Date: Sat, 29 Mar 2003 15:41:51 +0000
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: freebsd-questions@freebsd.org
Subject: Re: Annoying RedAlert.com activity
Message-ID: <20030329154151.GA33617@happy-idiot-talk.infracaninophi>
In-Reply-To: <3.0.5.32.20030329082518.0142ed68@sage-one.net>
References: <3.0.5.32.20030329082518.0142ed68@sage-one.net>

On Sat, Mar 29, 2003 at 08:25:18AM -0600, Jack L. Stone wrote:
> This is semi-OT, but is a FBSD firewall question.
>
> Every day, I see this in the logs:
> 65.194.51.136 - - [29/Mar/2003:00:26:47 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
> 65.194.51.133 - - [29/Mar/2003:00:26:47 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
> 65.194.51.131 - - [29/Mar/2003:00:26:49 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
> 65.194.51.135 - - [29/Mar/2003:00:26:50 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
> 65.194.51.132 - - [29/Mar/2003:00:26:52 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
> 65.194.51.134 - - [29/Mar/2003:00:26:55 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
> 65.194.51.155 - - [29/Mar/2003:00:28:24 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
> 65.194.51.156 - - [29/Mar/2003:00:29:14 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
> 65.194.51.137 - - [29/Mar/2003:00:30:45 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
> 65.194.51.154 - - [29/Mar/2003:00:34:13 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
> 65.194.51.152 - - [29/Mar/2003:00:34:21 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
> 65.194.51.151 - - [29/Mar/2003:00:34:50 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
> 65.194.51.165 - - [29/Mar/2003:00:34:52 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
>
> Question:
> At the "redalert.com" web site, they claim to be a server monitoring
> service, but I've never signed up for the service and don't want this daily
> waste of BW that appears on all of my web servers. It is annoying and I
> would like to block their network via the firewall.
>
> Based on the above, what would be the best choice of how to block the network:
> 65.194.51.?/?
>
> Thanks for any suggestions....

whois(1) is your friend.
Looking up one of those IP numbers returns:

    UUNET Technologies, Inc. UUNET65 (NET-65-192-0-0-1)
                                      65.192.0.0 - 65.223.255.255
    Keynotes systems UU-65-194-51 (NET-65-194-51-0-1)
                                      65.194.51.0 - 65.194.51.255

    # ARIN WHOIS database, last updated 2003-03-28 20:00
    # Enter ? for additional hints on searching ARIN's WHOIS database.

Looking up redalert.com returns:

    Registrant:
    Internet Resources Group (REDALERT-DOM)
       2100 10-th Street Suite 500
       Plano, TX 75074
       US

       Domain Name: REDALERT.COM

       Administrative Contact:
          nic admin  (NA596-ORG)  nicadmin@KEYNOTE.COM
          Keynote Systems Inc.
          777 Mariners Island Boulevard
          San Mateo, CA 94404
          US
          (650) 403-3400
          Fax- - (650) 522-1099
       Technical Contact:
          Dawson, Shaun  (ELIKKIWCMI)  shaun@REDALERT.COM
          redalert.com
          2100 10-th Street Suite 500
          Plano, TX 75074
          US
          9725787406 9724226366

       Record expires on 20-Dec-2005.
       Record created on 21-Dec-1994.
       Database last updated on 29-Mar-2003 10:25:10 EST.

       Domain servers in listed order:

       NS1.REDALERT.COM             65.194.51.16
       NS2.REDALERT.COM             209.102.202.17

and a quick check of the http://www.keynote.com/ web site indicates
that "RedAlert" is a particular service of the Keynote company.

So if you really want to block them, your most effective filter setting
would be:

    65.194.51.0/24

However, they do claim to test from three different net blocks so you
may have to ferret out their other net blocks in a similar manner.

Note that the RedAlert service appears to be quite reputable, so I'd
suggest that you try contacting their support desk and asking them to
desist before doing anything else. It's quite possible someone is
paying for their monitoring service but has managed to mistype their
network address and would be quite glad of finding out their mistake.

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
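
The scoping step from the reply, as an added example that is not part of the original message: pull the sources that send the "RedAlert.com" User-Agent out of an access log, compute the smallest prefix that covers them, and compare it with the range whois reports. The function names are hypothetical, and the sample log is four of the quoted lines plus one constructed line from a documentation address.

```python
import ipaddress
import re

# Four of the log lines quoted in the message, plus one constructed line
# (192.0.2.10, a documentation address) from an unrelated client.
SAMPLE_LOG = """\
65.194.51.136 - - [29/Mar/2003:00:26:47 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
65.194.51.131 - - [29/Mar/2003:00:26:49 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
192.0.2.10 - - [29/Mar/2003:00:27:01 -0600] "GET / HTTP/1.0" 200 512 "-" "Mozilla/4.0"
65.194.51.151 - - [29/Mar/2003:00:34:50 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
65.194.51.165 - - [29/Mar/2003:00:34:52 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
"""

# Combined log format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')


def sources_for_agent(log_text, agent):
    """Sorted unique IPv4 sources whose User-Agent field equals `agent`."""
    found = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(2) != agent:
            continue
        try:
            found.add(ipaddress.IPv4Address(m.group(1)))
        except ipaddress.AddressValueError:
            continue  # first field is a hostname or malformed
    return sorted(found)


def covering_prefix(addrs):
    """Smallest single CIDR block that contains every address in `addrs`."""
    if not addrs:
        raise ValueError("no addresses to cover")
    lo, hi = int(min(addrs)), int(max(addrs))
    host_bits = (lo ^ hi).bit_length()  # bits that differ must be host bits
    return ipaddress.IPv4Network((lo, 32 - host_bits), strict=False)


def range_to_cidrs(first, last):
    """Convert a whois 'first - last' range into its CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


if __name__ == "__main__":
    seen = sources_for_agent(SAMPLE_LOG, "RedAlert.com")
    print("observed sources fit in:", covering_prefix(seen))
    print("whois allocation:", range_to_cidrs("65.194.51.0", "65.194.51.255"))
```

The observed sources fit in 65.194.51.128/26, which is narrower than the 65.194.51.0/24 allocation whois reports, so a prefix derived from one day's log alone would miss any probe sent from elsewhere in the allocated block.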