Date:      Sat, 29 Mar 2003 12:07:46 -0500
From:      Louis LeBlanc <leblanc+freebsd@keyslapper.org>
To:        freebsd-questions@freebsd.org
Subject:   Re: Annoying RedAlert.com activity
Message-ID:  <20030329170746.GA76439@keyslapper.org>
In-Reply-To: <3.0.5.32.20030329082518.0142ed68@sage-one.net>
References:  <3.0.5.32.20030329082518.0142ed68@sage-one.net>

On 03/29/03 08:25 AM, Jack L. Stone sat at the `puter and typed:
> This is semi-OT, but is a FBSD firewall question.
> 
> Every day, I see this in the logs:
> 65.194.51.136 - - [29/Mar/2003:00:26:47 -0600] "HEAD / HTTP/1.0" 200 0 "-"
> "RedAlert.com"
> 65.194.51.133 - - [29/Mar/2003:00:26:47 -0600] "HEAD / HTTP/1.0" 200 0 "-"
> "RedAlert.com"
> 65.194.51.131 - - [29/Mar/2003:00:26:49 -0600] "HEAD / HTTP/1.0" 200 0 "-"
> "RedAlert.com"
> 65.194.51.135 - - [29/Mar/2003:00:26:50 -0600] "HEAD / HTTP/1.0" 200 0 "-"
> "RedAlert.com"
> 65.194.51.132 - - [29/Mar/2003:00:26:52 -0600] "HEAD / HTTP/1.0" 200 0 "-"
> "RedAlert.com"
> 65.194.51.134 - - [29/Mar/2003:00:26:55 -0600] "HEAD / HTTP/1.0" 200 0 "-"
> "RedAlert.com"
> 65.194.51.155 - - [29/Mar/2003:00:28:24 -0600] "HEAD / HTTP/1.0" 200 0 "-"
> "RedAlert.com"
> 65.194.51.156 - - [29/Mar/2003:00:29:14 -0600] "HEAD / HTTP/1.0" 200 0 "-"
> "RedAlert.com"
> 65.194.51.137 - - [29/Mar/2003:00:30:45 -0600] "HEAD / HTTP/1.0" 200 0 "-"
> "RedAlert.com"
> 65.194.51.154 - - [29/Mar/2003:00:34:13 -0600] "HEAD / HTTP/1.0" 200 0 "-"
> "RedAlert.com"
> 65.194.51.152 - - [29/Mar/2003:00:34:21 -0600] "HEAD / HTTP/1.0" 200 0 "-"
> "RedAlert.com"
> 65.194.51.151 - - [29/Mar/2003:00:34:50 -0600] "HEAD / HTTP/1.0" 200 0 "-"
> "RedAlert.com"
> 65.194.51.165 - - [29/Mar/2003:00:34:52 -0600] "HEAD / HTTP/1.0" 200 0 "-"
> "RedAlert.com"
> 
> Question:
> At the "redalert.com" web site, they claim to be a server monitoring
> service, but I've never signed up for the service and don't want this daily
> waste of BW that appears on all of my web servers. It is annoying and I
> would like to block their network via the firewall.
> 
> Based on the above, what would be the best choice of how to block the network:
> 65.194.51.?/?
> 
> Thanks for any suggestions....

I'd start with any of the 'contact us' links that are probably all
over their website.  You never know, they may have inadvertently
started monitoring your websites, or your upstream provider might have
signed themselves or you up.  If it has something to do with your
upstream provider, bring up the added bandwidth issue, and ask how
that affects your monthly bill.  I'm sure someone can simply stop
these hits at the source.

Failing that, look up the IP block and just block that range:
$ whois -h whois.arin.net 65.194.51.165  
UUNET Technologies, Inc. UUNET65 (NET-65-192-0-0-1)
                                  65.192.0.0 - 65.223.255.255
Keynotes systems UU-65-194-51 (NET-65-194-51-0-1)
                                  65.194.51.0 - 65.194.51.255

This is a pretty broad range, so you might want to start with a range
you know redalert uses (.131-.165), then just expand it as you get new
messages.

HTH
Lou
-- 
Louis LeBlanc               leblanc@keyslapper.org
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org                     ԿԬ

Many a writer seems to think he is never profound except when he can't
understand his own meaning.
    -- George D. Prentice
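
Added example (not part of the original message): one way to turn the logged hits into candidate block ranges, comparing an exact cover of the observed .131-.165 span with the smallest single CIDR that contains it. The log lines are a few of those quoted above, re-joined onto one line each, plus one constructed line; the function names are hypothetical.

```python
import ipaddress
import re

# Four log lines from the quoted message (User-Agent re-joined onto the same line)
# plus one constructed line with a different User-Agent to exercise the filter.
SAMPLE_LOG = """\
65.194.51.136 - - [29/Mar/2003:00:26:47 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
65.194.51.131 - - [29/Mar/2003:00:26:49 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
65.194.51.155 - - [29/Mar/2003:00:28:24 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
65.194.51.165 - - [29/Mar/2003:00:34:52 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
192.0.2.10 - - [29/Mar/2003:00:35:01 -0600] "GET / HTTP/1.0" 200 512 "-" "Mozilla/4.0"
"""

# Combined log format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')

def sources_for_agent(log_text, agent):
    """Return the sorted unique client addresses whose User-Agent equals `agent`."""
    found = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(2) == agent:
            found.add(ipaddress.ip_address(m.group(1)))
    return sorted(found)

def exact_cover(addrs):
    """CIDR blocks covering exactly the lowest..highest observed address."""
    return list(ipaddress.summarize_address_range(addrs[0], addrs[-1]))

def single_cover(addrs):
    """Smallest single CIDR block containing every observed address."""
    net = ipaddress.ip_network(str(addrs[0]))
    while addrs[-1] not in net:
        net = net.supernet()
    return net

if __name__ == "__main__":
    seen = sources_for_agent(SAMPLE_LOG, "RedAlert.com")
    print("observed:", ", ".join(str(a) for a in seen))
    print("exact cover:", ", ".join(str(n) for n in exact_cover(seen)))
    print("single block:", single_cover(seen))
```

The exact cover needs six rules for the 35 addresses in the span, while the single block is one rule that also drops 29 addresses that have not been seen in the log; both stay inside the 65.194.51.0 - 65.194.51.255 allocation shown in the whois output.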


