HRWiki talk:ProxyBlocks

From Homestar Runner Wiki

Contents 1 FAQ 2 Proxy Listing 3 Different format 4 Alternate Whois Sources 5 IP's resulting in multiple ranges 6 Early returns 7 Most of them are done 8 Proxys for dumbies 9 Contacting the Proxy Managers 10 Netmask calculator 11 Another weird result 12 It's over! Or is it?

[edit] FAQ

• You may get an error on the Whois page if you try to do too many in one day. You do earn a trophy full of Steak-umms for doing such hard work, though.
• You may find two or more IPs that fall in the same range. Just put in the data like normal, and we'll cull out the duplicates later.
• Some of the Whois pages contain more info than others. Look for inetnum or NetRange or something similar.
• Some of the Whois pages already have listed the netmask. Look for CIDR.
  • These two instances are generally only found on the longer pages. Most pages, however, only supply the low and the high, and are therefore very short in length.
• If you get stuck, perhaps someone on the IRC channel is around to help.

[edit] Proxy Listing

Hi Dot com, I have a question: I was doing the very first node and the netmask returned:

netmask 12.173.164.0-12.173.164.255
12.173.164.0/255.255.255.0	12.173.164.0/0.0.0.255	12.173.164.0/ 24

I had to double check, but I indeed typed in the correct range. When following the example, the IP range without the netmask makes no sense. With the netmask it makes a little bit more sense but it still makes no sense. So... a) is this correct? b) do you guys need the netmask? c) if this affects other wiki's are there other groups doing the same thing? Are they "inter-collaborating"? --Stux 03:58, 16 November 2005 (UTC)

What doesn't make sense about it? Looks fine to me. The netmask is unnecessary, as it's implied by the /24. --Jay (Talk) 04:00, 16 November 2005 (UTC)

Maybe my terminology was incorrect, but the part we need is 12.173.164.0/ 24, with the slash and the two-digit number. — It's dot com 04:04, 16 November 2005 (UTC)

Edit Conflict Yeah but the range is from 12.173.164.0-12.173.164.0 implying one IP address? I am not too familiar with the last two notations: 12.173.164.0/0.0.0.255 and 12.173.164.0/ 24 and I wanna make sure i'm not missing anything. --Stux 04:05, 16 November 2005 (UTC)

I'm not totally sure what the first two numbers and masks mean, but what we're looking for is the last one, the one bolded above. — It's dot com 04:07, 16 November 2005 (UTC)

The mask is supposed to be a logical AND of the binary representation of the numbers, the first will return only the first 3 numbers, and the second only the 4th number. --Stux 04:09, 16 November 2005 (UTC)

Edit Conflict See Lapper seems to be getting different numbers: 12.173.164.0 || 12.173.164.255 is what he's (what seems to me correctly) reporting. --Stux 04:08, 16 November 2005 (UTC)

Also edit conflict'd The mask stuff (255.255.255.0, etc.) isn't important here. The actual range is the part where it says "12.173.164.0-12.173.164.255". What the /24 terminology means is that 24 bits remain the same in all addresses in the range. Each part of an IP address has eight bits, so this means that the first three parts will be the same for all addresses. The last eight bits (the entire fourth part) can be anything - but no part in an IP address can be larger than 255 (the largest number possible with eight bits.) If it was, say, /25 (and the fourth part was still zero) then only 7 bits could change, so the range would be 12.173.164.0-12.173.164.127, for instance. (This makes a lot more sense if you've taken several years of computer science, lemme tell ya.) --Jay (Talk) 04:11, 16 November 2005 (UTC)

Makes perfect sense, but again if you notice, the netmask calculator isn't giving me a 0-255 range it's giving me a 0-0 range. That's what I want to clarify. --Stux 04:14, 16 November 2005 (UTC)

What? It sure looks like it did from what you posted above. First line: "netmask 12.173.164.0-12.173.164.255" --Jay (Talk) 04:20, 16 November 2005 (UTC)

