[amres-info] FW: (AS-1104) CREATED: denied access for ip addresses 147.91.1.41 - 147.91.1.45

Dusan Pajin dpajin at rcub.bg.ac.rs
Mon May 16 16:49:36 CEST 2011


Dear colleagues,

Over the course of today, complaints came in from several AMRES institutions that the site www.ncbi.nlm.nih.gov, which is used by many AMRES researchers and users, cannot be reached.
Access to the site has been blocked by the site's administrators for the address range of our proxy servers, 147.91.1.41 - 147.91.1.45. The reason for the block is an attack carried out through our proxy servers, about which you will find more information in the e-mails below. An AMRES user was harvesting information with some kind of script, which put the site's own systems at risk, landed AMRES on a blacklist and cut off access for all other users.

We will try to find a way to block the malicious user, as well as any future attacks of this kind, and to assure the site's administrators that such behaviour will not recur, so that our access can be restored.

Please pass this information on to your users and warn them that any abuse of the network or its resources, and any attacks on other AMRES users or on any other Internet users, can be detected easily and quickly and will be sanctioned. The greatest harm of such actions is that they can affect all AMRES users, as in today's case.

Kind regards,
Dušan Pajin
RCUB



Dušan Pajin, M.Sc.E.E. CCNP
Network engineer

Belgrade University Computer Center
Kumanovska b.b. 11000 Beograd
Serbia
Tel:                  +381-11-3031258
Fax:                  +381-11-3031259
Email:                dpajin at rcub.bg.ac.rs
Internet:             http://www.amres.ac.rs

-----Original Message-----
From: Mcginnis, Scott (NIH/NLM/NCBI) [E] [mailto:mcginnis at ncbi.nlm.nih.gov] 
Sent: Monday, May 16, 2011 3:06 PM
To: dpajin at rcub.bg.ac.rs
Cc: mreza at rcub.bg.ac.rs
Subject: FW: (AS-1104) CREATED: denied access for ip addresses 147.91.1.41 - 147.91.1.45

Dear Colleague:

The "Access Denied" error message is not meant to imply any maliciousness
on your part. In fact, because of the very nature of computer networks, the
IP address we blocked may affect a number of users at your location. It is
possible that someone naively, and perhaps with good intentions, accessed our
web sites at extremely high rates. Because we see one IP address, blocking
this will cause large numbers of individuals to be affected.

The subnet 147.91.1.xxx was blocked because of an excessive rate of access
to the NCBI Entrez servers (www.ncbi.nlm.nih.gov). Entrez is a public
service and we need to make it available to a large number of different
users. Single sites with very high rates of access can impact and cause
degradation of our performance. This site made over 1 million requests at a
rate at or exceeding one per second. When the activity was blocked on one IP
address the activity moved to another, and thus we blocked the whole subnet.
The user agent in all cases was java/1.6.0_12 and the requested URLs were a
hack of an internal cgi.


It's obviously unfair for any single site to monopolize the resource. We
blocked access from this site to the NCBI services because this type
of high rate of access can represent the running of scripts which, when
prolonged, can result in a "Denial of Service" situation.

If you have no personal knowledge of any scripts being run, the fastest
way to have your access restored is to bring this to the attention of
your local system administrators. We have included an example of this
activity below, which can be used to search your local logs and ensure
the script is terminated. Once this has been verified we will restore
access.

We apologize for any inconvenience but this type of scripting prevents us
from providing adequate service to all the users of the system.

Sincerely,

Scott McGinnis, M.S.
National Center for Biotechnology Information
National Institutes of Health
US Department of Health and Human Services
http://www.ncbi.nlm.nih.gov

[web log extract below]

147.91.1.41 - - [12/May/2011:23:39:14 -0400] "www.ncbi.nlm.nih.gov" "GET /sviewer/viewer.fcgi?tool=portal&db=nuccore&val=183983653&dopt=fasta&sendto=on& HTTP/1.1" 200 582 0 "-" "Java/1.6.0_12" "147.91.1.41" -pct
147.91.1.41 - - [12/May/2011:23:39:15 -0400] "www.ncbi.nlm.nih.gov" "GET /sviewer/viewer.fcgi?tool=portal&db=nuccore&val=183983713&dopt=fasta&sendto=on& HTTP/1.1" 200 181 0 "-" "Java/1.6.0_12" "147.91.1.41" -pct
147.91.1.41 - - [12/May/2011:23:39:15 -0400] "www.ncbi.nlm.nih.gov" "GET /sviewer/viewer.fcgi?tool=portal&db=nuccore&val=183983746&dopt=fasta&sendto=on& HTTP/1.1" 200 182 0 "-" "Java/1.6.0_12" "147.91.1.41" -pct
147.91.1.41 - - [12/May/2011:23:39:16 -0400] "www.ncbi.nlm.nih.gov" "GET /sviewer/viewer.fcgi?tool=portal&db=nuccore&val=183983752&dopt=fasta&sendto=on& HTTP/1.1" 200 995 0 "-" "Java/1.6.0_12" "147.91.1.41" -pct
147.91.1.41 - - [12/May/2011:23:39:17 -0400] "www.ncbi.nlm.nih.gov" "GET /sviewer/viewer.fcgi?tool=portal&db=nuccore&val=183984068&dopt=fasta&sendto=on& HTTP/1.1" 200 376 0 "-" "Java/1.6.0_12" "147.91.1.41" -pct
147.91.1.41 - - [12/May/2011:23:39:18 -0400] "www.ncbi.nlm.nih.gov" "GET /sviewer/viewer.fcgi?tool=portal&db=nuccore&val=183984070&dopt=fasta&sendto=on& HTTP/1.1" 200 175 0 "-" "Java/1.6.0_12" "147.91.1.41" -pct
147.91.1.41 - - [12/May/2011:23:39:19 -0400] "www.ncbi.nlm.nih.gov" "GET /sviewer/viewer.fcgi?tool=portal&db=nuccore&val=183984442&dopt=fasta&sendto=on& HTTP/1.1" 200 310 0 "-" "Java/1.6.0_12" "147.91.1.41" -pct
147.91.1.41 - - [12/May/2011:23:39:20 -0400] "www.ncbi.nlm.nih.gov" "GET /sviewer/viewer.fcgi?tool=portal&db=nuccore&val=183984451&dopt=fasta&sendto=on& HTTP/1.1" 200 618 0 "-" "Java/1.6.0_12" "147.91.1.41" -pct
147.91.1.41 - - [12/May/2011:23:39:20 -0400] "www.ncbi.nlm.nih.gov" "GET /sviewer/viewer.fcgi?tool=portal&db=nuccore&val=183984481&dopt=fasta&sendto=on& HTTP/1.1" 200 317 0 "-" "Java/1.6.0_12" "147.91.1.41" -pct
147.91.1.41 - - [12/May/2011:23:39:21 -0400] "www.ncbi.nlm.nih.gov" "GET /sviewer/viewer.fcgi?tool=portal&db=nuccore&val=183984792&dopt=fasta&sendto=on& HTTP/1.1" 200 627 0 "-" "Java/1.6.0_12" "147.91.1.41" -pct
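The NCBI message asks the local administrators to use the extract above to search their own logs for the script. The following is an added example, not part of the e-mail thread and not NCBI's or AMRES's code, of how a site operator or log analyst could do that search: it parses lines in the layout of the quoted extract, groups requests by client address and user agent (so one scripted client is separated from the browser users behind the same proxy), and flags any group whose request count inside a sliding window reaches a threshold. The regex is derived from the visible fields and is an assumption about the format; the window and threshold values, and all sample lines, are constructed for the example and are not taken from the real incident.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Field layout of the access-log extract quoted in the message (assumed from
# the visible lines, not a published specification):
#   client_ip ident user [timestamp] "vhost" "METHOD path proto" status bytes
#   elapsed "referer" "user-agent" "x-forwarded-for" -pct
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<host>[^"]*)" '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) '
    r'(?P<bytes>\d+) (?P<elapsed>\d+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict of parsed fields, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["time"] = datetime.strptime(rec["ts"], TS_FORMAT)
    except ValueError:
        return None
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def peak_requests_in_window(times, window):
    """Largest number of requests that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:  # slide the left edge forward
            start += 1
        best = max(best, end - start + 1)
    return best


def find_high_rate_clients(lines, window=timedelta(seconds=10), threshold=10):
    """Group requests by (client ip, user agent) and flag every group whose
    peak request count inside `window` reaches `threshold`."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            groups[(rec["ip"], rec["ua"])].append(rec)
    flagged = []
    for (ip, ua), recs in groups.items():
        peak = peak_requests_in_window([r["time"] for r in recs], window)
        if peak < threshold:
            continue
        scripts = Counter(urlsplit(r["path"]).path for r in recs)
        flagged.append({
            "ip": ip,
            "user_agent": ua,
            "requests": len(recs),
            "peak_in_window": peak,
            # Many distinct URLs at a high rate points to enumeration of
            # records rather than a person reloading one page.
            "distinct_paths": len({r["path"] for r in recs}),
            "top_script": scripts.most_common(1)[0][0],
        })
    flagged.sort(key=lambda f: f["peak_in_window"], reverse=True)
    return flagged


def _make_line(ip, ts, path, status, nbytes, ua):
    # Builds one constructed log line in the layout parsed by LOG_RE.
    return (f'{ip} - - [{ts}] "www.ncbi.nlm.nih.gov" "GET {path} HTTP/1.1" '
            f'{status} {nbytes} 0 "-" "{ua}" "{ip}" -pct')


# Constructed sample: a Java client fetching a new record id twice per
# second, plus two ordinary browser requests from another address.
SAMPLE_LINES = [
    _make_line("147.91.1.41", f"12/May/2011:23:39:{14 + i // 2:02d} -0400",
               f"/sviewer/viewer.fcgi?tool=portal&db=nuccore&val={100000000 + i}"
               "&dopt=fasta&sendto=on&", 200, 300 + i, "Java/1.6.0_12")
    for i in range(12)
] + [
    _make_line("10.0.0.7", "12/May/2011:23:39:15 -0400", "/pubmed/", 200, 18230,
               "Mozilla/5.0 (constructed)"),
    _make_line("10.0.0.7", "12/May/2011:23:40:02 -0400", "/pubmed/12345", 200, 9100,
               "Mozilla/5.0 (constructed)"),
]

if __name__ == "__main__":
    for f in find_high_rate_clients(SAMPLE_LINES):
        print(f"{f['ip']} {f['user_agent']!r}: {f['requests']} requests, "
              f"peak {f['peak_in_window']} in window, "
              f"{f['distinct_paths']} distinct URLs, script {f['top_script']}")
```

Grouping on user agent as well as address matters for exactly the situation described in the thread: the addresses belong to shared proxies, so an address-only count would mix the script in with legitimate users. On the AMRES side the same window logic would be applied to the proxy's own access logs, whose format differs from the extract and would need its own parser.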






>
>
>
>From: Dusan Pajin [mailto:dpajin at rcub.bg.ac.rs]
>Sent: Monday, May 16, 2011 6:24 AM
>To: NLM/NCBI Info
>Cc: mreza at rcub.bg.ac.rs; 'Ivica Barisic'
>Subject: Denied access for IP addresses 147.91.1.41 - 147.91.1.45
>Dear Madam or Sir,
>I am writing to you on behalf of the Serbian Academic Network AMRES. Our
>users have reported a problem with access to the website:
>http://www.ncbi.nlm.nih.gov
>Access is blocked because of "possible misuse" from our IP addresses
>147.91.1.41 - 147.91.1.45.
>These addresses are our Cisco Ironport Proxy servers, and now all our
>users are unable to access your resources.
>If there is some kind of misuse or attack from our proxies, please
>forward to us any kind of logs so we can block the malicious users.
>Maybe you have experienced an increased number of connections because a lot
>of users are accessing your website from these addresses.
>Thank you in advance!
>Kind regards
>Dusan Pajin
>AMRES
>
>
>
>Dušan Pajin, M.Sc.E.E. CCNP
>Network engineer
>Belgrade University Computer Center
>Kumanovska b.b. 11000 Beograd
>Serbia
>Tel:                   +381-11-3031258
>Fax:                  +381-11-3031259
>Email:               dpajin at rcub.bg.ac.rs
>Internet:            http://www.amres.ac.rs



More information about the amres-info mailing list