Author Topic: adding a new range to Blocklist?  (Read 3058 times)


Offline Joshua203

  • MX Hosts
  • *****
  • *****
  • www.DutchaGoGo.com
    • www.DutchaGoGo.com and a few more like WinMX.ComXa.com and WinMX.ExoFire.net
adding a new range to Blocklist?
« on: November 30, 2008, 06:28:41 pm »
Hello,

I am not really sure if any normal users would be in this range, but I have been seeing this range hit my WinMX for over a year now, and it hits every second and disconnects every second 24/7 (and I am quite sure more users have this problem, although most do not notice because they only watch the transfer screen connections).
Watching through tcp-view however makes them very visible!

I did quite a lot of investigating on this, and if needed I must have some more info on this traffic.
But for now I'll just tell you it is inarpa.net traffic (IP connecting both in reverse and normal)

The range I am referring to is 72.172.88.0 up to 72.172.91.255

I myself am capable of blocking it now, so I am not asking this for myself but for other maybe unaware WinMX users!

If more info is wanted I think I can dig up some... but in short they seem to be trying to send text messages (and failing) over and over and over etc etc ...lol

Greetings, ..Joshua203

Windows 7 Ultimate 64bit Edition, CPU Intel64 Family 6 Model 26 Stepping 5 Genuine Intel Intel(R) Core(TM) i7 CPU 930 @ 2.80GHz, RAM: 12GB

WebSite: www.DutchaGoGo.com

Offline GhostShip

  • Ret. WinMX Special Forces
  • WMW Team
  • *****
Re: adding a new range to Blocklist?
« Reply #1 on: November 30, 2008, 11:07:29 pm »
Of late many of the flooding companies have scaled down their efforts considerably, as you can see from the current blocklist here,

https://www.winmxworld.com/files/block_list.txt

I'm sure by the time you read this the anti flooding team will be investigating the IP range and perhaps extending the range they already have blocked to meet any threat.

One thing to bear in mind is that the patch will force a disconnection if the IP is that of a network attacker, but they will try many times to reconnect and for a long time; this may be the activity you're actually seeing.


Offline Me Here

  • Ret. WinMX Special Forces
  • WMW Team
  • *****
  • We came, We Saw, We definitely Kicked Ass!
Re: adding a new range to Blocklist?
« Reply #2 on: December 01, 2008, 12:46:29 am »
Hi Joshua,

If it's possible for you to do so for me, could I possibly have the logs via email of the TCP viewer so that I can see the actual IPs that are causing you the grief?

Thanks just send them to
me_here@winmxworld.com

~regards the blocking team (I've just always wanted to say that)   :lol:

Offline Joshua203

  • MX Hosts
  • *****
  • *****
  • www.DutchaGoGo.com
    • www.DutchaGoGo.com and a few more like WinMX.ComXa.com and WinMX.ExoFire.net
Re: adding a new range to Blocklist?
« Reply #3 on: December 01, 2008, 01:23:43 am »
eyy you both  :)

- to ghost: I was telling you it is happening for more than a year and this is actually an understatement, also I said it's at least one a second that connects and disconnects 24/7.
It's probably quite harmless because my own investigation led me to the fact that they are just text messages that cannot connect, however the puter does have to deal with them all day long, day in day out, year in year out.. so it would be nice if it went away for everyone right?

- to the Lady Ray there, long time no see again  :blindfold: I hope you are doing fine.
I kinda must admit I have no logs (stupid me) but...... I will shut my own blocklist for the night and hope they are still there for log creation... I will let you know ASAP!!!

Greetings, ...Joshua203

Offline Joshua203

  • MX Hosts
  • *****
  • *****
  • www.DutchaGoGo.com
    • www.DutchaGoGo.com and a few more like WinMX.ComXa.com and WinMX.ExoFire.net
Re: adding a new range to Blocklist?
« Reply #4 on: December 01, 2008, 02:05:38 am »
I might as well have waited on posting because I got hit immediately!

But can you give me a hint on how to log that shit?

Offline Joshua203

  • MX Hosts
  • *****
  • *****
  • www.DutchaGoGo.com
    • www.DutchaGoGo.com and a few more like WinMX.ComXa.com and WinMX.ExoFire.net
Re: adding a new range to Blocklist?
« Reply #5 on: December 01, 2008, 02:06:27 am »
I mean without having to close my running MX

Offline Joshua203

  • MX Hosts
  • *****
  • *****
  • www.DutchaGoGo.com
    • www.DutchaGoGo.com and a few more like WinMX.ComXa.com and WinMX.ExoFire.net
Re: adding a new range to Blocklist?
« Reply #6 on: December 01, 2008, 02:23:41 am »
Quote from: Me_Here
~regards the blocking team (I've just always wanted to say that)
what team ...I thought it was just you :P

Sorry for all the double posts but I still miss my edit  :butt: ~on (button :crazy:)

Edit: typo removal by myself :thumbs: (after the next few messages ....I must have been blind again :nerd:)

Offline Me Here

  • Ret. WinMX Special Forces
  • WMW Team
  • *****
  • We came, We Saw, We definitely Kicked Ass!
Re: adding a new range to Blocklist?
« Reply #7 on: December 01, 2008, 03:26:17 am »
LoL.
Joshua, most TCP viewers I believe have a function to save a .log file of the session; if yours doesn't, that's OK, I'll see what I can find on XNetstat.
And no, there is a 'team', not just me  :D

There should be a 'modify' button in most areas of the forum however there were a few areas that are for discussion that we left uneditable. News and this area sorry :S

Offline Joshua203

  • MX Hosts
  • *****
  • *****
  • www.DutchaGoGo.com
    • www.DutchaGoGo.com and a few more like WinMX.ComXa.com and WinMX.ExoFire.net
Re: adding a new range to Blocklist?
« Reply #8 on: December 01, 2008, 04:48:29 am »
I'm awake a long time now so excuse me if I start talking nonsense, I'm tired and still cannot sleep, but that aside

No, my viewer just has the save button, so this gives me no log but just what is there at that second the file is saved (I'd love to have a better one though, any advice on that?)

I can post some more info, maybe it helps:

some resolved addresses from saved tcpview:

WinMX.exe:3116   TCP      80.89.172.72.in-addr.arpa:2782   FIN_WAIT2
WinMX.exe:2904   TCP      79.89.172.72.in-addr.arpa:3037   FIN_WAIT1
WinMX.exe:2904   TCP      25.89.172.72.in-addr.arpa:3550   SYN_RCVD   
WinMX.exe:2904   TCP      107.91.172.72.in-addr.arpa:2942   SYN_RCVD   

unresolved:

WinMX.exe:3116   TCP   my ip:6699   72.172.89.33:2379   SYN_RCVD
WinMX.exe:2904   TCP   my ip:6699   72.172.89.79:2004   SYN_RCVD   

a lookup:
33.89.172.72
DoD Network Information Center
United States

72.172.89.33
33.89.172.72.in-addr.arpa
Net2EZ
United States

ports vary for these connections and the IP is always in the range I mentioned earlier

I hope this helps a little

it's just bogus traffic really (in my humble opinion) and blocking the range did make my WinMX look a lot more at ease ;)

Off to bed now ..i can try some shut eye for the next 2 hours and hope i finally can Zzzleep  :ugly:

Greetings again  :kiss:

Offline Me Here

  • Ret. WinMX Special Forces
  • WMW Team
  • *****
  • We came, We Saw, We definitely Kicked Ass!
Re: adding a new range to Blocklist?
« Reply #9 on: December 01, 2008, 05:36:34 pm »
hey Joshua,

I've had a look over what you've posted and frankly can see no new evidence to add any new IPs to the list, as the IPs that you show here are being blocked by the blocklist already.
MediaDefender       :72.172.89.0-72.172.89.255
MediaDefender       :72.172.91.94-72.172.91.116

As mentioned, the nature of the patch is to 'tie' up connection of the offenders by using a closed wait, and the SYN_RCVD you're getting I can only assume is down to them being handled by the firewall first maybe. Anyway, the idea behind the closed wait rather than just disconnecting them immediately is to tie them up longer and limit the amount of traffic trying to access you. Something that has actually been in practice since KM first deployed the first blocking patch in 2006.

I use XNetstat when I do my checks for flooders simply because recently they were caught using an old Macrovision IP range trying to connect, but not flooding any actual files from it; that activity has ceased months ago but the IP range is in place still.  From that I often see the attempts to connect which look identical to what you have posted below.
When you block this range in your firewall that's well and good, obviously then WinMX won't have to handle the traffic, but it will also increase the amount of traffic you have to deal with as the firewall isn't built to delay the disconnect in a manner that leaves them hanging and slows the attempts down (which incidentally also uses far more system resources than WinMX will doing the same job).

Hope this made sense, post any other traffic (outside the range already blocked) if you catch any, and we'll have another look at it, but for now I'm confident that the blocklist is doing exactly as it should, we are always happy to investigate anything anyone finds odd :)
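
Added example, not part of the thread or of the WinMX patch: a Python check of the remote endpoints from the TCPView lines in Reply #8 against the two blocklist entries quoted in Reply #9, undoing the in-addr.arpa octet reversal first. The function names are hypothetical, and the `label :first-last` line format is assumed from the two quoted entries only.

```python
import ipaddress
import re

# The two blocklist entries quoted in Reply #9 (format assumed: label :first-last).
BLOCKLIST_TEXT = """\
MediaDefender       :72.172.89.0-72.172.89.255
MediaDefender       :72.172.91.94-72.172.91.116
"""

# Remote endpoints copied from the TCPView lines posted in Reply #8.
OBSERVED = [
    "80.89.172.72.in-addr.arpa:2782",
    "79.89.172.72.in-addr.arpa:3037",
    "25.89.172.72.in-addr.arpa:3550",
    "107.91.172.72.in-addr.arpa:2942",
    "72.172.89.33:2379",
    "72.172.89.79:2004",
]

def parse_blocklist(text):
    """Return (label, first, last) tuples from 'label :a.b.c.d-e.f.g.h' lines."""
    ranges = []
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s*:\s*([\d.]+)\s*-\s*([\d.]+)\s*$", line)
        if m:
            first, last = (ipaddress.IPv4Address(x) for x in m.group(2, 3))
            ranges.append((m.group(1), first, last))
    return ranges

def endpoint_to_ip(endpoint):
    """Strip the port; if the host is a reverse-DNS name, un-reverse its octets."""
    host = endpoint.rsplit(":", 1)[0]
    suffix = ".in-addr.arpa"
    if host.lower().endswith(suffix):
        host = ".".join(reversed(host[: -len(suffix)].split(".")))
    return ipaddress.IPv4Address(host)

def match(ip, ranges):
    """Return the label of the first range containing ip, or None."""
    for label, first, last in ranges:
        if first <= ip <= last:
            return label
    return None

def report(endpoints, ranges):
    """Map each endpoint string to the matching blocklist label (or None)."""
    return {e: match(endpoint_to_ip(e), ranges) for e in endpoints}

if __name__ == "__main__":
    for endpoint, label in report(OBSERVED, parse_blocklist(BLOCKLIST_TEXT)).items():
        print(f"{str(endpoint_to_ip(endpoint)):<16} {label or 'NOT COVERED'}")
```

Looking up the octets of a `.in-addr.arpa` name as if they were an address (33.89.172.72) queries a different network than the real peer (72.172.89.33), which is why the two lookups in Reply #8 return different owners.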


Offline Joshua203

  • MX Hosts
  • *****
  • *****
  • www.DutchaGoGo.com
    • www.DutchaGoGo.com and a few more like WinMX.ComXa.com and WinMX.ExoFire.net
Re: adding a new range to Blocklist?
« Reply #10 on: December 02, 2008, 05:27:52 am »
Makes perfect sense Me_Here

I just thought blocking in my firewall would be better because the traffic would stop it before entering my system or sumthing like that, and WinMX not having to deal with them anymore looked quite nice in the tcp-viewer.
Your remark about that the firewall uses system resources too gave me something to think about  :yes:

I thought I was saying something intelligent for once, but why I did not have a close look at what is actually already in the blocklist still is a mystery to me  :oops:

thanks for making me understand this a little better

Greetings, ..Joshua203

Offline Joshua203

  • MX Hosts
  • *****
  • *****
  • www.DutchaGoGo.com
    • www.DutchaGoGo.com and a few more like WinMX.ComXa.com and WinMX.ExoFire.net
Re: adding a new range to Blocklist?
« Reply #11 on: May 02, 2009, 07:58:23 pm »
Hi again

Today I added 2 new IP ranges to my router firewall for suspicious WinMX related traffic, maybe worth looking into?

174.136.239.*
174.136.243.*

thnx, greetings, ..Joshua203

Offline Forested665

  • Forum Member
  • Linux:2003 FreeBSD:2004 Debian/BSD developer:2006
Re: adding a new range to Blocklist?
« Reply #12 on: May 02, 2009, 11:45:16 pm »
Joshua, I'm sure it would help them if you posted the reason why they were blocked and if you know who they are.

I saw that you asked last year for a TCP viewer. For Windows I use Active Ports
(free here: http://download.cnet.com/Active-Ports/3000-2651_4-29653.html?tag=mncol)

BSD -  The Daemons Are No Longer Just Inside My Head.

Offline GhostShip

  • Ret. WinMX Special Forces
  • WMW Team
  • *****
Re: adding a new range to Blocklist?
« Reply #13 on: May 03, 2009, 12:00:24 am »
The IP range you list was added to the blocklist last night Joshua, they are it seems replacing the Media Defender 72. IP range that has been about for the last few years with this new one, cretinous but predictable  :lol:

Anyone finding these IPs connecting to them is advised to restart their MX to allow the patch to update its block list if it has not done so already.

Thanks for staying alert Joshua  8)

Offline Joshua203

  • MX Hosts
  • *****
  • *****
  • www.DutchaGoGo.com
    • www.DutchaGoGo.com and a few more like WinMX.ComXa.com and WinMX.ExoFire.net
Re: adding a new range to Blocklist?
« Reply #14 on: May 03, 2009, 03:21:46 am »
I was messing about as usual when I noticed this headless chicken traffic  :canadian: , I might still come with a flood question but I need to see how the blocklist deals with this first I guess

thnx GS and thnx Forested for the link, I'll check it out (this was just noticed in TCPview again ;-) )
