Strange Listeners

PROducer
Posts: 26
Joined: Thu Apr 26, 2018 9:46 pm

Strange Listeners

Post by PROducer »

Hello, I'm hoping someone can shed some light on some strange and persistent listeners to my stream. For the past couple of months I've been seeing listeners in Radio Toolbox listed with "**EMPTY**" as the User Agent. I didn't think too much about this at first, but the more I'd see it, the more I saw a pattern. They started to show up in pairs, from nearly the same IP address, and would be connected nearly the same amount of time.

Then I noticed when I logged into my stream provider, the locations would be different than Radio Toolbox was showing. RT would say they were in the U.S. (usually California or Texas) but my streaming server would say they were in Europe (either the U.K. or Finland). I set up a User Agent Ban list with the **EMPTY** agent, but after a holiday, I returned to find that didn't work, and two of these IPs were connected, and had been for over 10 days. Searching the IPs on Google doesn't seem to return any pertinent info on who they are. IPs ALWAYS start with either 34 or 35.

I'm currently trying to win a battle by banning their subnets when I find them connected, but that would be easier if I could ban any IPs beginning with 34 or 35. Currently looks like you can only put a range on the 4th IP number.

Anyway... wondering if anyone else is experiencing these strange connections (they would have to be a bot, or something worse I assume) and how you are dealing with this. Also taking suggestions on how to deal with this.

Thanks for your time & knowledge.
Mike
Jay
Will work for food (Administrator)
Posts: 3025
Joined: Mon Jan 14, 2002 12:48 am
Location: Next Door

Re: Strange Listeners

Post by Jay »

User Agents can be crafted to say anything, so keep that in mind when deciding to ban based on them. Unlike IPs, they are client-provided. Presuming Shoutcast, you are correct: Shoutcast servers limit subnet bans to class C. However, you could generate a list of all class C subnets in 34 and 35 and put it in your banlist file; not sure what that would do to performance.

Alternatively, you can selectively ban datacenter IPs, as these tend to be the source of bot connections. Be aware, though, that some datacenter IPs need to be whitelisted to work with some directory listing providers.

https://github.com/ejrv/VPNs

The above URL contains a list of all datacenter IPs; you can parse it down to see if you can find a matching subnet for your suspect.
- Jay
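
An added example (not part of the thread, and not Shoutcast's or the linked list's own code) of the lookup and class C expansion described in the post above, including the allowlist caveat. It assumes the datacenter list is plain text with one CIDR per line; the sample ranges, suspect IPs and allowlist entry are constructed, and the output is only the x.x.x.0 base address of each /24 to ban.

```python
import ipaddress

def parse_ranges(text):
    """Parse a CIDR-per-line list (assumed format); skip blanks, '#' comments, IPv6."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            net = ipaddress.ip_network(line, strict=False)
            if net.version == 4:
                nets.append(net)
    return nets

def to_class_c(net):
    """Return the /24 blocks covering net. A range smaller than /24 widens to its
    whole /24, which over-blocks; that is the cost of class C granularity."""
    if net.prefixlen > 24:
        return [net.supernet(new_prefix=24)]
    return list(net.subnets(new_prefix=24))

def match_suspects(suspects, ranges):
    """Map each suspect IP to the most specific listed range containing it, or None."""
    found = {}
    for s in suspects:
        ip = ipaddress.ip_address(s)
        hits = [n for n in ranges if ip in n]
        found[s] = max(hits, key=lambda n: n.prefixlen) if hits else None
    return found

def build_banlist(suspects, ranges, allow=()):
    """/24 base addresses to ban: every /24 of each matched range, the suspect's own
    /24 when no range matches, minus any /24 holding an allowlisted IP."""
    keep = {ipaddress.ip_network(f"{a}/24", strict=False) for a in allow}
    ban = set()
    for s, net in match_suspects(suspects, ranges).items():
        if net is None:
            net = ipaddress.ip_network(f"{s}/32")
        ban.update(to_class_c(net))
    return [str(n.network_address) for n in sorted(ban - keep)]

# Constructed sample data (documentation/benchmark ranges, not real listeners).
SAMPLE_LIST = """
# provider A (constructed)
198.18.0.0/22
192.0.2.16/28
"""
SUSPECTS = ["198.18.1.77", "192.0.2.20", "198.51.100.9"]
ALLOW = ["198.18.2.10"]  # hypothetical directory-listing crawler to keep reachable
```

Calling `to_class_c` on a whole /8 returns 65,536 blocks, so banning everything in 34 and 35 means 131,072 entries, which is the performance question raised in the post.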
PROducer
Posts: 26
Joined: Thu Apr 26, 2018 9:46 pm

Re: Strange Listeners

Post by PROducer »

Thanks for the info Jay. I checked the lists, and the IPs are not on them. The good news is that with only 25 subnet bans, I have either stopped them, or made them give up!
AMigo
Posts: 1
Joined: Mon Nov 01, 2021 4:08 am

Re: Strange Listeners

Post by AMigo »

I have blocked the same 34 and 35 ranges, they belong to GOOGLE and originate from Finland and the UK. IPs from these ranges try and log in every 30 minutes or so and when they leave another one logs in.

The ones I blacklisted are:

Anyone know more about this?