[Misc] Strange happenings this morning / Banned IP addresses

[Bozza]

Something strange going on with NSC this morning.

Some people were struggling to get logged in so I took a quick look and it appears that NSC was possibly being attacked and as such all logins were being blocked.

I did some SQL jiggery pokery which resolved the logging in issue and, as a precaution, I blocked the single IP address that all the traffic was coming from.

My email is now getting flooded with people complaining they have been blocked from NSC due to their IP address. So, it seems, that everyone visiting NSC at the moment is presenting the same IP address which means...

1. If I block it, everyone is blocked.
2. If people fail their logins, it counts as fails for everyone, since everyone looks the same due to the IP address being presented. To the software this looks like an attacker trying multiple usernames and passwords to try to get in.

I've unblocked the IP address now, but people may still experience login issues. As I've made no changes, I can only assume that maybe the hosts have made a change somehow. I'll look into it later.

 

[Thunder Bolt]

I got that but also have had a phone call from Tom Hark Preston Park because he can't log in at all.

 

[Man of Harveys]

I thought it was something I'd said :0(

 

[8ace]

test

 

[Yoda]

I was worried we had a breech of security at work. I'm on an NHS pc.

 

[Bozza]

Yep - everyone is hitting NSC from exactly the same IP address for some reason. Bizarre.

 

[fat old seagull]

Me too, but thought 'damn I've finally been rumbled'! However all is now ok

Well apart from a rather unusual 'MI5 vacancy ad' blinking away at the bottom of the thread ?

 

[Gullflyinghigh]

Ah that would explain the Tapatalk weirdness this morning, for a horrifying moment I thought it no longer worked on NSC.

 

[severnside gull]

Ooh. To think I share an IP address with NSC's great and good. Cool.

 

[beorhthelm]

Yep - everyone is hitting NSC from exactly the same IP address for some reason. Bizarre.

reverse proxy? is the IP in your hosting company's IP range?

 

[StonehamPark]

I'm back in!

Woohoo!

Felt very lonely peering in from the outside.

 

[Bozza]

reverse proxy? is the IP in your hosting company's IP range?

I suspect it's something like that. I haven't been able to quickly find the owner of the IP address (day job) but I've raised a ticket with Rackspace - they tend to be quick.

 

[Tom Hark Preston Park]

Able to login now cheers [MENTION=6886]Bozza[/MENTION]

 

[ditchy]

Putin was on here,after chatting with Ed Snowden , just checking the thread about Syria and "clocking" all those who were against

 

[Titanic]

Yep - everyone is hitting NSC from exactly the same IP address for some reason. Bizarre.

So have the hosts implemented some sort of firewalling/natting/proxy? The IPaddr my browser is targeting for northstandchat.com is 98.129.229.50... this the address seems to route through loads of hops in the 'rackspace' world, the last of which are...

22 133 ms 133 ms 133 ms po1.corea-core10.core10.dfw3.rackspace.net [74.205.108.49]
23 137 ms 137 ms 136 ms core10-aggr170b-2.dfw3.rackspace.net [67.192.88.151]
24 136 ms 137 ms 136 ms 98.129.229.50

What is the address that client connections are appearing on... perhaps the subnet it belongs to will be a clue as to who is doing it??

 

[Thunder Bolt]

Love the tag line #bozzaout.

Own up, who did it?

 

[fat old seagull]

Love the tag line #bozzaout.

Own up, who did it?

Woz Entmee ?

 

[Foul Play Rocks]

I'm back in too. All is right in my little world again.

 

[halbpro]

So have the hosts implemented some sort of firewalling/natting/proxy? The IPaddr my browser is targeting for northstandchat.com is 98.129.229.50... this the address seems to route through loads of hops in the 'rackspace' world, the last of which are...

22 133 ms 133 ms 133 ms po1.corea-core10.core10.dfw3.rackspace.net [74.205.108.49]
23 137 ms 137 ms 136 ms core10-aggr170b-2.dfw3.rackspace.net [67.192.88.151]
24 136 ms 137 ms 136 ms 98.129.229.50

What is the address that client connections are appearing on... perhaps the subnet it belongs to will be a clue as to who is doing it??

Rackspace or something to do with Cloudflare is my guess without having more info. Think NSC still uses Cloudflare?

 

[¡Cereal Killer!]

Why does my Tapatalk say I am banned? It has said that for a few months at least now. I am still able to post though.