How to get listed on the Great Chinese Firewall?

My server is currently being "attacked" by a Chinese computer at 220.173.30.198, which resolves to - you guessed right - China Telecom:

netname:      CHINANET-GX
descr:        CHINANET guangxi province network
descr:        China Telecom
descr:        No.31,jingrong street
descr:        Beijing 100032

It simply tried to download (until I blocked it on IP protocol level) some of my open source packages multiple times per second, more than 100'000 times up to now. It's only from one single IP and therefore easy to block, and it generated only about 3 GB extra traffic so far, so it's not really a problem. Most likely a horribly badly written bot ...

Nevertheless: How to easily get onto the Great Chinese Firewall? What do you have to publish on your server? Would easily prevent both spam and such annoyance... ;)

Why exactly these files?

I already observed something like this maybe a year ago, but expected a download manager then, that was in some way incompatible with the way CommunityServer handles downloads (other than when I'd simply put them directly into an IIS folder).

What caught my eye was the HTTP Range attribute (is this correct HTTP with the trailing dash?), and the (clearly faked) User-Agent of course. And why does it disallow caches?

GET /cs/files/folders/670/download.aspx HTTP/1.1
...

User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Range: bytes=148681-
Pragma: no-cache
Cache-Control: no-cache
Connection: close

Does CommunityServer maybe have a problem with ranges and download resumes? Is this just a badly written spider/grabber that just hangs there because of some incompatibility? Well, I guess not ...
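On the Range question: a byte range with a trailing dash is valid HTTP and means "from this offset to the end of the file", which is what a resuming download sends. The sketch below is an added example, not code from the original post or from CommunityServer; it resolves such headers against a file size and counts identical repeated requests per client. The file sizes, the threshold and the second client address are constructed.

```python
import re
from collections import Counter

_SPEC = re.compile(r"^(\d*)-(\d*)$")

def resolve_range(header, size):
    """Return inclusive (first, last) byte spans for a Range header applied to
    a file of `size` bytes, or None if malformed or unsatisfiable."""
    unit, sep, specs = header.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return None
    spans = []
    for spec in specs.split(","):
        m = _SPEC.match(spec.strip())
        if not m or m.group(1) == m.group(2) == "":
            return None                      # "bytes=-" or garbage
        first, last = m.groups()
        if first == "":                      # suffix form "-N": the last N bytes
            start, end = max(size - int(last), 0), size - 1
        else:
            start = int(first)
            if last != "" and int(last) < start:
                return None                  # last position before first is invalid
            # Trailing dash ("N-") means "from N to the end of the file".
            end = size - 1 if last == "" else min(int(last), size - 1)
        if start <= end:                     # drop spans that start past the end
            spans.append((start, end))
    return spans or None

def repeat_offenders(requests, threshold):
    """Map each (client_ip, path, range_header) seen >= threshold times to its count."""
    counts = Counter(requests)
    return {key: n for key, n in counts.items() if n >= threshold}

# Constructed sample. The first client, the path and the range are the ones
# quoted in the post; the second client (192.0.2.10) is made up.
PATH = "/cs/files/folders/670/download.aspx"
SAMPLE = [("220.173.30.198", PATH, "bytes=148681-")] * 5 + [("192.0.2.10", PATH, "bytes=0-")]

if __name__ == "__main__":
    print(resolve_range("bytes=148681-", 200000))   # assumed file size
    print(repeat_offenders(SAMPLE, threshold=3))
```

If the file is shorter than the requested offset, the range is unsatisfiable and a client that does not handle that response may simply retry the same request.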

Comments

# Christoph Rüegg said:

This bloke is still trying to connect every few seconds, even though he didn't receive any response for his continuing TCP SYN packets for more than 10 hours ... badly written indeed.

Thursday, March 8, 2007 10:13