No no, "netmask 12.173.164.0-12.173.164.255" was the input shown on the top of the page, the output produced was the line just below it. With the 0-0 range. --Stux 04:24, 16 November 2005 (UTC)

Must be a different site. Anyway, the other terminology has a meaning, but it's not really all that important here (the 255.255.255.0 represents the bits that remain constant, and the 0.0.0.255 represents the variable bits.) --Jay (Talk)

No actually i got it from the same site that was provided in the link, it does that for all class C 0-255 thingy's. --Stux 04:35, 16 November 2005 (UTC)

[edit] Different format

Hey what about these... which number do you want? I am assuming that the range you want is 61.197.218.176 - 61.197.218.183.--Stux 04:12, 16 November 2005 (UTC)

Yes, that's right. — It's dot com 04:14, 16 November 2005 (UTC)

Cool thanks! --Stux 04:16, 16 November 2005 (UTC)

And, BTW, the proper notation for the range would be 61.197.218.176/29, if I did my math correctly (I seem to have misplaced my calculator...) --Jay (Talk) 04:18, 16 November 2005 (UTC)

That's what I got! BTW thank you for the explanation above, it made things a lot clearer Jay. --Stux 04:20, 16 November 2005 (UTC)

What about this one? It has a 24-bit range at the top (62.2.202.0 - 62.2.202.255) and lists 62.2.0.0/16 way at the bottom and nothing more. --Stux 04:23, 16 November 2005 (UTC)

The first part (62.2.202.0/24) is the one we need, I think. It's a subdomain of 62.2.0.0/16, but I don't think we need to block the parent domain. --Jay (Talk) 04:24, 16 November 2005 (UTC)

Noted! Sorry I keep pestering you like a little child... this one only seems to list its parent domain 61.232.0.0-61.237.255.255. --Stux 04:27, 16 November 2005 (UTC)

Not all domains are broken up - I think the #1 problem there is that we can't block entire domains with fewer than 16 constant bits in one go IIRC (that is, we can't block 61.232.0.0/13, but we could block each of the 16-bit domains individually... there would only be a few of them. Also, the second one looks like it should be 61.239.255.255, but that's not your fault.) --Jay (Talk) 04:30, 16 November 2005 (UTC)

And we probably won't be blocking anything bigger than /24 (by that I mean not /23 or below). But this is a good starting point. — It's dot com 04:37, 16 November 2005 (UTC)

Edit Conflict So you mean to say that the entry http://whois.sc/61.233.144.118 should have been http://whois.sc/61.239.144.118? --Stux 04:38, 16 November 2005 (UTC)

No, I mean the range should have been 61.232.0.0-61.239.255.255. But, yes, the Whois website is giving the 237 number. Maybe the company got two domains and/or the person who added them made a typo or was too lazy to put both domains separately? I dunno. --Jay (Talk) 04:43, 16 November 2005 (UTC)

Oh I see. So what should I put for the range? I got from that same site, when typing netmask 61.232.0.0-61.239.255.255 as input: 61.232.0.0/255.248.0.0 61.232.0.0/0.7.255.255 61.232.0.0/ 13 which is a pretty big range. (If i'm reading this correctly). --Stux 04:48, 16 November 2005 (UTC)

Just put the /13, and I guess it will all be sorted out later. --Jay (Talk) 04:50, 16 November 2005 (UTC)

Ok, sounds good -- again thanks! --Stux 04:51, 16 November 2005 (UTC)

What about this one? It turns up three ranges. Want me to just use the one that matches the physical location it reports at the top (Tanzania) or go with the one at the bottom? — User:ACupOfCoffee@ 16:18, 16 November 2005 (UTC) Or this one? — User:ACupOfCoffee@ 16:36, 16 November 2005 (UTC)

I'd go with the one that gives the smallest result, 63.109.249.88 - 63.109.249.95 — It's dot com 16:39, 16 November 2005 (UTC)

[edit] Alternate Whois Sources

I just got the following message from whois.sc:

To see the Whois Record for '''62.150.25.108''' you will need to sign-up for a free account.
We restrict how many whois records we give out to anonymous users per day. Sorry for the
precaution but we need to limit wandering robots for the protection of everyone. 

