Monday, May 08, 2006

First sighting of predicted next evolution in bots.

Remember a while back when I predicted that bots would evolve to use random IPs and random user-agent strings? It's already happening. Good thing I had already planned for this contingency and was ahead of the curve, waiting for them when they tried this trick.

Not 100% positive, but it looks like it all kind of started with this very prolific bot called T8Abot/v0.0.7-beta (3724461@gmail.com), which seems to get around.

The most I can find about it without wasting too much time is this reference:

unknown bot, hosted by FDC Servers, fdcservers.net, US. Massive operation using many IP addresses (66.90.110.199 ... 66.90.110.254)
That bot seems to have gone away, or at least it doesn't visit my site anymore; maybe they noticed it was being blocked by user-agent string.

However, it didn't really go away: they changed their tactics, and I'm now seeing the following (small sample) from the same IPs:
06:44:13 66.90.95.225 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
06:44:32 66.90.95.249 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; InfoPath.1)"
06:45:44 66.90.95.243 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
06:45:49 66.90.95.249 "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1"
06:45:53 66.90.95.249 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
06:45:54 66.90.103.69 "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1"
06:45:59 66.90.95.225 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Opera 7.54 [en]"
06:46:07 66.90.95.245 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; InfoPath.1)"
06:46:10 66.90.95.245 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; InfoPath.1)"
06:46:19 66.90.103.69 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Media Center PC 3.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
06:46:27 66.90.95.245 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50"
06:46:28 66.90.95.243 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
06:46:37 66.90.95.245 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; InfoPath.1)"
06:46:39 66.90.103.69 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
06:46:40 66.90.95.216 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
06:46:41 66.90.95.211 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ru) Opera 7.60"
06:46:43 66.90.95.211 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Opera 7.54 [en]"

Lots of requests per minute are coming from a dedicated hosting operation (it doesn't appear to be dial-up or broadband), and the same IPs used to claim to be T8Abot. I think they unleashed this random IP/random user-agent trick expecting it to fly under my radar.

Too fucking bad: I built a better mousetrap, and you STILL got caught. Try again.

I would block everything in the fdcservers.net range: 66.90.64.0 - 66.90.127.255

The important thing about this particular exercise is that my long-term profiling strategy is paying off through extended profiling of bad neighborhoods. Once IPs start to set off a few traps, it becomes obvious where the problem children are, as they unwittingly expose themselves.
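As an added example (not the author's own trap code), here is a small Python script that applies the neighborhood profiling described above to log lines in the format of the sample: it groups hits by /24, counts distinct IPs and user-agent strings per block inside a short window, and notes whether the block falls in the fdcservers.net range quoted in the post. The thresholds (3 IPs, 3 user agents, 300-second window) and the 192.0.2.10 control line are my assumptions.

```python
import ipaddress
import re
from collections import defaultdict
# Lines in the post's "HH:MM:SS IP "User-Agent"" layout. The 66.90.x.x lines are
# copied from the sample above; the 192.0.2.10 line is a constructed control.
SAMPLE_LOG = """\
06:44:13 66.90.95.225 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
06:44:32 66.90.95.249 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; InfoPath.1)"
06:45:44 66.90.95.243 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
06:45:49 66.90.95.249 "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1"
06:45:54 66.90.103.69 "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1"
06:45:59 66.90.95.225 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Opera 7.54 [en]"
06:46:41 66.90.95.211 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ru) Opera 7.60"
06:46:50 192.0.2.10 "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1"
"""
LINE_RE = re.compile(r'^(\d\d):(\d\d):(\d\d) (\S+) "([^"]*)"$')
# The fdcservers.net block quoted in the post: 66.90.64.0 - 66.90.127.255.
HOSTING_RANGES = [ipaddress.ip_network("66.90.64.0/18")]

def parse_log(text):
    """Yield (seconds since midnight, ip, user_agent) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not follow the expected layout
        h, mi, s, ip, ua = m.groups()
        yield int(h) * 3600 + int(mi) * 60 + int(s), ipaddress.ip_address(ip), ua

def profile_neighborhoods(text):
    """Aggregate hits per /24 so a client that rotates addresses collapses into one profile."""
    nets = defaultdict(lambda: {"hits": 0, "ips": set(), "uas": set(),
                                "first": None, "last": None, "hosted": False})
    for ts, ip, ua in parse_log(text):
        p = nets[str(ipaddress.ip_network(f"{ip}/24", strict=False))]
        p["hits"] += 1
        p["ips"].add(str(ip))
        p["uas"].add(ua)
        p["first"] = ts if p["first"] is None else min(p["first"], ts)
        p["last"] = ts if p["last"] is None else max(p["last"], ts)
        p["hosted"] = p["hosted"] or any(ip in r for r in HOSTING_RANGES)
    return nets

def flag_neighborhoods(text, min_ips=3, min_uas=3, max_window=300):
    """Return /24s that rotate both IPs and user agents inside a short window."""
    flagged = {}
    for net, p in profile_neighborhoods(text).items():
        rotating = len(p["ips"]) >= min_ips and len(p["uas"]) >= min_uas
        if rotating and p["last"] - p["first"] <= max_window:
            flagged[net] = {"ips": len(p["ips"]), "uas": len(p["uas"]), "hosted": p["hosted"]}
    return flagged
```

On the sample, only 66.90.95.0/24 is flagged (4 addresses, 6 user agents in under three minutes, inside the hosting range); the single 66.90.103.69 hit and the control line are not, which is why aggregating by block rather than by address is what makes the rotation visible.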
