HRWiki talk:ProxyBlocks

From Homestar Runner Wiki

Revision as of 17:10, 19 November 2005 by Heimstern Läufer (Talk | contribs)

FAQ

  • You may get an error on the Whois page if you try to do too many in one day. You do earn a trophy full of Steak-umms for doing such hard work, though.
  • You may find two or more IPs that fall in the same range. Just put in the data like normal, and we'll cull out the duplicates later.
  • Some of the Whois pages contain more info than others. Look for inetnum or NetRange or something similar.
  • Some of the Whois pages already have listed the netmask. Look for CIDR.
    • These two instances are generally only found on the longer pages. Most pages, however, only supply the low and the high, and are therefore very short in length.
  • If you get stuck, perhaps someone on the IRC channel is around to help.

Proxy Listing

Hi Dot com, I have a question: I was doing the very first node and the netmask returned:

netmask 12.173.164.0-12.173.164.255
12.173.164.0/255.255.255.0	12.173.164.0/0.0.0.255	12.173.164.0/ 24

I had to double check, but I indeed typed in the correct range. When following the example, the IP range without the netmask makes no sense. With the netmask it makes a little bit more sense but it still makes no sense. So... a) is this correct? b) do you guys need the netmask? c) if this affects other wikis are there other groups doing the same thing? Are they "inter-collaborating"? --Stux 03:58, 16 November 2005 (UTC)

What doesn't make sense about it? Looks fine to me. The netmask is unnecessary, as it's implied by the /24. --Jay (Talk) 04:00, 16 November 2005 (UTC)
Maybe my terminology was incorrect, but the part we need is 12.173.164.0/ 24, with the slash and the two-digit number. — It's dot com 04:04, 16 November 2005 (UTC)
Edit Conflict Yeah but the range is from 12.173.164.0-12.173.164.0 implying one IP address? I am not too familiar with the last two notations: 12.173.164.0/0.0.0.255 and 12.173.164.0/ 24 and I wanna make sure I'm not missing anything. --Stux 04:05, 16 November 2005 (UTC)
I'm not totally sure what the first two numbers and masks mean, but what we're looking for is the last one, the one bolded above. — It's dot com 04:07, 16 November 2005 (UTC)
The mask is supposed to be a logical AND of the binary representation of the numbers, the first will return only the first 3 numbers, and the second only the 4th number. --Stux 04:09, 16 November 2005 (UTC)
Edit Conflict See Lapper seems to be getting different numbers: 12.173.164.0 || 12.173.164.255 is what he's (what seems to me correctly) reporting. --Stux 04:08, 16 November 2005 (UTC)
Also edit conflict'd The mask stuff (255.255.255.0, etc.) isn't important here. The actual range is the part where it says "12.173.164.0-12.173.164.255". What the /24 terminology means is that 24 bits remain the same in all addresses in the range. Each part of an IP address has eight bits, so this means that the first three parts will be the same for all addresses. The last eight bits (the entire fourth part) can be anything - but no part in an IP address can be larger than 255 (the largest number possible with eight bits.) If it was, say, /25 (and the fourth part was still zero) then only 7 bits could change, so the range would be 12.173.164.0-12.173.164.127, for instance. (This makes a lot more sense if you've taken several years of computer science, lemme tell ya.) --Jay (Talk) 04:11, 16 November 2005 (UTC)
Makes perfect sense, but again if you notice, the netmask calculator isn't giving me a 0-255 range it's giving me a 0-0 range. That's what I want to clarify. --Stux 04:14, 16 November 2005 (UTC)
What? It sure looks like it did from what you posted above. First line: "netmask 12.173.164.0-12.173.164.255" --Jay (Talk) 04:20, 16 November 2005 (UTC)
No no, "netmask 12.173.164.0-12.173.164.255" was the input shown on the top of the page, the output produced was the line just below it. With the 0-0 range. --Stux 04:24, 16 November 2005 (UTC)
Must be a different site. Anyway, the other terminology has a meaning, but it's not really all that important here (the 255.255.255.0 represents the bits that remain constant, and the 0.0.0.255 represents the variable bits.) --Jay (Talk)
No actually I got it from the same site that was provided in the link, it does that for all class C 0-255 thingies. --Stux 04:35, 16 November 2005 (UTC)

Different format

Hey what about these... which number do you want? I am assuming that the range you want is 61.197.218.176 - 61.197.218.183.--Stux 04:12, 16 November 2005 (UTC)

Yes, that's right. — It's dot com 04:14, 16 November 2005 (UTC)
Cool thanks! --Stux 04:16, 16 November 2005 (UTC)
And, BTW, the proper notation for the range would be 61.197.218.176/29, if I did my math correctly (I seem to have misplaced my calculator...) --Jay (Talk) 04:18, 16 November 2005 (UTC)
That's what I got! BTW thank you for the explanation above, it made things a lot clearer Jay. --Stux 04:20, 16 November 2005 (UTC)

What about this one? It has a 24-bit range at the top (62.2.202.0 - 62.2.202.255) and lists 62.2.0.0/16 way at the bottom and nothing more. --Stux 04:23, 16 November 2005 (UTC)

The first part (62.2.202.0/24) is the one we need, I think. It's a subdomain of 62.2.0.0/16, but I don't think we need to block the parent domain. --Jay (Talk) 04:24, 16 November 2005 (UTC)

Noted! Sorry I keep pestering you like a little child... this one only seems to list its parent domain 61.232.0.0-61.237.255.255. --Stux 04:27, 16 November 2005 (UTC)

Not all domains are broken up - I think the #1 problem there is that we can't block entire domains with fewer than 16 constant bits in one go IIRC (that is, we can't block 61.232.0.0/13, but we could block each of the 16-bit domains individually... there would only be a few of them. Also, the second one looks like it should be 61.239.255.255, but that's not your fault.) --Jay (Talk) 04:30, 16 November 2005 (UTC)
And we probably won't be blocking anything bigger than /24 (by that I mean not /23 or below). But this is a good starting point. — It's dot com 04:37, 16 November 2005 (UTC)
Edit Conflict So you mean to say that the entry http://whois.sc/61.233.144.118 should have been http://whois.sc/61.239.144.118? --Stux 04:38, 16 November 2005 (UTC)
No, I mean the range should have been 61.232.0.0-61.239.255.255. But, yes, the Whois website is giving the 237 number. Maybe the company got two domains and/or the person who added them made a typo or was too lazy to put both domains separately? I dunno. --Jay (Talk) 04:43, 16 November 2005 (UTC)
Oh I see. So what should I put for the range? I got from that same site, when typing netmask 61.232.0.0-61.239.255.255 as input: 61.232.0.0/255.248.0.0 61.232.0.0/0.7.255.255 61.232.0.0/ 13 which is a pretty big range. (If I'm reading this correctly). --Stux 04:48, 16 November 2005 (UTC)
Just put the /13, and I guess it will all be sorted out later. --Jay (Talk) 04:50, 16 November 2005 (UTC)
Ok, sounds good -- again thanks! --Stux 04:51, 16 November 2005 (UTC)

What about this one? It turns up three ranges. Want me to just use the one that matches the physical location it reports at the top (Tanzania) or go with the one at the bottom? — User:ACupOfCoffee@ 16:18, 16 November 2005 (UTC)
Or this one? — User:ACupOfCoffee@ 16:36, 16 November 2005 (UTC)

I'd go with the one that gives the smallest result, 63.109.249.88 - 63.109.249.95 — It's dot com 16:39, 16 November 2005 (UTC)

Alternate Whois Sources

I just got the following message from whois.sc:

To see the Whois Record for '''62.150.25.108''' you will need to sign-up for a free account.
We restrict how many whois records we give out to anonymous users per day. Sorry for the
precaution but we need to limit wandering robots for the protection of everyone. 

All other subsequent requests were the same. Are there other sites with similar services? Will a UNIX whois command provide the same services? Thanks in advance. --Stux 05:00, 16 November 2005 (UTC)

Oh perfect. — It's dot com
There's http://ws.arin.net/ but I don't think you can use that for decent info on addresses outside North America (can't hurt, though. In fact, I'd like to check some of the weirder addresses we've been getting against it.) --Jay (Talk) 05:03, 16 November 2005 (UTC)
I'm not getting an error. Perhaps it is just for specific anonymous IPs. — It's dot com 05:03, 16 November 2005 (UTC)
Oh, free account ... well if you're brave enough you can register (I went through about 3 sets before I got the message). I'll try ws.arin.net first. --Stux 05:05, 16 November 2005 (UTC)
But be forewarned: if the address isn't North American, you'll get a giant domain instead (for instance, I was double-checking the unusual domain of 221.212.177.97 and it gave me the totally-not-useful 221.0.0.0/8.) --Jay (Talk) 05:07, 16 November 2005 (UTC)
Same here, for the IP 62.142.224.55, I originally got 62.142.0.0/16 from whois (before it closed me down), and the ever so (not) useful 62.0.0.0/8 from arin. Most of these IPs are foreign (which would make sense for the attacker to use), so I think it'll be of little use in this data set. --Stux 05:10, 16 November 2005 (UTC)
Come to think of it, ARIN does (at least some of the time) link you over to the other superdomains' sites, like APNIC. (http://www.apnic.net) Check to see if such a link is given. --Jay (Talk) 05:12, 16 November 2005 (UTC)
APNIC's searches are still too general. For 62.150.25.108, I got 62.0.0.0 - 62.255.255.255 vs. 62.150.0.0/16 from whois.sc. I ended up registering in the end with a "spammable" email addy. That last IP is from Kuwait... who would'a thunk it? --Stux 05:17, 16 November 2005 (UTC)
APNIC probably wouldn't have applied to a Kuwaiti address, that was just an example. --Jay (Talk) 05:20, 16 November 2005 (UTC)
Specifically, that address was a RIPE address. --Jay (Talk) 05:21, 16 November 2005 (UTC)

IP's resulting in multiple ranges

Hi, given that I've been the one that's started every question in this page, how about I keep up with tradition? Ok, my question is regarding IP's that report more than one range for a given IP. For example, running this one through the mask calculator generates:

62.75.146.0/255.255.254.0	62.75.146.0/0.0.1.255	62.75.146.0/ 23
62.75.148.0/255.255.252.0	62.75.148.0/0.0.3.255	62.75.148.0/ 22
62.75.152.0/255.255.255.0	62.75.152.0/0.0.0.255	62.75.152.0/ 24

At first this was confusing, because of the 0-0 range problem I reported above. All other IP's I'd seen reported only two ranges, this one reported three. I'm pretty sure now that I reported my original ranges wrong, in this one I reported them instead as:

Lower Limit: 62.75.146.0, 62.75.148.0, 62.75.152.0 	
Upper Limit: 62.75.146.255, 62.75.148.255, 62.75.152.255 	 
IP Range: 62.75.146.0/ 23,62.75.148.0/ 22,62.75.152.0/ 24

I want to make sure I reported this correctly. (Or if you wanted the shorter version that would report 62.75.146.0 and 62.75.152.255 as the lower and upper limit respectively.) --Stux 05:54, 16 November 2005 (UTC)

Yeah, I actually already tweaked that one. See section 8. We just need the lower and upper limit once, and then all three ranges with the slashes. — It's dot com 05:56, 16 November 2005 (UTC)
Cool thanks! I'm getting the hang of this... I fixed section 7 accordingly. --Stux 06:02, 16 November 2005 (UTC)
Side question: is the upper limit for first entry in section 25? It was taken from the whois information rather than the netmask result. --Stux 06:03, 16 November 2005 (UTC)
Yes, it's right. — It's dot com 06:07, 16 November 2005 (UTC)
Man I have a lot of mistakes I have to go back and fix. --Stux 06:28, 16 November 2005 (UTC)

Early returns

Early returns are in, and this is shaping up well. Thank you to everyone who is participating in this. We've got a ways to go, but it shouldn't take too long with all the TLC it's getting. Tomorrow or the next day I'll be writing a script that can help confirm the data (it will be designed to make sure the original IP is within the reported lower and upper limit and it will match the netmask against the limits). Okay, I am out of here for today, but, um, but first up is an hour of chanting. — It's dot com 06:26, 16 November 2005 (UTC)
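A sketch of the confirmation check described in the post above, which also covers the FAQ case where a Whois page supplies only the low and the high address. This is an added example, not It's dot com's or phlip's script; the function names are hypothetical, the ranges are the ones quoted in this discussion, and 62.75.147.10 is a constructed address.

```python
import ipaddress

def range_to_cidrs(low, high):
    """CIDR blocks that cover exactly low..high (inclusive), in order."""
    first, last = ipaddress.IPv4Address(low), ipaddress.IPv4Address(high)
    if first > last:
        raise ValueError(f"lower limit {low} is above upper limit {high}")
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]

def check_entry(ip, low, high, reported):
    """Return the problems found in one table row; an empty list means consistent."""
    problems = []
    addr = ipaddress.IPv4Address(ip)
    if not ipaddress.IPv4Address(low) <= addr <= ipaddress.IPv4Address(high):
        problems.append(f"{ip} is outside {low}-{high}")
    # The netmask calculator prints "62.75.146.0/ 23"; drop the stray space.
    got = sorted(r.replace(" ", "") for r in reported)
    want = sorted(range_to_cidrs(low, high))
    if got != want:
        problems.append(f"reported {got}, limits imply {want}")
    return problems

# Rows: (original IP, lower limit, upper limit, reported ranges).
# The ranges are quoted in the discussion; 62.75.147.10 is constructed.
ROWS = [
    ("62.75.147.10", "62.75.146.0", "62.75.152.255",
     ["62.75.146.0/ 23", "62.75.148.0/ 22", "62.75.152.0/ 24"]),
    ("61.233.144.118", "61.232.0.0", "61.239.255.255", ["61.232.0.0/ 13"]),
    # Upper limit as the Whois page listed it: it does not match a single /13.
    ("61.233.144.118", "61.232.0.0", "61.237.255.255", ["61.232.0.0/ 13"]),
]

if __name__ == "__main__":
    for ip, low, high, reported in ROWS:
        issues = check_entry(ip, low, high, reported)
        print(ip, f"{low}-{high}", "OK" if not issues else issues)
```

A range that does not start and end on a power-of-two boundary comes back as several blocks, which is why one lower and upper limit can legitimately carry three slash entries.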

Most of them are done

...thanks to my 31173 scripting skills, but they need a bit of checking - I spotted a couple where the whois page returned several IP ranges in different places, some of which the IP searched for wasn't in at all... I fixed the ones I saw but I think there's still probably some left. And there's still a few holes where my script didn't recognise the ip range in the result... but hopefully I've sped it up for you guys. --phlip TC 11:49, 16 November 2005 (UTC)

If you're curious, I put the script here. --phlip TC 11:58, 16 November 2005 (UTC)
Actually, I might end up doing a lot of that again... try to get more reliable answers out of it... --phlip TC 12:09, 16 November 2005 (UTC)
OK, I reworked the script, it now asks me if there's two choices, so I know it's picking the right one. I've done page 3, and I'll do the others tomorrow (it's too late for me to do any more tonight). There's still a lot that need to be hand-done - most of that big hole in page 3 is ones where the whois page just gives the netmask, not the ip range, so the script doesn't pick it up. --phlip TC 17:54, 16 November 2005 (UTC)
Good jaerb, Phlip. See you tomorrow. — It's dot com
I did a heap more on page 4, but that's all I'm gonna have the chance to do for a while, I think... I have stuff to do for the next couple of days. --phlip TC 15:39, 17 November 2005 (UTC)

Proxys for dumbies

I am more than willing to help, but need a little bit more instruction. I read the FAQs, instructions, and this talk page. I went to the whois page for some of the links; I don't know what I'm looking for. In the meantime, I will look at some of the ones already done to see if I can backsolve to see what to do, but I want to be sure before I start. I R F 16:54, 16 November 2005 (UTC)

Nevermind, I think I got it I R F 17:45, 16 November 2005 (UTC)

Contacting the Proxy Managers

You know, going through this I noticed that many of these whois services have a "contact if abuse" email address, would there be any way to put these addresses to good use? Especially since the attacker isn't just targeting our wiki but multiple wikis concurrently. --Stux 21:38, 18 November 2005 (UTC)

Netmask calculator

I'm not able to get the netmask calculator to load right now; is anyone else having the same problem? Heimstern Läufer 05:34, 19 November 2005 (UTC)

I'm having the same problem. Hopefully it will clear up soon. — It's dot com 06:06, 19 November 2005 (UTC)
Not that it really matters since it's like oh ... 3:30am in the Eastern Seaboard... but the site's back up again. --Stux 08:26, 19 November 2005 (UTC)
Wow! Activity... I guess I was wrong! That was a really quick set you added there Heimstern! It's looking good! As for me, I'm turning in. Good night all! --Stux 08:45, 19 November 2005 (UTC)
Well, I had actually already discovered that it was back up about five minutes before you made your post. Also, because I live in California, it was only a bit past midnight here, so it wasn't all that late for me. Heimstern Läufer 17:10, 19 November 2005 (UTC)