All other subsequent requests were the same. Are there other sites with similar services? Will a UNIX whois command provide the same services? Thanks in advance. --Stux 05:00, 16 November 2005 (UTC)

Oh perfect. — It's dot com

There's http://ws.arin.net/ but I don't think you can use that for decent info on addresses outside North America (can't hurt, though. In fact, I'd like to check some of the weirder addresses we've been getting against it.) --Jay (Talk) 05:03, 16 November 2005 (UTC)

I'm not getting an error. Perhaps it is just for specific anonymous IPs. — It's dot com 05:03, 16 November 2005 (UTC)

Oh, free account ... well if you're brave enough you can register (I went through about 3 sets before I got the message). I'll try ws.arin.net first. --Stux 05:05, 16 November 2005 (UTC)

But be forewarned: if the address isn't North American, you'll get a giant domain instead (for instance, I was double-checking the unusual domain of 221.212.177.97 and if gave me the totally-not-useful 221.0.0.0/8.) --Jay (Talk) 05:07, 16 November 2005 (UTC)

Same here, for the IP 62.142.224.55, i originally got 62.142.0.0/16 from whois (before it closed me down), and the ever so (not) useful 62.0.0.0/8 from arin. Most of these IP's are foreign (which would make sense for the attacker to use), so I think it'll be of little use in this data set. --Stux 05:10, 16 November 2005 (UTC)

Come to think of it, ARIN does (at least some of the time) link you over to the other superdomains' sites, like APNIC. (http://www.apnic.net) Check to see if such a link is given. --Jay (Talk) 05:12, 16 November 2005 (UTC)

APNIC's searches are still too general. For 62.150.25.108, I got 62.0.0.0 - 62.255.255.255 vs. 62.150.0.0/16 from whois.sc. I ended up registering in the end with a "spammable" email addy. That last IP is from Kuwait... who would'a thunk it? --Stux 05:17, 16 November 2005 (UTC)

APNIC probably wouldn't have applied to a Kuwaiti address, that was just an example. --Jay (Talk) 05:20, 16 November 2005 (UTC)

Specifically, that address was a RIPE address. --Jay (Talk) 05:21, 16 November 2005 (UTC)

[edit] IP's resulting in multiple ranges

Hi, given that I've been the one that's started every question in this page, how about I keep up with tradition? Ok, my question is regarding IP's that report more than one range for a given IP. For example, running this one through the mask calculator generates:

62.75.146.0/255.255.254.0	62.75.146.0/0.0.1.255	62.75.146.0/ 23
62.75.148.0/255.255.252.0	62.75.148.0/0.0.3.255	62.75.148.0/ 22
62.75.152.0/255.255.255.0	62.75.152.0/0.0.0.255	62.75.152.0/ 24

At first this was confusing, because of the 0-0 range problem I reported above. All other IP's I'd seen reported only two ranges, this one reported three. I'm pretty sure now that I reported my original ranges wrong, in this one I reported them instead as:

Lower Limit: 62.75.146.0, 62.75.148.0, 62.75.152.0 	
Upper Limit: 62.75.146.255, 62.75.148.255, 62.75.152.255 	 
IP Range: 62.75.146.0/ 23,62.75.148.0/ 22,62.75.152.0/ 24

I want to make sure I reported this correctly. (Or if you wanted the shorter version that would report 62.75.146.0 and 62.75.152.255 as the lower and upper limit respectively. --Stux 05:54, 16 November 2005 (UTC)

Yeah, I actually already tweaked that one. See section 8. We just need the lower and upper limit once, and then all three ranges with the slashes. — It's dot com 05:56, 16 November 2005 (UTC)

