There is some idiot out there running a bot/attack protocol using a referring URL that always ends with ‘.eu.tt’.
Turns out that there was more than one IP involved. IPTABLES took care of them.
/sbin/iptables -A INPUT -s 126.96.36.199 -j DROP
/sbin/iptables -A INPUT -s 188.8.131.52 -j DROP
/sbin/iptables -A INPUT -s 184.108.40.206 -j DROP
/sbin/iptables -A INPUT -s 220.127.116.11 -j DROP
/sbin/iptables -A INPUT -s 18.104.22.168 -j DROP
Please use DROP. This stalls the buggers, as they get stuck in an endless trap of trying to open a TCP connection with your server.
Does anyone know of a server that has an open DROP rule for Port 80? This would be a useful online tool for folks who can re-direct annoying traffic through server configs, but who can’t control the firewall or IPTABLES.
Simple set-up. Get a domain, register it. Get a DNS record saying that www.foobar.com is the machine's IP address. Then use IPTABLES to DROP all Port 80 inbound traffic. Publish the URL. Watch the fun!
What's the fun? Well, once you publish the address and explain that anyone can use targeted redirections to send unwanted traffic to this place of lost TCP connections, annoying bots get stuck there.
It’s a simple IPTABLES rule. For my machine, it would be:
/sbin/iptables -A INPUT -p tcp -i eth0 -s 0/0 --dport 80 -j DROP
Which, in IPTABLES speak, means "Any [-s 0/0] inbound traffic on network interface eth0 [-i eth0], headed for TCP port 80 [--dport 80], should be quietly dropped [-j DROP]".
Please do not try this on a production server! All of your HTTP traffic will disappear! However, you could rewrite it slightly and still keep port 80 for standard HTTP, for example to serve statistics on the distinct IPs stuck in your flypaper.
Change ‘http://www.foobar.com/’ to ‘http://www.foobar.com:9080/’ and adjust the IPTABLES rule accordingly.
/sbin/iptables -A INPUT -p tcp -i eth0 -s 0/0 --dport 9080 -j DROP
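As an added example (not from the original post): the port-9080 rule with a LOG step in front of the DROP, plus a small shell tally of distinct trapped sources, which is what the statistics idea above needs. The chain name FLYPAPER, the log prefix, the rate limit and the sample log lines are my own constructions, not anything the post specifies.

```shell
#!/bin/sh
# Added example, not the original post's code. Prints the rules rather than
# applying them; run the printed lines as root on a test box, not production.
# Chain name FLYPAPER and the "FLYPAPER: " log prefix are assumptions.
flypaper_rules() {
    cat <<'EOF'
/sbin/iptables -N FLYPAPER
/sbin/iptables -A FLYPAPER -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "FLYPAPER: " --log-level 4
/sbin/iptables -A FLYPAPER -j DROP
/sbin/iptables -A INPUT -p tcp -i eth0 -s 0/0 --dport 9080 -j FLYPAPER
EOF
}

# Tally distinct source addresses from kernel log lines carrying our prefix.
# Reads log text on stdin (e.g. `journalctl -k` or /var/log/kern.log) and
# prints "count ip" per address, most frequent first.
flypaper_stats() {
    grep 'FLYPAPER: ' \
      | sed -n 's/.*SRC=\([0-9.]*\) .*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# Constructed sample log lines in the shape of iptables LOG output
# (documentation-range addresses, made-up packet fields).
SAMPLE_LOG='Jan 1 00:00:01 host kernel: FLYPAPER: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51234 DPT=9080 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 1 00:00:02 host kernel: FLYPAPER: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=51234 DPT=9080 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 1 00:00:03 host kernel: FLYPAPER: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=3 DF PROTO=TCP SPT=40001 DPT=9080 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 1 00:00:04 host sshd[123]: unrelated line that must be ignored'

# Number of distinct trapped sources in the sample (2 here).
distinct_sources() {
    printf '%s\n' "$SAMPLE_LOG" | flypaper_stats | wc -l | tr -d ' '
}

# Usage: flypaper_rules; printf '%s\n' "$SAMPLE_LOG" | flypaper_stats
```

The `-m limit` on the LOG rule keeps a busy bot from filling the kernel log; the DROP behind it is unconditional, so the rate limit affects only logging, not trapping.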
Ok, my rant is done. Have fun, and use these tools wisely.