Blocking IP with no reverse?

         

JorgeV

4:30 pm on Jan 13, 2020 (gmt 0)


Hello,

For some days now, I have noticed an increase in traffic on all my sites; however, analyzing my logs closely, I noticed a surge of hits from IPs with no reverse DNS, and no referrer. What are your thoughts? These IPs seem to come from anywhere in the world, and besides the lack of referrer the headers are perfectly fine. It's not a DDoS because the volume is 3-4 per minute. Files/CSS/JS seem to be downloaded with the pages. These IPs are only viewing one page, then do not return (but that is the behavior of a lot of the visitors of my sites too).

So I am considering simply blocking IP with no reverse. Good, bad idea?

not2easy

4:57 pm on Jan 13, 2020 (gmt 0)


I would look closer at the IP range. It could be cloud or wi-fi traffic and depending on the locale and device it may be non-ISP type traffic. Best to decide by log analysis rather than blanket blocking.

JorgeV

5:00 pm on Jan 13, 2020 (gmt 0)


It could be cloud or wi-fi traffic

Okay. However, I always thought (certainly wrongly) that all IPs were supposed to have a reverse.

JorgeV

5:15 pm on Jan 13, 2020 (gmt 0)


Ah, I found something... All the suspect hits with no reverse have a user agent claiming to be Chrome v40 to v50...

Considering that Chrome is at v79, would it be an "acceptable" compromise to block versions claiming to be that old, in conjunction with no reverse?

not2easy

6:08 pm on Jan 13, 2020 (gmt 0)


This depends too much on where to say offhand yes/no. If you commonly see older versions, people with older devices could be trying to use what they can obtain to visit. Rely on your own experience with the site in question. Your access logs can tell you much more about whether any visitor is unwanted. If their behavior is good, why block them for driving an old car?

lucy24

10:15 pm on Jan 13, 2020 (gmt 0)


So I am considering simply blocking IP with no reverse. Good, bad idea?
Ooh, ooh, I know the answer to this one!

:: waving hand excitedly ::

Answer: It depends. For starters, is performing an IP lookup for all requests less work for your server than sending out material to the handful of people who shouldn't have it? Is there a risk that they have further nefarious schemes? Is it possible to block them by other means?

I currently block four specific user-agents. Not version numbers but the entire, beginning-to-end UA string. Sure, of course you should block truly ancient browsers--but as not2easy points out, you need to make sure you're not concurrently blocking human users. There's a difference between Firefox/6 and Firefox/60.
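Added example (not written by any poster in this thread): a Python sketch of the log analysis suggested above. It combines the three signals discussed (no reverse DNS, no referrer, a user agent claiming Chrome 40 to 50) offline from the access log, with one reverse lookup per distinct IP rather than per request. It assumes Apache "combined" log format; the sample lines, the IPs and names such as `signals_by_ip` are constructed for illustration.

```python
import re
import socket

# Constructed sample lines (Apache "combined" format, documentation IP ranges).
UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/%s Safari/537.36"
SAMPLE_LOG = "\n".join([
    '203.0.113.7 - - [13/Jan/2020:16:01:02 +0000] "GET /a.html HTTP/1.1" 200 5120 "-" "%s"' % (UA % "45.0.2454.85"),
    '198.51.100.20 - - [13/Jan/2020:16:01:09 +0000] "GET /a.html HTTP/1.1" 200 5120 "https://example.com/" "%s"' % (UA % "79.0.3945.117"),
    '192.0.2.55 - - [13/Jan/2020:16:01:30 +0000] "GET /b.html HTTP/1.1" 200 4096 "-" "%s"' % (UA % "79.0.3945.117"),
    '198.51.100.99 - - [13/Jan/2020:16:02:11 +0000] "GET /b.html HTTP/1.1" 200 4096 "-" "%s"' % (UA % "48.0.2564.116"),
])
SAMPLE_PTR = {"198.51.100.20", "198.51.100.99"}  # constructed: IPs that "have" a reverse

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "([^"]*)" "([^"]*)"$')
CHROME_RE = re.compile(r"Chrome/(\d+)\.")

def system_ptr(ip):
    """Live check: True if the address resolves to a hostname (PTR record)."""
    try:
        socket.gethostbyaddr(ip)
        return True
    except OSError:
        return False

def signals_by_ip(log_text, has_ptr=system_ptr, old_chrome=range(40, 51)):
    """Map each client IP to the set of signals seen across its hits."""
    ptr_cache, found = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, referrer, agent = m.groups()
        if ip not in ptr_cache:  # one lookup per IP, not per request
            ptr_cache[ip] = has_ptr(ip)
        sig = found.setdefault(ip, set())
        if not ptr_cache[ip]:
            sig.add("no_ptr")
        if referrer in ("", "-"):
            sig.add("no_referrer")
        chrome = CHROME_RE.search(agent)
        if chrome and int(chrome.group(1)) in old_chrome:
            sig.add("old_chrome")
    return found

def review_candidates(found, required=("no_ptr", "no_referrer", "old_chrome")):
    """IPs showing every required signal: a list to review, not an automatic block list."""
    return sorted(ip for ip, sig in found.items() if set(required) <= sig)

if __name__ == "__main__":
    found = signals_by_ip(SAMPLE_LOG, has_ptr=SAMPLE_PTR.__contains__)
    print(review_candidates(found))
```

In the sample, the old-Chrome visitor that does have a reverse and the current-Chrome visitor without one each match only two signals, so neither lands on the review list.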

JorgeV

5:47 pm on Jan 27, 2020 (gmt 0)


Hello-

I was inspecting deeper, and all those odd Chinese hits are coming from IP ranges which belong to the ASN: CHINANET-BACKBONE No.31,Jin-rong Street. However, I can't understand what this ASN is exactly. It sounds like a very generic gateway?

Most do not have a hostname, but some have a reverse like: (xxx).broad.nt.js.dynamic.163data.com.cn

Does it tell you something?

lammert

7:00 pm on Jan 27, 2020 (gmt 0)


That is probably AS4134 [ipinfo.io], which is China Telecom. One of the largest ISPs in the world with currently 114 million IP addresses assigned and around 867 thousand domains hosted.