Cool thanks! I'm getting the hang of this... I fixed section 7 accordingly. --Stux 06:02, 16 November 2005 (UTC)

Side question: is the upper limit for first entry in section 25? It was taken from the whois information rather than the netmask result. --Stux 06:03, 16 November 2005 (UTC)

Yes, it's right. — It's dot com 06:07, 16 November 2005 (UTC)

Man I have a lot of mistakes I have to go back and fix. --Stux 06:28, 16 November 2005 (UTC)

[edit] Early returns

Early returns are in, and this is shaping up well. Thank you to everyone who is participating in this. We've got a ways to go, but it shouldn't take too long with all the TLC it's getting. Tomorrow or the next day I'll be writing a script that can help confirm the data (it will be designed to make sure the original IP is within the reported lower and upper limit and it will match the netmask against the limits). Okay, I am out of here for today, but, um, but first up is an hour of chanting. — It's dot com 06:26, 16 November 2005 (UTC)

[edit] Most of them are done

...thanks to my 31173 scripting skills, but they need a bit of checking - I spotted a couple where the whois page returned several IP ranges in different places, some of which the IP searched for wasn't in at all... I fixed the ones I saw but I think there's still probably some left. And there's still a few holes where my script didn't recognise the ip range in the result... but hopefully I've sped it up for you guys. --phlip ^T_C 11:49, 16 November 2005 (UTC)

If you're curious, I put the script here. --phlip ^T_C 11:58, 16 November 2005 (UTC)

Actually, I might end up doing a lot of that again... try to get more reliable answers out of it... --phlip ^T_C 12:09, 16 November 2005 (UTC)

OK, I reworked the script, it now asks me if there's two choices, so I know it's picking the right one. I've done page 3, and I'll do the others tomorrow (it's too late for me to do any more tonight). There's still a lot that need to be hand-done - most of that big hole in page 3 is ones where the whois page just gives the netmask, not the ip range, so the script doesn't pick it up. --phlip ^T_C 17:54, 16 November 2005 (UTC)

Good jaerb, Phlip. See you tomorrow. — It's dot com

I did a heap more on page 4, but that's all I'm gonna have the chance to do for a while, I think... I have stuff to do for the next couple of days. --phlip ^T_C 15:39, 17 November 2005 (UTC)

[edit] Proxys for dumbies

I am more than willing to help, but need a little bit more instruction, i read the FAQs, instructions, and this talk page. I went to the whois page for some of the links I don't know what I'm looking for. In the meantime, I will look at some of the ones already done to see if i can backsolve to see what to do, but i want to be sure before i start. I R F 16:54, 16 November 2005 (UTC)

Nevermind, I think I got it I R F 17:45, 16 November 2005 (UTC)

[edit] Contacting the Proxy Managers

You know, going through this i noticed that many of these whois services have an "contact if abuse" email address, would there be any way to put these addresses to good use? Especially since the attacker isn't just targeting out wiki but multiple wiki's concurrently. --Stux 21:38, 18 November 2005 (UTC)

[edit] Netmask calculator

I'm not able to get the netmask calculator to load right now; is anyone else having the same problem? Heimstern Läufer 05:34, 19 November 2005 (UTC)

I'm having the same problem. Hopefully it will clear up soon. — It's dot com 06:06, 19 November 2005 (UTC)

Not that it really matters since it's like oh ... 3:30am in the Eastern Seaboard... but the site's back up again. --Stux 08:26, 19 November 2005 (UTC)

Wow! Activity... I guess I was wrong! That was really quick set you added there Heimstern! It's looking good! As for me, I'm turning in. Good night all! --Stux 08:45, 19 November 2005 (UTC)

Well, I had actually already discovered that it was back up about five minutes before you made your post. Also, because I live in California, it was only a bit past midnight here, so it wasn't all that late for me. Heimstern Läufer 17:10, 19 November 2005 (UTC)

