Richard Kilmer wrote:

>Some freaking dork at the following IP address(s) was continually
>downloading ruby182-14_RC8a.exe from here:
>
>200.98.63.142
>
>Then from here...
>
>200.98.136.108
>
>How is this for an example log:
>
>200.98.63.142 - - [23/Oct/2004:17:41:34 -0400] "GET
>/frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 11613136
>200.98.63.142 - - [23/Oct/2004:17:53:18 -0400] "GET
>/frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 11613136
>200.98.63.142 - - [23/Oct/2004:17:56:34 -0400] "GET
>/frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 11613136
>200.98.63.142 - - [23/Oct/2004:18:00:47 -0400] "GET
>/frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 11613136
>200.98.63.142 - - [23/Oct/2004:18:06:31 -0400] "GET
>/frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 11613136
>200.98.63.142 - - [23/Oct/2004:18:10:56 -0400] "GET
>/frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 11613136
>200.98.63.142 - - [23/Oct/2004:18:11:14 -0400] "GET
>/frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 11613136
>200.98.63.142 - - [23/Oct/2004:18:11:28 -0400] "GET
>/frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 11613136
>200.98.63.142 - - [23/Oct/2004:18:11:41 -0400] "GET
>/frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 11613136
>200.98.63.142 - - [23/Oct/2004:18:19:10 -0400] "GET
>/frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 9190167
>200.98.63.142 - - [23/Oct/2004:18:19:12 -0400] "GET
>/frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 11613136
>200.98.63.142 - - [23/Oct/2004:18:19:18 -0400] "GET
>/frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 11613136
>200.98.63.142 - - [23/Oct/2004:18:23:16 -0400] "GET
>/frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 11613136
>200.98.63.142 - - [23/Oct/2004:18:23:55 -0400] "GET
>/frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 11613136
>200.98.63.142 - - [23/Oct/2004:18:26:32 -0400] "GET
>/frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 11613136
>200.98.63.142 - - [23/Oct/2004:18:26:36 -0400] "GET
>/frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 11613136
>200.98.63.142 - - [23/Oct/2004:18:27:46 -0400] "GET
>/frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 11613136
>200.98.63.142 - - [23/Oct/2004:18:28:32 -0400] "GET
>/frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 11613136
>200.98.63.142 - - [23/Oct/2004:18:29:58 -0400] "GET
>/frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 11613136
>200.98.63.142 - - [23/Oct/2004:18:31:51 -0400] "GET
>/frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 11613136
>200.98.63.142 - - [23/Oct/2004:18:32:07 -0400] "GET
>/frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 11613136
>
>And I mean continually.  Those IP addresses are now officially blocked.  If we
>find the perp who did this, they are going to be NAILED.  We realize that
>this is probably a DSL line or cable modem.  If someone wants to help track
>down who is doing this it would be great.  It seems to be coming from Brazil
>(www.uol.com.br).  RubyForge is a community resource and this screws the
>whole community.
>
>I can only assume this was a denial of service attack.  I will block the
>entire 200.98 subnet and every other subnet owned by uol.com.br if these
>things continue (which may negatively affect innocent people...and I don't
>want to do that).
>
>Best,
>
>Rich
>Team RubyForge
>
>
Solution, check RBL lists..
http://rbls.org/?q=200.98.136.108

Implement checks for these; I use them as well..
                   opm.blitzed.org,  /* Remember, this is a hijacked-IP range domain, so it's your choice to use. Questions, ask me. */
                   list.dsbl.org,
                   bl.spamcop.net,
                   sbl-xbl.spamhaus.org,
                   dnsbl.njabl.org,
                   http.dnsbl.sorbs.net,
                   socks.dnsbl.sorbs.net,
                   misc.dnsbl.sorbs.net,
                   smtp.dnsbl.sorbs.net,
                   web.dnsbl.sorbs.net,
                   spam.dnsbl.sorbs.net,  
                   block.dnsbl.sorbs.net,
                   zombie.dnsbl.sorbs.net,
                   rhsbl.sorbs.net,
                   dnsbl.ahbl.org

You were attacked, yes. Solution is to implement RBLs. This is what to 
do if you are going to be under attack. Some people, like big sites, 
don't care. I know RubyForge isn't HUGE and has 100000 Terabytes of 
transfer a month, so it's best to implement RBL.


Thanks have a nice day, for the solution.

David Ross
-- 
Hassle-free packages for Ruby?
RPA is available from http://www.rubyarchive.org/
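
An added example, not part of either message: one way to combine the two ideas in this thread, finding clients that fetch the same file repeatedly in an access log and then checking each one against DNSBL zones. The zone `dnsbl.example.org`, the threshold of 3, and the rule "block only when both conditions hold" are assumptions for illustration; the log lines are constructed with documentation addresses.

```ruby
require 'resolv'

# Constructed sample in the access-log format quoted above (documentation IPs).
GET = '"GET /frs/download.php/1205/ruby182-14_RC8a.exe HTTP/1.1" 200 11613136'
SAMPLE_LOG = <<~LOG
  192.0.2.10 - - [23/Oct/2004:18:11:14 -0400] #{GET}
  192.0.2.10 - - [23/Oct/2004:18:11:28 -0400] #{GET}
  192.0.2.10 - - [23/Oct/2004:18:11:41 -0400] #{GET}
  198.51.100.7 - - [23/Oct/2004:18:12:02 -0400] #{GET}
  192.0.2.10 - - [23/Oct/2004:18:19:12 -0400] #{GET}
LOG

LOG_RE = /\A(\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] "GET (\S+) [^"]*" (\d{3}) /

# Clients with at least `threshold` successful GETs of the same path.
def repeat_downloaders(log, threshold)
  counts = Hash.new(0)
  log.each_line do |line|
    next unless (m = LOG_RE.match(line))
    counts[[m[1], m[2]]] += 1 if m[3] == '200'
  end
  counts.select { |_, n| n >= threshold }.keys.map(&:first).uniq
end

# DNSBL query name: IPv4 octets reversed, then the zone (RFC 5782).
def dnsbl_name(ip, zone)
  octets = ip.split('.', -1)
  valid = octets.size == 4 && octets.all? { |o| o.match?(/\A\d{1,3}\z/) && o.to_i <= 255 }
  raise ArgumentError, "not an IPv4 address: #{ip}" unless valid
  "#{octets.reverse.join('.')}.#{zone}"
end

# Live A lookup; a name that does not exist yields an empty list.
LIVE_LOOKUP = ->(name) { Resolv::DNS.open { |dns| dns.getaddresses(name).map(&:to_s) } }

# Zones that list `ip`. Only answers inside 127.0.0.0/8 count as a listing, so a
# zone that answers with some other address is not treated as a hit.
def listed_in(ip, zones, lookup = LIVE_LOOKUP)
  zones.select { |zone| lookup.call(dnsbl_name(ip, zone)).any? { |a| a.start_with?('127.') } }
end

# Assumed policy: block only clients that are repeat downloaders AND listed.
def block_candidates(log, zones, threshold: 3, lookup: LIVE_LOOKUP)
  repeat_downloaders(log, threshold).select { |ip| listed_in(ip, zones, lookup).any? }
end
```

Passing a stub lambda as `lookup` lets the logic be exercised without network access; with the default, each check is a live DNS query against the zones given.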