
Blocking IP Range for a Domain

@Shelton105

Posted in: #Firewall #IpAddress

I am getting lots of click bombs from xlhost.com.

Here is a list of IP addresses that I collected from access_log.



But manually blocking all the IP addresses is difficult. How can I block xlhost.com more efficiently? I thought of blocking the IP range of xlhost.com, but how can I determine the IP range of xlhost.com?

Result of whois xlhost.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to www.internic.net for detailed information.

Domain Name: XLHOST.COM
Registrar: NETWORK SOLUTIONS, LLC.
Sponsoring Registrar IANA ID: 2
Whois Server: whois.networksolutions.com
Referral URL: networksolutions.com
Name Server: DNS2.EE.NET
Name Server: DNS3.EE.NET
Status: clientTransferProhibited www.icann.org/epp#clientTransferProhibited
Updated Date: 05-jan-2016
Creation Date: 05-jan-2000
Expiration Date: 05-jan-2026

>>> Last update of whois database: Fri, 08 Apr 2016 06:40:17 GMT <<<



Domain Name: XLHOST.COM
Registry Domain ID: 16620358_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.networksolutions.com
Registrar URL: networksolutions.com
Updated Date: 2016-01-05T20:53:14Z
Creation Date: 2000-01-05T18:46:09Z
Registrar Registration Expiration Date: 2026-01-05T05:00:00Z
Registrar: NETWORK SOLUTIONS, LLC.
Registrar IANA ID: 2
Registrar Abuse Contact Email: abuse@web.com
Registrar Abuse Contact Phone: +1.8003337680
Reseller:
Domain Status: clientTransferProhibited www.icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: eNET Inc.
Registrant Organization: eNET Inc.
Registrant Street: 3000 E. Dublin Granville Road
Registrant City: Columbus
Registrant State/Province: OH
Registrant Postal Code: 43231
Registrant Country: US
Registrant Phone: +1.9999999999
Registrant Phone Ext:
Registrant Fax: +1.9999999999
Registrant Fax Ext:
Registrant Email: ski@EE.NET
Registry Admin ID:
Admin Name: Kharazi, Saeed
Admin Organization: eNET Inc.
Admin Street: 3000 East Dublin-Granville Road
Admin City: Columbus
Admin State/Province: OH
Admin Postal Code: 43231
Admin Country: US
Admin Phone: +1.6147945971
Admin Phone Ext:
Admin Fax: +1.6147949016
Admin Fax Ext:
Admin Email: ski@EE.NET
Registry Tech ID:
Tech Name: Kharazi, Saeed
Tech Organization: eNET Inc.
Tech Street: 3000 East Dublin-Granville Road
Tech City: Columbus
Tech State/Province: OH
Tech Postal Code: 43231
Tech Country: US
Tech Phone: +1.6147945971
Tech Phone Ext:
Tech Fax: +1.6147949016
Tech Fax Ext:
Tech Email: ski@EE.NET
Name Server: DNS2.EE.NET
Name Server: DNS3.EE.NET
DNSSEC: Unsigned
URL of the ICANN WHOIS Data Problem Reporting System: wdprs.internic.net/
>>> Last update of whois database: Fri, 08 Apr 2016 06:40:17 GMT <<<


10.02% popularity Vote Up Vote Down



2 Comments


@Berumen354

Additionally, XLHost is a U.S.-registered company with an abuse report email that sells dedicated servers. It is quite possible they are unaware that their services are being used for click bombing. Do go ahead and block the range, as it is unlikely a genuine website user will be accessing the site through a hosted dedicated server, but also try emailing the abuse email, which can be found at www.xlhost.com/contact/, and let them know that their servers are being used in a click bombing attack on your site. If they follow industry best practices, the click bombing should stop rather quickly when the servers are taken offline by the host.

10% popularity Vote Up Vote Down


 

@Cody1181609

Since XLHOST owns their own IP space, you can look up the IP blocks they own using the ARIN whois lookup. There could be other IP blocks not listed here that they are using (such as if they were utilizing IP space which they do not directly own and are just leasing from other providers), but it looks like they are all listed.

XLHOST Netblocks on ARIN site

To find this information I did the following:

From the command line I did a whois on one of the IPs you mentioned:

whois 209.51.205.58


which gave the following results (among other info)

NetRange: 209.51.192.0 - 209.51.223.255
CIDR: 209.51.192.0/19
NetName: ENETNAP
NetHandle: NET-209-51-192-0-1
Parent: NET209 (NET-209-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: eNET Inc. (ENET)
RegDate: 1997-05-07
Updated: 2008-07-10
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
Ref: whois.arin.net/rest/net/NET-209-51-192-0-1

From here I just went to the Ref link (you could look up the "NetName" on the ARIN site as well). From that page I clicked on "Organization" and then "Related Networks".



Once you have all the netblocks you could use iptables to block these addresses by blocking the subnets or IP ranges.

To block an entire subnet (both inbound and outbound), enter the following on the command line, where "1.1.1.0/24" is the subnet you want to block:

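# Drop packets arriving from the subnet.
iptables -A INPUT -s 1.1.1.0/24 -j DROP
# Drop packets sent to the subnet; the OUTPUT chain must match the destination (-d).
iptables -A OUTPUT -d 1.1.1.0/24 -j DROP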


To block a range of IPs within a subnet use the following:

iptables -I INPUT -m iprange --src-range 1.1.1.10-1.1.1.20 -j DROP
# Outbound packets are matched on their destination range.
iptables -I OUTPUT -m iprange --dst-range 1.1.1.10-1.1.1.20 -j DROP


Make sure to save your rules with service iptables save

10% popularity Vote Up Vote Down
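
The lookup-then-block workflow from the answer above, as an added example that is not part of the original post: it converts ARIN `NetRange` lines to CIDR blocks, separates the logged addresses those blocks already cover from the ones that still need their own whois lookup, and prints the inbound iptables rules. The netblock and 209.51.205.58 come from the page; the function names and the other sample addresses are constructed for this example.

```python
import ipaddress
import re

# NetRange/CIDR lines as printed by `whois 209.51.205.58` in the answer.
WHOIS_SAMPLE = """\
NetRange: 209.51.192.0 - 209.51.223.255
CIDR: 209.51.192.0/19
"""

# 209.51.205.58 is the address looked up in the answer. The other two are
# constructed: one inside the same block, one (192.0.2.7, documentation
# range) that no known block covers.
LOGGED = ["209.51.205.58", "209.51.200.10", "192.0.2.7"]

NETRANGE_RE = re.compile(r"^NetRange:\s*(\S+)\s*-\s*(\S+)\s*$", re.M)


def netranges_to_cidrs(whois_text):
    """Turn every 'NetRange: a - b' line into a minimal list of CIDR blocks."""
    blocks = []
    for first, last in NETRANGE_RE.findall(whois_text):
        blocks.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    # Merge adjacent or overlapping blocks collected from several lookups.
    return list(ipaddress.collapse_addresses(blocks))


def split_by_coverage(addresses, blocks):
    """Return (covered, uncovered); uncovered IPs need their own whois."""
    covered, uncovered = [], []
    for text in addresses:
        ip = ipaddress.ip_address(text)
        (covered if any(ip in b for b in blocks) else uncovered).append(text)
    return covered, uncovered


def iptables_rules(blocks):
    """One inbound DROP rule per CIDR block, in the form the answer uses."""
    return [f"iptables -A INPUT -s {b} -j DROP" for b in blocks]


if __name__ == "__main__":
    blocks = netranges_to_cidrs(WHOIS_SAMPLE)
    covered, uncovered = split_by_coverage(LOGGED, blocks)
    print("\n".join(iptables_rules(blocks)))
    print("still need a whois lookup:", uncovered)
```

Feed it the concatenated whois output for every netblock listed under "Related Networks" and review the generated rules before applying them.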