[edit] Another weird result

Any ideas how to do one like this, in which there's just one number with a slash? I think all of them that are left on page 3 are like this. Heimstern Läufer 06:28, 20 November 2005 (UTC)

That CIDR (200.21/16) corresponds to the range 200.21.0.0 - 200.21.255.255. — It's dot com 06:47, 20 November 2005 (UTC)

But how do I figure that out? There's a bunch of them that are like that, and I don't know how to get the ranges for them. Heimstern Läufer 06:49, 20 November 2005 (UTC)

Now that page 5 is done, all the remaining IP ranges are the kind that gives only the CIDR, not the range, and I still don't know how to do those. Therefore, if anyone could help me with that, it would be much appreciated. I can't really do any more work on the project until then. Thanks! Heimstern Läufer 03:41, 21 November 2005 (UTC)

Yeah i was wondering about that too, but I can figure it out given Dot com's description. I'll see if i can give you an idea on how to do those. (you'll need a calculator, or something) --Stux 03:46, 21 November 2005 (UTC)

Ok! it would definitely be too much to do by hand, but I was fortunate enough to find this calculator through some site in german. :) (I do not speak it). you just type in the ip address and slash thingy (# of bits it keeps) and it'll do the rest for you (leave the "moveto" field blank)! Unfortunately there seems to be a bug in that code: it always gives you the second ip in the range as the first, and the next to last ip as the last. For example:

This IP gives the range 200.252.2.128/26. The calculator gives you:

Address:   200.252.2.128         11001000.11111100.00000010.10 000000
Netmask:   255.255.255.192 = 26  11111111.11111111.11111111.11 000000
Wildcard:  0.0.0.63              00000000.00000000.00000000.00 111111
=>
Network:   200.252.2.128/26      11001000.11111100.00000010.10 000000 (Class C)
Broadcast: 200.252.2.191         11001000.11111100.00000010.10 111111
HostMin:   200.252.2.129         11001000.11111100.00000010.10 000001
HostMax:   200.252.2.190         11001000.11111100.00000010.10 111110
Hosts/Net: 62                    

We are looking at the HostMin and HostMax entries. If you look at the far right (the binary represenation of the addresses), the last 6 digits of hostmin end in 000001, and the last 6 digits of hostmax end in 111110. These should end in 000000 and 111111, respectively. This would correspond to the correct ip addresses 200.252.2.128 and 200.252.2.191 respectively. You can always check with the Netmask calculator we've been using by giving it what you think are the correct ranges and it should give you back the original 200.252.2.128/26. If you are off by one, you'll see a wild collection of ranges. You should only be off by one when using this calculator. You can see its correct entry here. Note: you may want to download the program and use it on your machine, since apparently the site seems to not be very reliable (it just went down a min ago).

Happy Huntin'!--Stux 04:07, 21 November 2005 (UTC)

Ok what about the ugly ones... My guess is that the largest number is what you want to report: 201.6.128/17 has the largest number. But 201.6.0/17 can also be a valid range. The other range is 201.6/16. This one i'm not too sure what to do about it. For 201.6/16 I think we'd type 201.6.0.0/16, and for 201.6.128/17 and 201.6.0/17 we'd probably type 201.6.128.0/17 and 201.6.0.0/17, respectively. But for those i'd need corroboration from the big guys :) --Stux 04:13, 21 November 2005 (UTC)

Ok, the more I think about it we'll probably have to just stick to the "inetnum:" field, in this case the rather large 201.6/16 (201.6.0.0/16). --Stux 04:15, 21 November 2005 (UTC)

In cases like 201.6.101.49, use the "inetnum" entry (201.6/16 in that case). Also, the CIDR/Netmask calculator tool found on dnsstuff.com might help some. See this lookup for an example. -- Tom 05:17, 21 November 2005 (UTC)

[edit] It's over! Or is it?

