Bogus AWS/cloudfront servers causing DoS

Grumpus
Posts: 13246
Joined: October 19th, 2007, 4:23 am
Location: ... Da' Swamp


Post by Grumpus »

99.84.178.95 and 99.84.178.71 are just two of a number of recent server IPs, either Google, AWS or AWS using Cloudfront servers which are causing delays or denial of service/access to web pages. With people using different methods to block advertising it seems the advertisers or the various cloud services who host the advertisers are doing whatever they can to force users into compliance or to plant either cookies or some kind of a tag.
If the tag or cookies don't get set the site does not open or fully open, in spite of the site's non-participation with the advertisers.
There also appears to be a lot of use of older 80 port IPs, defunct sites, which are being used as cover for any number of suspect conditions (tags, fingerprinting, scraping).
With the clouds set up to hide the actual ID of the advertisers or users, ID shown as the cloud service and not the actual user/advertiser, it leaves little to do other than block the entire server. Depending on whether the cloud service rotates the advertisers this can cause issues with normally benign, non-invasive use and access.
There is some attitude most of the hidden sites behind the cloud are benign and need no ID but it seems Pollyanna-like to make that assumption.
Just my opinion but the cloud services need to be more forthcoming and held more accountable to these abuses, whether by their own actions or the actions of their subscribers/accounts.

EXAMPLE - when opening a thread in the 'zine you should normally see the servers for Stanford.
For most of the session there should be little or no other servers showing or attempting to load or access a system.
At the same time, when these server IPs show up, the load of the site is hindered and clearing of the cache, history, etc. is necessary to have the page fully load, though the source of the page with gstatic and google are unblocked.
Doesn't matter what you say, it's wrong for a toaster to walk around the house and talk to you

Re: Bogus AWS/cloudfront servers causing DoS

Post by Grumpus »

Add this IP to the list of fraudulent IPs not dealt with by Amazon because they're not competent.
44.238.3.246 (ec2-44-238-3-246.us-west-2.compute.amazonaws.com) 21 spam hosts. The 44.238.x.x range just started not long ago.
The problem is this may not be the definitive information as the same lousy location in the middle of "Lake Chaney" Northwest of Wichita Kansas as any number of other similar Amazon aws locations.
This one is particularly egregious as it bypasses software firewalls, some ad blockers and uses 443 port.

Also watch out for new IPs in the 150.222.x.x range as these are also Amazon but not configured yet. Appear to be foreign.
LIMPET235
Moderator
Posts: 39952
Joined: October 19th, 2007, 1:53 am
Location: The South Coast of N.S.W. Oz.

Re: Bogus AWS/cloudfront servers causing DoS

Post by LIMPET235 »

Hi elGrumpo,

You may want to take a look/listen to Steve Gibson's latest vodcast/podcast.
His site is here...
> https://www.grc.com/securitynow.htm
Episode #808 | 02 Mar 2021 | 109 min.
The interesting story re: "CNAME Collusion" starts at about 1 hour 20 mins in.

Might explain things a little more.


If you want to watch the video, then go to Leo's TWiT site & D/L the YouTube file.
Options are at the bottom.
TWiT, Security Now #808 > https://twit.tv/shows/security-now/epis ... tart=false

Stay safe.
[Ancient Amateur Astronomer.]
Win-10-H/64 bit/500G SSD/16 Gig Ram/450Watt PSU/350WattUPS/Firefox-115.0.2/T-bird-115.3.2./SnagIt-v10.0.1/MWP-7.12.125.

(Always choose the "Custom" Install.)

Re: Bogus AWS/cloudfront servers causing DoS

Post by Grumpus »

Thanks for that. Bookmarked.
Just found an unauthorized install of NTP (all of which had been meticulously removed) and 123 port closed . . . seeming to function, which was making calls to canonical time servers, BUT . . . it was some form of intrusion attempt having nothing to do with network time near as I can tell.
Also Edgecast located in Virginia can't seem to get the message to go away, this is on old MCI dba Verizon (various suffixes) IPs.
Some of this has been diminished by blocking the IPs but the main indicator is the manner in which I connect which turns red instead of green or blue for the overload.
Also finding IPs in the kernel logs which belong to the 35.x.x.x and 72.x.x.x having no business hiding from the real time IP monitor.
On shutdown, logs are searched for issues and adjusted prior to a reconnect.
Most egregious was before opening Firefox having IPs in the 52.x.x.x and 54.x.x.x assist the 150.x.x.x in a redirect to Digital Ocean.
Some of this connected to a weasel who lives at 20455 Old Grey Place, Ashburn, VA 20147 (either renting as house is for sale or owns house and is selling)
But again maybe bogus Lon & Lat. Flyover indicates hidden from helicopters.

Re: Bogus AWS/cloudfront servers causing DoS

Post by Grumpus »

Broken out to another thread