Richard Kilmer wrote:

>Some freaking dork at the following IP address(s) was continually
>downloading ruby182-14_RC8a.exe from here:
>
>200.98.63.142
>
>Then from here...
>
>200.98.136.108
>
>How is this for an example log:
>
>200.98.63.142 - - [23/Oct/2004:17:41:34 -0400] "GET
>/frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 11613136
>200.98.63.142 - - [23/Oct/2004:17:53:18 -0400] "GET
>/frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 11613136
>200.98.63.142 - - [23/Oct/2004:17:56:34 -0400] "GET
>/frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 11613136
>200.98.63.142 - - [23/Oct/2004:18:00:47 -0400] "GET
>/frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 11613136
>200.98.63.142 - - [23/Oct/2004:18:06:31 -0400] "GET
>/frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 11613136
>200.98.63.142 - - [23/Oct/2004:18:10:56 -0400] "GET
>/frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 11613136
>200.98.63.142 - - [23/Oct/2004:18:11:14 -0400] "GET
>/frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 11613136
>200.98.63.142 - - [23/Oct/2004:18:11:28 -0400] "GET
>/frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 11613136
>200.98.63.142 - - [23/Oct/2004:18:11:41 -0400] "GET
>/frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 11613136
>200.98.63.142 - - [23/Oct/2004:18:19:10 -0400] "GET
>/frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 9190167
>200.98.63.142 - - [23/Oct/2004:18:19:12 -0400] "GET
>/frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 11613136
>200.98.63.142 - - [23/Oct/2004:18:19:18 -0400] "GET
>/frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 11613136
>200.98.63.142 - - [23/Oct/2004:18:23:16 -0400] "GET
>/frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 11613136
>200.98.63.142 - - [23/Oct/2004:18:23:55 -0400] "GET
>/frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 11613136
>200.98.63.142 - - [23/Oct/2004:18:26:32 -0400] "GET
>/frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 11613136
>200.98.63.142 - - [23/Oct/2004:18:26:36 -0400] "GET
>/frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 11613136
>200.98.63.142 - - [23/Oct/2004:18:27:46 -0400] "GET
>/frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 11613136
>200.98.63.142 - - [23/Oct/2004:18:28:32 -0400] "GET
>/frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 11613136
>200.98.63.142 - - [23/Oct/2004:18:29:58 -0400] "GET
>/frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 11613136
>200.98.63.142 - - [23/Oct/2004:18:31:51 -0400] "GET
>/frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 11613136
>200.98.63.142 - - [23/Oct/2004:18:32:07 -0400] "GET
>/frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 11613136
>
>And I mean continually.  Those IP address are now officially blocked.  If we
>find the perp who did this, they are going to be NAILED.  We realize that
>this is probably a DSL line or cable modem.  If someone wants to help track
>down who is doing this it would be great.  It seems to be coming from Brazil
>(www.uol.com.br)  RubyForge is a community resource and this screws the
>whole community.
>
>I can only assume this was a denial of service attack.  I will block the
>entire 200.98 subnet and every other subnet owned by uol.com.br if these
>things continue (which may negatively effect innocent people...and I don't
>want to do that).
>
>Best,
>
>Rich
>Team RubyForge
>
>  
>
I believe there are better ways than blacklisting so many users. 
RubyForge is a great place for browsing projects, I think it would be 
ill to prevent users to learn about RubyForge.

Maybe you could implement some sort of max downloads a day? or bandwidth 
usage a day?

David Ross
-- 
Hazzle free packages for Ruby?
RPA is available from http://www.rubyarchive.org/