If I'm looking at this page correctly, are we now finished? Yay! I only ended up working on one of the sections, but I would have done more if I had the chance. This is an awesome site and I hate to see it getting ruined by vandals who have nothing better to do. ... By the way, did anyone actually get themselves a Danish after contributing? I would have, but there were none to be found in the house. I'll get mine at the store tomorrow. :) --Hyrulian 10:15, 21 November 2005 (UTC)

Don't look now, but I got some more IPs from the recent attack to the Fanstuff over the weekend. Some of them fall in the ranges we have already identified... and some of them don't. I will have a report soon. In the meantime, maybe someone can find a way to deal with this problem at the source... perhaps a baseball bat to the vandal's motherboard would do nicely. — It's dot com 15:50, 21 November 2005 (UTC)

Nope no danish, I don't have any in my humble abode. It sounds like a neat idea, but for me, it's not the right time yet (eating a danish). Hmmm... a baseball bat... or how about a sharpie!? Er... I mean a Mace! Yes a Mace! Ok I do have a question: I remember reading a poster that said that these attacks came from zombie machines and not open proxies -- do you guys know which one of the two this really is? Is there a way to tell? (I'm guessing yes, since if they're open proxies anybody can gain access to them.) He got more IPs?! Yay. O_o If I get the time I hope I can help by providing useful code. --Stux 16:09, 21 November 2005 (UTC)

I can have somebody whacked. Just give me a name or address. I R F 16:28, 21 November 2005 (UTC)

I said this in Da Basement, too, but these IPs in general show too many similarities to be random machines, in my opinion. Also, I believe some one person is driving these attacks, because they start and stop, and because whoever it is adapts to our countermeasures in specific ways. — It's dot com 17:33, 21 November 2005 (UTC)

Are we ever going to be able to re-open the wiki? Or are we doomed to eternal lockdown? Is it even legal, what this guy's doing? ⇔Thunderbird⇔ 18:33, 28 November 2005 (UTC)

My guess is, no, there must be some law this guy's breaking. If these machines are (some people suggest) zombie machines, then just that alone is breaking the law. However, in the (more likely) case where he's using proxies, he could still be breaking some laws by using DoS... but I am not sure. --Stux 19:42, 28 November 2005 (UTC)

Denial-of-Service attacks are flat-out illegal and can land the person responsible in jail. The only reason there aren't more convictions in cases like this is because they are very difficult to prove. —  KieferSkunk (talk) — 19:49, 28 November 2005 (UTC)

Heh; I just asked the same thing, Thunderbird, over at Talk:Main Page#NSMC is at it again. I don't like the idea of a permanently closed wiki (if that's what it becomes, he's at least won a partial victory); maybe it's time to start discussing whether there's a way to reopen before he's caught. —AbdiViklas 19:50, 28 November 2005 (UTC)

Just to point that out: I never allowed anybody to use my machine for a (D)DoS attack (and of course that will never ever happen), and my machine is not "hijacked" or a "zombie" or anything the like either. --84.56.184.243 23:14, 23 June 2006 (UTC) (Thiesi, admin of 194.95.224.201)

Thiesi, 194.95.224.201 has been blacklisted for a while because the Spam and Open Relay Blocking System reports that the machine is a "vulnerable/hacked server" and a "Likely Trojaned Machine, host running Korgo trojan". If you wish to request a delisting, they say to please do so through the their support system. -- Tom 22:31, 24 June 2006 (UTC)

Tom, I did that already, but the fact that SORBS listed my machine incorrectly as "trojaned" and "vulnerable/hacked server" doesn't affect my previous statement in any way. I just wanted to point out that there is no "trojan horse" or anything the like running on 194.95.224.201 - and never was. For some strange reason I don't like my IP address to be mentioned in such a context ... :-) --84.56.175.7 23:08, 27 June 2006 (UTC) (Thiesi)

Thiesi, and the fact that you say that your machine isn't compromised doesn't affect my previous statement in any way either. I'm sorry that the SORBS may not be top-notch, and I admit it has its issues, but that's what we have to go on. -- Tom 23:17, 27 June 2006 (UTC)