
Possible Attack on our site...

17 years 9 months ago #21695 by toddwoo
Once a week our website is getting what looks like an attack from the outside. The access logs show 15+ hits a second for over an hour from 66.237.62.116 (XO Communications owned address.) I have emailed abuse@xo.net (the listed abuse email) but have not received a response. Anyone have any ideas what this is? An attack? Some sort of spider? Really Really REALLY Interested user?

If an attack, why only once a week? And why only for about an hour? If a spider, why so much so fast? We can't be the only ones who would feel the "pain".

Any ideas what to do? Sr Admin doesn't want to filter out the range... Any suggestions to limit hit velocity? Other solutions? Any help would be great!


access.log snippet
66.237.62.116 -- [26/Apr/2007:02:40:26 -0500] "GET /control/contactus HTTP/1.0" 200 25298 "-" "Mozilla/5.0/Gecko/20060808 Fedora/1.5.0.6-2.fc5 Firefox/1.5.0.6 (X11; U; Linux i686; en-US; rv:1.8.0.6)"
66.237.62.116 -- [26/Apr/2007:02:40:26 -0500] "GET /control/contactus HTTP/1.0" 200 25298 "-" "Mozilla/5.0/Gecko/20060808 Fedora/1.5.0.6-2.fc5 Firefox/1.5.0.6 (X11; U; Linux i686; en-US; rv:1.8.0.6)"
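
One way to measure the hit velocity described in this post directly from the access log, as an added example that is not part of the original thread: it counts requests per client per second and reports clients that reach the 15 hits a second mentioned above. The function names, the `min_seconds` cutoff and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Matches the access.log layout shown in the post: client IP, identity/user
# fields (logged there as "--", elsewhere as "- -"), timestamp, request line.
LINE_RE = re.compile(r'^(\S+) \S+(?: \S+)? \[([^\]]+)\] "(\S+) (\S+)')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def find_bursts(lines, min_rate=15, min_seconds=2):
    """Report clients with >= min_rate hits in a second, in >= min_seconds seconds."""
    per_second = defaultdict(Counter)   # ip -> {second: hits}
    paths = defaultdict(Counter)        # ip -> {path: hits}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                    # skip wrapped or malformed lines
        ip, stamp, _method, path = m.groups()
        try:
            second = datetime.strptime(stamp, TS_FORMAT)
        except ValueError:
            continue                    # unparseable timestamp
        per_second[ip][second] += 1
        paths[ip][path] += 1
    report = {}
    for ip, counts in per_second.items():
        hot = sorted(s for s, n in counts.items() if n >= min_rate)
        if len(hot) < min_seconds:
            continue                    # a single busy second is not a burst
        report[ip] = {
            "peak_per_second": max(counts.values()),
            "hot_seconds": len(hot),
            "span_seconds": int((hot[-1] - hot[0]).total_seconds()) + 1,
            "top_path": paths[ip].most_common(1)[0][0],
        }
    return report

def sample_lines():
    """Constructed sample: one client at 16 hits/s for 3 s, one normal visitor."""
    fmt = '%s -- [26/Apr/2007:02:40:%02d -0500] "GET %s HTTP/1.0" 200 25298 "-" "Mozilla/5.0"'
    noisy = [fmt % ("66.237.62.116", 26 + s, "/control/contactus")
             for s in range(3) for _ in range(16)]
    normal = [fmt % ("192.0.2.10", 26 + s, "/index.html") for s in range(3)]
    return noisy + normal

if __name__ == "__main__":
    for ip, info in find_bursts(sample_lines()).items():
        print(ip, info)
```

Run against a real log by passing an open file object as `lines`; the per-client peak, burst span and most-requested path give the evidence needed for an abuse report or a rate-limit decision.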
17 years 9 months ago #21696 by toddwoo
Found some info on this.. Looks like anyone at 66.237.62.0 is a "bad man" or working for "bad men". But I want more to go on than a few posts in a forum I'm not familiar with, and the odd reference from a Google search.

Anyone with any info please let me know... Aside from wanting to get this straightened out I need the knowledge going forward.. So any good sites to look at.. good news groups to read.. anything would be appreciated.

thanks.!

Todd
17 years 9 months ago #21708 by TheBishop
Don't have any further details on your mystery visitor, but anyone who batters my network gets filtered out pronto. After all, there's nothing I'd ever want to receive from such a person so where's my loss? However, if your boss doesn't want to filter the range you could always add a static route on your router redirecting traffic from that range to null or to a dead interface. You could stick this on and remove it as required. It won't keep it off your internet pipe but they might take the hint after a while. Alternatively you could get your ISP to drop the traffic at their end of the link.
17 years 9 months ago #21722 by Elohim
They are probably looking to see if you are running any webserver with security holes.

17 years 9 months ago #21723 by toddwoo
Thanks for the info...!!!

I think I'm going to convince the Sr. Admin to filter the whole shebang out.

Todd