Author |
Message |
magnum
Client

Joined: Jun 23, 2006
Posts: 83
|
Posted:
Sat Nov 11, 2006 2:40 am |
|
My site seems to be getting hit by this IP and another MSN one. I'm pretty new at this and would like to know if this can be stopped, or is Sentinel stopping it? Not sure, that's why I'm asking what to do.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Magnum>tracert 74.6.67.168
Tracing route to lj612194.inktomisearch.com [74.6.67.168]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 192.168.2.1
2 9 ms 9 ms 8 ms 10.99.64.1
3 10 ms 11 ms 9 ms pos0-2.oahuhiwaip-gsr1.hawaii.rr.com [24.25.225.153]
4 9 ms 7 ms 8 ms srp5-0.oahuhimili-gsr1.hawaii.rr.com [24.25.224.65]
5 9 ms 9 ms 9 ms pop1-hon-P2-1.atdn.net [66.185.137.61]
6 9 ms 9 ms 10 ms bb1-hon-P0-0.atdn.net [66.185.137.48]
7 86 ms 85 ms 86 ms bb1-sjg-P4-1.atdn.net [66.185.152.21]
8 86 ms 86 ms 86 ms pop2-sjg-P0-0.atdn.net [66.185.150.97]
9 82 ms 76 ms 75 ms Teleglobe.atdn.net [66.185.150.106]
10 77 ms 77 ms 78 ms if-7-0.core2.PDI-PaloAlto.Teleglobe.net [64.86.84.133]
11 77 ms 77 ms 78 ms if-1-0.mcore4.PDI-PaloAlto.teleglobe.net [216.6.86.5]
12 153 ms 152 ms 154 ms if-4-0.mcore4.NQT-NewYork.teleglobe.net [216.6.86.14]
13 154 ms 153 ms 153 ms if-5-0.mcore3.NYY-NewYork.teleglobe.net [216.6.87.54]
14 141 ms 141 ms 143 ms if-6-0-0.core4.AEQ-Ashburn.teleglobe.net [216.6.81.14]
15 147 ms 144 ms 142 ms 64.86.85.34
16 144 ms 153 ms 153 ms ge-1-0-0-p406.msr1.ac2.yahoo.com [216.115.96.211]
17 158 ms 145 ms 156 ms g-10-0.bas-b2.ac2.yahoo.com [72.30.64.54]
18 144 ms 143 ms 147 ms lj612194.inktomisearch.com [74.6.67.168]
Trace complete.
C:\Documents and Settings\Magnum>
Another one hit my site and there was at one time 454 visitors showing. Now I know there weren't that many people visiting. |
_________________ Nukes real friend is a big cup of Java with a valium stirred in. www.islandtitanz.org |
|
|
 |
jakec
Site Admin

Joined: Feb 06, 2006
Posts: 3048
Location: United Kingdom
|
Posted:
Sat Nov 11, 2006 3:26 am |
|
Well Inktomi is a bot used by Yahoo to crawl pages, so I don't think you are being attacked.
Is Sentinel sending you an email telling you that the IP is being banned?
If the bot isn't causing your site any problems then I would leave it as it is. |
|
|
|
 |
Guardian2003
Site Admin

Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam
|
Posted:
Sat Nov 11, 2006 4:42 am |
|
Looks like a typical Slurp bot (inktomi).
This thing can be an absolute menace despite it being robots.txt friendly.
You can use this in htaccess to stop him dead in his tracks
Code:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} Slurp
RewriteRule ^.*$ X.html [L]
</IfModule>
|
Or if you prefer Yahoo to crawl your site but a little less vigorously, you can use this in robots.txt
Code:
User-agent: Slurp
Crawl-delay: 20
|
Some of your other hits do look like an attack - possibly looking for XSS vulnerabilities. |
|
|
|
 |
Guardian2003

|
Posted:
Sat Nov 11, 2006 4:43 am |
|
Make sure your Sentinel Harvest blocker and Script blocker are turned on |
|
|
|
 |
magnum

|
Posted:
Sat Nov 11, 2006 10:47 am |
|
jakec wrote: | Well Inktomi is a bot used by Yahoo to crawl pages, so I don't think you are being attacked.
Is Sentinel sending you an email telling you that the IP is being banned?
If the bot isn't causing your site any problems then I would leave it as it is. |
Yes, I'm getting tons of these:
Date & Time: 2006-11-10 23:11:22 EST GMT -0500
Blocked IP: 65.55.212.21
User ID: Anonymous (1)
Reason: Abuse-Flood
--------------------
User Agent: msnbot-media/1.0 (+http://search.msn.com/msnbot.htm)
Query String: www.islandtitanz.org/modules.php?name=Forums
Get String: www.islandtitanz.org/modules.php?name=Forums
Post String: www.islandtitanz.org/modules.php
Forwarded For: none
Client IP: none
Remote Address: 65.55.212.21
Remote Port: 21449
Request Method: GET
--------------------
|
|
|
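The names "Slurp" and "msnbot" in a User-Agent header are supplied by the client, so the usual way to confirm that an address really belongs to the search engine is forward-confirmed reverse DNS, sketched below as an added example that is not part of the original thread or of NukeSentinel. The domain suffixes, the function names and the sample DNS tables are assumptions or constructed data, as marked in the comments.

```python
import socket

# Reverse-DNS suffixes per User-Agent token (assumptions to re-check against
# each search engine's documentation): inktomisearch.com is what the tracert
# in this thread resolved to; search.msn.com is from the msnbot User-Agent URL.
CRAWLER_DOMAINS = {
    "slurp": (".inktomisearch.com",),
    "msnbot": (".search.msn.com",),
}

def lookup_ptr(ip):
    # Reverse lookup: IP -> hostname, or None when there is no PTR record.
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def lookup_a(host):
    # Forward lookup: hostname -> set of IPv4 addresses.
    try:
        return set(socket.gethostbyname_ex(host)[2])
    except OSError:
        return set()

def classify(ip, user_agent, ptr=lookup_ptr, a=lookup_a):
    """Return 'verified', 'spoofed' or 'not-a-known-crawler' for one request."""
    ua = user_agent.lower()
    for token, suffixes in CRAWLER_DOMAINS.items():
        if token in ua:
            host = ptr(ip)
            # The PTR must sit under the crawler's domain AND resolve back to
            # the same IP; a PTR alone is set by whoever controls the IP block.
            ok = (bool(host) and host.lower().rstrip(".").endswith(suffixes)
                  and ip in a(host))
            return "verified" if ok else "spoofed"
    return "not-a-known-crawler"

# Constructed DNS tables so the example runs offline. Only the first PTR entry
# is taken from the thread; the 203.0.113.x and 198.51.100.x rows are made up.
SAMPLE_PTR = {
    "74.6.67.168": "lj612194.inktomisearch.com",
    "203.0.113.7": "host7.example.net",
    "203.0.113.9": "crawl9.inktomisearch.com",  # PTR that fails forward check
}
SAMPLE_A = {"lj612194.inktomisearch.com": {"74.6.67.168"},
            "crawl9.inktomisearch.com": {"198.51.100.1"}}
SLURP_UA = "Mozilla/5.0 (compatible; Yahoo! Slurp)"  # constructed User-Agent

def check(ip, ua=SLURP_UA):
    return classify(ip, ua, SAMPLE_PTR.get, lambda h: SAMPLE_A.get(h, set()))
```

Calling `classify(ip, user_agent)` without the last two arguments uses live DNS instead of the sample tables.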
 |
magnum

|
Posted:
Sat Nov 11, 2006 10:51 am |
|
How do I protect against this XSS? |
|
|
|
 |
jakec

|
Posted:
Sat Nov 11, 2006 11:22 am |
|
What version of Sentinel are you using? I would check the settings in Sentinel for the flood protection. In theory bots shouldn't be triggering Sentinel, but it seems to be happening a lot recently.
Try adding a crawl delay like Guardian suggested. You can use something like:
User-agent: *
Crawl-delay: 20
and this will apply the same rule to all bots that obey the robots.txt file. |
|
|
|
 |
Guardian2003

|
Posted:
Sat Nov 11, 2006 11:23 am |
|
Let us be clear - the inktomi/Slurp bot is not trying to conduct an XSS (cross site scripting attack), it is simply coming too fast for whatever setting you have specified in Flood blocker.
So as jakec stated, it's not an attack as such.
Now, some of the *other* IP/domains you listed do look familiar which is why in my post I said that those could be looking for vulnerabilities and I asked you to make sure the Harvest and Script blockers are turned on.
If you need help finding the settings for those in Sentinel then I'll be happy to assist - they need to be set to "email,ban,default page" or if you do not want an email every time one gets banned, set them to "default page,ban". |
|
|
|
 |
magnum

|
Posted:
Sat Nov 11, 2006 11:42 am |
|
Yes, I did turn on the harvest and script blocker and it seems to have stopped this morning, and I've added the user agent to the robots.txt. Sentinel version is NukeSentinel(tm) 2.4.2pl5. Is there a thread that says what all the settings in Sentinel should be set to? BTW, thanks for all your help, everyone. |
|
|
|
 |
jakec

|
Posted:
Sat Nov 11, 2006 11:45 am |
|
I would definitely upgrade your Sentinel to the latest version.
The default settings are usually OK. |
|
|
|
 |
magnum

|
Posted:
Sat Nov 11, 2006 12:29 pm |
|
I don't see the upgrade patch for Sentinel from 2.4.2pl5 to the newest in the d/l? |
|
|
|
 |
evaders99
Former Moderator in Good Standing

Joined: Apr 30, 2004
Posts: 3221
|
Posted:
Sat Nov 11, 2006 1:30 pm |
|
Given so many changes, you will just need to download the full 2.5.03 package |
|
|
 |
magnum

|
Posted:
Sat Nov 11, 2006 5:17 pm |
|
Hmm, I don't see 2.5.03 in the downloads, only 2.5.1 |
|
|
|
 |
jakec

|
Posted:
Sat Nov 11, 2006 5:23 pm |
|
|
|
 |
magnum

|
Posted:
Sun Nov 12, 2006 2:26 pm |
|
Thanks for the link, jakec |
|
|
|
 |
|