure Web-based email at www.hushmail.com
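The PTR-then-forward round trip the message relies on ("PTR->A lookup confirms") written out as a script. This is an added example, not code from the original post or from the FreeBSD project. The three 216.239.46.x PTR names are the ones in the `host` output above; the A records, the addresses 192.0.2.7, 203.0.113.9 and 198.51.100.5, the table functions and the names `fcrdns` / `classify_offline` are constructed for the demo so it runs offline. Swap `live_ptr` / `live_a` in for the table functions to run it against real DNS.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for source addresses seen in a
firewall log.  Added example, not from the original post.  Resolution is
injected so the demo runs offline against constructed lookup tables."""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple

PtrLookup = Callable[[str], Optional[str]]
ALookup = Callable[[str], List[str]]

# Constructed PTR table.  The first three entries repeat the post's `host`
# output; 192.0.2.7 claims to be a crawler but its name does not resolve back
# (see A_TABLE); 203.0.113.9 round-trips cleanly but is not a Google name.
PTR_TABLE: Dict[str, str] = {
    "216.239.46.1": "crawl1.googlebot.com",
    "216.239.46.90": "crawl4.googlebot.com",
    "216.239.46.254": "sjbi1-gige-6-1.google.com",
    "192.0.2.7": "crawl9.googlebot.com",
    "203.0.113.9": "mail.example.net",
}

# Constructed forward (A) table.  Whoever runs an in-addr.arpa zone can put any
# name in a PTR, so a PTR only counts when the name resolves back to the address.
A_TABLE: Dict[str, List[str]] = {
    "crawl1.googlebot.com": ["216.239.46.1"],
    "crawl4.googlebot.com": ["216.239.46.90"],
    "sjbi1-gige-6-1.google.com": ["216.239.46.254"],
    "crawl9.googlebot.com": ["216.239.46.99"],  # does NOT include 192.0.2.7
    "mail.example.net": ["203.0.113.9"],
}

TRUSTED_DOMAINS: Tuple[str, ...] = ("googlebot.com", "google.com")


def reverse_name(ip: str) -> str:
    """216.239.46.1 -> '1.46.239.216.in-addr.arpa', the name `host` asks for."""
    return ipaddress.ip_address(ip).reverse_pointer


def in_domain(name: str, domains: Tuple[str, ...]) -> bool:
    """True if name equals one of domains or is a subdomain of one."""
    n = name.rstrip(".").lower()
    return any(n == d or n.endswith("." + d)
               for d in (x.rstrip(".").lower() for x in domains))


def fcrdns(ip: str, ptr_lookup: PtrLookup, a_lookup: ALookup,
           trusted: Tuple[str, ...] = TRUSTED_DOMAINS) -> Tuple[str, Optional[str]]:
    """Classify a source address.  Returns (verdict, ptr_name) with verdict:
      'no-ptr'            no PTR record at all
      'forward-mismatch'  PTR name does not resolve back to ip (spoofed/stale PTR)
      'untrusted-domain'  round trip consistent, but not under a trusted domain
      'confirmed'         PTR exists, resolves back to ip, and is a trusted name
    """
    ip = str(ipaddress.ip_address(ip))  # reject garbage before querying anything
    ptr = ptr_lookup(ip)
    if not ptr:
        return "no-ptr", None
    ptr = ptr.rstrip(".")
    if ip not in a_lookup(ptr):
        return "forward-mismatch", ptr
    if not in_domain(ptr, trusted):
        return "untrusted-domain", ptr
    return "confirmed", ptr


def table_ptr(ip: str) -> Optional[str]:
    return PTR_TABLE.get(ip)


def table_a(name: str) -> List[str]:
    return A_TABLE.get(name, [])


def live_ptr(ip: str) -> Optional[str]:
    """Real PTR lookup; use instead of table_ptr to query actual DNS."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def live_a(name: str) -> List[str]:
    """Real A lookup; use instead of table_a to query actual DNS."""
    try:
        return [ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)]
    except socket.gaierror:
        return []


def classify_offline(ip: str) -> Tuple[str, Optional[str]]:
    """fcrdns() against the constructed tables above."""
    return fcrdns(ip, table_ptr, table_a)


if __name__ == "__main__":
    for src in sorted(PTR_TABLE.keys() | {"198.51.100.5"}):
        verdict, name = classify_offline(src)
        print(f"{src:15} {reverse_name(src):28} {verdict:17} {name or '-'}")
```

Only `confirmed` should be read as "this really is Google's crawler"; a PTR that merely contains the string googlebot.com proves nothing, since the owner of the reverse zone chose it.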
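The ipf ruleset the message recommends (keep state on what we initiate, deny session initiation from the subnet) as an added example; it is not from the original post. It assumes IPFilter syntax, an external interface named fxp0, and that the range in question is 216.239.46.0/24 (the reverse zone queried above is 46.239.216.in-addr.arpa, i.e. that /24); adjust both to taste.

```conf
# /etc/ipf.rules  (added example, not from the original post)
# Assumes external interface fxp0 and crawler range 216.239.46.0/24.
# ipf checks the state table before the rule list, and without "quick" the
# LAST matching rule wins, so every rule here is marked quick.

# Sessions we start toward that network go out, and their replies come back
# in through the state entry rather than through any "pass in" rule.
pass out quick on fxp0 proto tcp from any to 216.239.46.0/24 keep state
pass out quick on fxp0 proto udp from any to 216.239.46.0/24 keep state

# Anything that network initiates toward us (TCP SYNs, UDP, ICMP) is dropped
# and logged; packets belonging to our own sessions never reach this rule.
block in log quick on fxp0 from 216.239.46.0/24 to any
```

Load it with `ipf -Fa -f /etc/ipf.rules`. Because the block rule has no port qualifier it also stops the crawler's HTTP requests on port 80, which is exactly what the message intends; if you only want the log entries to stop, log less rather than pass more.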

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200106292115.OAA06336>