Block a bot by Netmask (hmm, simple mistake?)

Posted by Rebies, 01-08-2008, 01:52 PM
Okay, I have a Juniper firewall. I'm seeing a ton of traffic from the Twiceler bot in the range of 100,000 hits a day. Luckily they've more recently put up a list of IP addresses their bots use at: http://www.cuill.com/twiceler/robot.html

So, I'm blocking all of these now. However I think it's a simple Netmask issue I'm having. I'm blocking all ports from

208.36.144.0/24
38.99.13.0/24
38.99.44.0/24
64.1.215.0/24

However, I am still seeing the bot in server log files. Could it be that I should not be specifying .0 at the end, but instead .1? Like this in the policy?

64.1.215.1/24

Thanks. I think this is simple and that is my mistake. Would appreciate input before making the change to find out that is not the problem tomorrow.

Posted by bitserve, 01-09-2008, 12:47 AM
I'd say that is the proper way to represent those networks. I don't know all models of Juniper firewalls, but I'd guess that's not the issue. You may want to try blocking an IP address that you control to see if that rule works. Maybe you're creating your rules in the wrong zone or on the wrong interface. Also, try enabling logging for your rules.

Posted by david510, 01-09-2008, 04:01 AM
If you need to block the IPs from 208.36.144.0 to 208.36.144.254, you will need to block the following subnets.

208.36.144.0/25
208.36.144.128/27
208.36.144.128/28
208.36.144.128/29
208.36.144.128/30
208.36.144.128/31

Posted by Rebies, 01-09-2008, 12:13 PM
bitserve.. thanks for confirmation of this. I now think it was this... I first was allowing (in pseudo firewall speak)

From any source To Internal_IP Allow HTTP, HTTPS

Then, my last policy was

From Twiceler IP Ranges To Any Block All Services

So possibly I was explicitly allowing the bot before denying it.
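
Added example, not part of the original thread: a Python sketch of the two points discussed above, namely whether 64.1.215.0/24 and 64.1.215.1/24 name the same network, and how a permit policy placed ahead of a deny policy decides the outcome. It assumes first-match evaluation, models only source and service (destination is omitted), and the policy names, helper functions and test address 64.1.215.77 are constructed for illustration, not Juniper syntax.

```python
import ipaddress

# Ranges Rebies lists in the thread.
TWICELER = ["208.36.144.0/24", "38.99.13.0/24", "38.99.44.0/24", "64.1.215.0/24"]

def same_network(a, b):
    """True if two CIDR strings name the same network once host bits are masked."""
    return ipaddress.ip_network(a, strict=False) == ipaddress.ip_network(b, strict=False)

def make_policy(name, sources, services, action):
    """services=None means all services; destination matching is omitted here."""
    nets = [ipaddress.ip_network(s) for s in sources]
    return {"name": name, "sources": nets, "services": services, "action": action}

def matches_service(policy, service):
    return policy["services"] is None or service in policy["services"]

def evaluate(policies, src, service):
    """Return (action, policy name) of the first policy that matches."""
    ip = ipaddress.ip_address(src)
    for p in policies:
        if matches_service(p, service) and any(ip in n for n in p["sources"]):
            return p["action"], p["name"]
    return "deny", "implicit-default"

def shadowed_denies(policies, service):
    """Deny policies whose every source range an earlier permit already covers."""
    found = []
    for i, p in enumerate(policies):
        if p["action"] != "deny" or not matches_service(p, service):
            continue
        earlier = [n for q in policies[:i]
                   if q["action"] == "permit" and matches_service(q, service)
                   for n in q["sources"]]
        if all(any(net.subnet_of(e) for e in earlier) for net in p["sources"]):
            found.append(p["name"])
    return found

# Constructed policies mirroring the pseudo rules in the last post.
ALLOW_WEB = make_policy("allow-web", ["0.0.0.0/0"], {"HTTP", "HTTPS"}, "permit")
BLOCK_BOT = make_policy("block-twiceler", TWICELER, None, "deny")

if __name__ == "__main__":
    print(same_network("64.1.215.0/24", "64.1.215.1/24"))
    for order in ([ALLOW_WEB, BLOCK_BOT], [BLOCK_BOT, ALLOW_WEB]):
        names = [p["name"] for p in order]
        print(names, evaluate(order, "64.1.215.77", "HTTP"), shadowed_denies(order, "HTTP"))
```

Running `shadowed_denies` over an exported policy list before a change is a quick way to spot deny rules that can never fire, alongside the per-rule logging bitserve suggests.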
