Anders Johansson wrote:
On Monday 16 February 2009 00:35:06 David C. Rankin wrote:
The IP 66.249.71.154 is google alright, but who knows if it is spoofed. I killed it with everything I could think of:
Google crawls the net to index web servers so people can do web searches. If you want your site to show up when people do web searches, I suggest you stop blocking it.
It's easy to spoof IP addresses in DoS attacks, because then it's one-way traffic, it doesn't have to get a response. But it's much harder to do in a TCP connection, when the packets have to be responded to.
If you want to be sure, you can verify the MAC address of the packets. If it's the same as that of your default gateway, it comes from outside your provider's "local" LAN, and is almost guaranteed to be genuine.
But considering that it's something google does in order to maintain their database, I see no reason to suspect foul play.
Be paranoid when they start trying to execute CGI scripts or similar on your site. Not for simple reads.
Anders
That's what has me worried about this one. Even with my robot.txt configured to block crawling, not 5 minutes ago, I got another flood of googlebot requests that literally brought my internet connection to its knees. I don't mind google indexing, but I would kind of like to be able to use my internet connection while they are doing it.

Case-in-point, just five minutes ago while I was ssh'ed into the office, all of a sudden I noticed my cursor lagging far behind my typing (and I *don't* type fast at all). I check rbpllc.com - no traffic there, I check my home site 3111skyline.com - WTF?? The xterm I was running tcpdump in was just screaming lines of text. I just stopped the web server and -- thought for a minute.

I can't imagine a legitimate bot causing enough traffic to drown your site out. I admit, I draw blanks trying to interpret whether what I'm seeing is legitimate or not. Whatever this bot is, it caused enough traffic to completely fill the scroll-buffer of my xterm in less than 1 second?? I have made the scroll buffer lines that I was able to catch available in hopes somebody can take a peek and let me know if it looks normal:

http://www.3111skyline.com/download/webdev/dos/access_log-20090215

Also, I raised the firewall and added a custom rule to take all traffic from 66.249.0.0/24 and redirect it to port 9345 (unassigned). Hopefully this works like an iptables drop. If not or if it will cause problems, somebody please let me know.

Any knowledge you can give to help me sort through this will be appreciated. Thanks.

--
David C. Rankin, J.D.,P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
www.rankinlawfirm.com
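
The checks discussed in this thread, as an added example that is not part of either poster's message: it reads access-log lines, reports each client's peak requests per second and its non-read requests (CGI paths or methods other than GET/HEAD), and tests whether a firewall rule's source network contains that client. The log lines and all function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in Apache common log format (not the poster's log);
# 66.249.71.154 is the address quoted in the thread, 192.0.2.10 is a
# documentation address used as a second client.
SAMPLE_LOG = """\
66.249.71.154 - - [15/Feb/2009:23:58:01 -0600] "GET /a.html HTTP/1.1" 200 512
66.249.71.154 - - [15/Feb/2009:23:58:01 -0600] "GET /b.html HTTP/1.1" 200 734
66.249.71.154 - - [15/Feb/2009:23:58:01 -0600] "GET /c.html HTTP/1.1" 200 120
66.249.71.154 - - [15/Feb/2009:23:58:02 -0600] "GET /d.html HTTP/1.1" 200 300
192.0.2.10 - - [15/Feb/2009:23:58:02 -0600] "POST /cgi-bin/form.pl HTTP/1.1" 200 90
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)')


def summarize(log_text):
    """Per client: peak requests in any one second, and non-read requests."""
    per_second, non_read = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not request records
        ip, stamp, method, path = m.groups()
        per_second[(ip, stamp)] += 1
        # "Simple reads" are GET/HEAD on non-CGI paths; anything else is counted.
        if method not in ("GET", "HEAD") or "/cgi-bin/" in path:
            non_read[ip] += 1
    peaks = {}
    for (ip, _stamp), count in per_second.items():
        peaks[ip] = max(peaks.get(ip, 0), count)
    return {ip: (peak, non_read[ip]) for ip, peak in peaks.items()}


def rule_covers(cidr, ip):
    """True if the firewall rule's source network contains the client address."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def triage(log_text, blocked_cidr):
    """Rows of (ip, peak_per_second, non_read_requests, covered_by_rule)."""
    return sorted(
        (ip, peak, writes, rule_covers(blocked_cidr, ip))
        for ip, (peak, writes) in summarize(log_text).items()
    )


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, "66.249.0.0/24"):
        print(row)
```

A /24 fixes the first three octets, so `rule_covers("66.249.0.0/24", "66.249.71.154")` returns False.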