Thursday, February 19, 2009
It appears that after the latest attempt to drop the spammers' connections at the IP level, traffic has come back down to a normal level.
To read about the issue and the resolution, follow these links:
Graph showing traffic returning to normal:
Tuesday, February 17, 2009
After disabling the proxy on my server, I still saw traffic on my server being high (my monthly quota might not be exceeded at this rate, but it takes up 50% of my bandwidth). Looking at the access log, it appears that the requests haven't stopped, even though they are getting a 403 error. So the requests coming to the server, plus the 403 responses, by themselves add up to a few GB worth of data every day. So I decided to block these requests at the IP level rather than at the proxy level. First I needed to get all the unique IP addresses that need to be blocked. That was easy, considering my log format:
22.214.171.124 - - [17/Feb/2009:05:08:48 -0700] "GET http://ad.yieldmanager.com/imp?z=10&s=425858&u=http%3A%2F%2Fwww.popflashgames.com%2Findex.html HTTP/1.0" 403 388 "http://www.popflashgames.com/index.html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0"
So I needed to get all the 403 lines (access errors), take the IP (the first field in the log) and get the unique values of those IPs. A simple Unix pipeline (grep, cut, sort, uniq) can generate that (output redirected to a tmp file):
grep ' 403 ' myserver.access_log | cut -d' ' -f1 | sort -u > /tmp/block.txt
Now that I have all the IPs that need to be blocked, I wrote a simple script to block every IP in the tmp file (using iptables -A INPUT -s IPAddress -j DROP). Here is the script:
# Drop all the spammers
# Read the IP list, skipping comment lines and blank lines
SPAMIPS=$(grep -Ev "^#|^$" /tmp/block.txt)
for spamip in $SPAMIPS
do
  iptables -A INPUT -s "$spamip" -j DROP
done
To view all the blocked IPs, use the command:
iptables -L -n
Posted by Kumar at 7:46 PM
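The same procedure (403 lines to unique IPs to iptables DROP rules), as an added example that is not part of the original post. The access-log lines are constructed samples, and the rules are only printed unless DRY_RUN=0 is set, since applying them needs root. Unlike a plain grep for ' 403 ', which also matches a line whose response size happens to be 403 bytes, it keys on the status field (field 9 of a combined-format line), so the 404 line in the sample is correctly ignored.

```shell
#!/bin/sh
# Added example (not from the original post): pull the unique client IPs whose
# requests were refused with HTTP 403 out of a combined-format access log and
# emit one "iptables -A INPUT -s <ip> -j DROP" rule per IP.
# The log lines are constructed samples. The rules are only printed unless
# DRY_RUN=0 is set in the environment (applying them requires root).

SAMPLE_LOG='203.0.113.10 - - [17/Feb/2009:05:08:48 -0700] "GET http://ad.example.com/imp?z=1 HTTP/1.0" 403 388 "http://www.example.com/" "Mozilla/5.0"
203.0.113.10 - - [17/Feb/2009:05:08:49 -0700] "GET http://ad.example.com/imp?z=2 HTTP/1.0" 403 388 "http://www.example.com/" "Mozilla/5.0"
198.51.100.7 - - [17/Feb/2009:05:08:50 -0700] "GET /index.html HTTP/1.1" 200 1403 "-" "Mozilla/5.0"
203.0.113.22 - - [17/Feb/2009:05:08:51 -0700] "GET http://ad.example.com/imp?z=3 HTTP/1.0" 403 388 "-" "curl/7.19"
198.51.100.7 - - [17/Feb/2009:05:08:52 -0700] "GET /missing HTTP/1.1" 404 403 "-" "Mozilla/5.0"'

# Unique IPs (field 1) of requests whose status (field 9) is 403.
# A plain "grep ' 403 '" would also match the last sample line, where 403 is
# the response size rather than the status code.
blocked_ips() {
  awk '$9 == "403" { print $1 }' "$1" | sort -u
}

# One DROP rule per IP, ready for review or for piping into "sh" as root.
emit_rules() {
  blocked_ips "$1" | while read -r ip; do
    printf 'iptables -A INPUT -s %s -j DROP\n' "$ip"
  done
}

LOGFILE=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$LOGFILE"

if [ "${DRY_RUN:-1}" = "0" ]; then
  emit_rules "$LOGFILE" | sh        # apply the rules (requires root)
else
  emit_rules "$LOGFILE"             # just show what would be applied
fi
```

Run it as-is to review the rules; run it with DRY_RUN=0 as root to apply them. Point LOGFILE at the real access log instead of the constructed sample for production use.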
Monday, February 16, 2009
Noticed something funny on my personal web server. I was testing some proxy settings and left the proxy setting on when done. This morning, when I tried to access my server, it was unreachable. Checking the logs, there seem to be far too many requests proxying through my web server. All the IPs seem to originate from China and the destination seems to be an ad server:
126.96.36.199 - - [16/Feb/2009:12:07:27 -0700] "GET http://ad.spot200.com/imp?Z=728x90&s=533945&_salt=1697293642&B=12&m=2&u=http%3A%2F%2Fgifttiems.com%2F&r=1 HTTP/1.0" 302 - "http://ad.spot200.com/st?ad_type=iframe&ad_size=728x90&section=533945" "Mozilla/3.01 (compatible;)"
188.8.131.52 - - [16/Feb/2009:12:07:27 -0700] "GET http://tag.contextweb.com/TAGPUBLISH/getad.aspx?tagver=1&if=0&ca=VIEWAD&cp=512141&ct=47581&cf=300X250&cn=1&cr=200&cw=300&ch=250&cads=0&cwu=http%3A%2F%2Fgoautoshop.com&mrnd=688840 HTTP/1.1" 200 438 "http://goautoshop.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
184.108.40.206 - - [16/Feb/2009:12:07:27 -0700] "GET http://ad.yieldmanager.com/imp?z=0&Z=0x0&s=494075&y=30 HTTP/1.1" 302 - "http%3A%2F%2Fwww.excellenceflash.com%2Findex.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)"
220.127.116.11 - - [16/Feb/2009:12:07:28 -0700] "GET http://ad.yieldmanager.com/imp?z=0&Z=0x0&s=564462&y=30 HTTP/1.1" 302 - "http%3A%2F%2Fwww.flash-animation.net%2Findex.html" "Mozilla/4.0 (compatible; MSIE 4.5; Mac_PowerPC)"
Not sure what these requests are, but it seems like someone is trying to bump up their ad revenue. Immediately disabled the proxy on my machine.
Lesson learned: never forget to turn off proxy settings in Apache.
Posted by Kumar at 11:22 AM
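Two checks for the situation described in this post, as an added example that is not part of the original post: the first counts, per client IP, the access-log requests whose target is an absolute URL ("GET http://host/..." rather than "GET /path"), which is what a forward-proxy request looks like in a combined-format log; the second flags ProxyRequests On in the httpd configuration, the mod_proxy directive that turns Apache into a forward proxy. The log lines and the configuration fragment are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): detect an Apache server that is
# being used as an open forward proxy.
#  1. proxy_clients: per-IP count of requests whose target (field 7 of a
#     combined-format line) is an absolute URL, i.e. a forward-proxy request.
#  2. forward_proxy_enabled: true when the config contains "ProxyRequests On".
# The log lines and the httpd.conf fragment below are constructed samples.

SAMPLE_LOG='198.51.100.7 - - [16/Feb/2009:12:07:27 -0700] "GET /index.html HTTP/1.1" 200 1403 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Feb/2009:12:07:27 -0700] "GET http://ad.example.net/imp?s=1 HTTP/1.0" 302 - "http://ad.example.net/" "Mozilla/3.01 (compatible;)"
203.0.113.5 - - [16/Feb/2009:12:07:28 -0700] "GET http://ad.example.net/imp?s=2 HTTP/1.0" 302 - "http://ad.example.net/" "Mozilla/3.01 (compatible;)"
203.0.113.9 - - [16/Feb/2009:12:07:28 -0700] "GET http://tag.example.org/getad.aspx?x=1 HTTP/1.1" 200 438 "http://example.org" "Mozilla/4.0"'

SAMPLE_CONF='# constructed httpd.conf fragment with the dangerous setting
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
ProxyRequests On
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>'

# Print "count ip" for each client that sent proxy-style (absolute-URL)
# requests, most active client first.
proxy_clients() {
  awk '$7 ~ /^https?:\/\// { print $1 }' "$1" \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Exit status 0 when the configuration enables forward proxying, 1 otherwise.
forward_proxy_enabled() {
  grep -Eiq '^[[:space:]]*ProxyRequests[[:space:]]+On' "$1"
}

LOGFILE=$(mktemp)
CONFFILE=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$LOGFILE"
printf '%s\n' "$SAMPLE_CONF" > "$CONFFILE"

echo "Clients issuing forward-proxy requests (count ip):"
proxy_clients "$LOGFILE"
if forward_proxy_enabled "$CONFFILE"; then
  echo "WARNING: ProxyRequests On found; set it to Off unless a forward proxy is intended"
fi
```

On a real server, point LOGFILE and CONFFILE at the live access log and httpd.conf. Reverse proxying with ProxyPass does not need ProxyRequests On, so a web server that only fronts its own backends should always have it Off.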