Does anyone have more info about this abusive group of IPs?

My website is being hit many times a day by a group of IPs, all from US data-centers.
From what I can tell they are not VPN providers.

I identified over 1000 IPs with the same behavior; it would help if others have more info about this, maybe you see any of them in your logs or so.
By their behavior and parameters, I am 100% sure they are from the same group/owner/etc.

I think they are part of a larger bot network that clicks on Google ads but I am not 100% sure.

AdSense and SEO rankings always go down when I am hit by these, I can compare them in Google Analytics.

Here is part of the latest ones, if anyone has some info it would be great.

I am sure Cloudflare staff can find them in their large network logs, but it is impossible to reach Cloudflare directly :frowning:

Hi,

You could use an online tool (such as bgp.he.net, there are many tools out there) to get information on each of these IP addresses. Several seem to belong to the ASN of hosting companies, a sure sign that the IPs are assigned to websites that were compromised by hackers. You can then Block or Challenge these AS Numbers with a Firewall Rule.

There are some tools that will convert a large group of IP addresses to their ASN, you might want to google “ip to asn online tool” or similar query. That might be helpful if you have a large list of IPs to check.

Yes, that makes sense but I did most of that, I can see they have some group of IPs in different data centers across the US, and I can block them, but I was curious to see if anyone has specific info about any of these, for example: “They are used by service X that does Z or Y”.

It might be a company selling http proxy servers (not VPN), they are all configured the same, but I don’t know why I don’t find other data in other people’s logs or complaints online. It looks like a private network of proxy servers, not used by others.

It doesn’t really fit the profile of normal bots I have seen before.

They all belong to the OVH network with ASN = 16276

cat cf-147621.txt | while read i; do curl -s https://ipinfo.io/org; done | uniq -c | sort -rn       
     73 AS16276 OVH SAS

I think you did something wrong with the test, this is what I see…
But if you double check and I am wrong, let me know, all showing USA as origin country:

195.38.1.124	Isomedia
192.154.215.24	Vivid Hosting
172.245.217.87	ColoCrossing
185.170.197.28	TerraTransit AG
38.127.124.101	Cogent Communications
38.130.161.143	Cogent Communications
209.242.196.176	LeapSwitch Networks Pvt
38.130.161.113	Cogent Communications
185.173.109.60	TerraTransit AG
2 Likes

lol yes i did forget to query the actual IP and queried my own IP haha

cat cf-147621.txt | while read i; do curl -s https://ipinfo.io/$i/org; done | sort |  uniq -c | sort -rn
      9 AS174 Cogent Communications
      6 AS42366 TerraTransit AG
      5 AS36352 ColoCrossing
      3 AS7489 HostUS
      3 AS63949 Linode, LLC
      3 AS54103 MOD Mission Critical
      3 AS46261 QuickPacket, LLC
      3 AS20150 anyNode
      3 AS18530 Isomedia, Inc.
      2 AS64200 Vivid Hosting
      2 AS396319 CLOUDVPN INC.
      2 AS21769 Colocation America Corporation
      2 AS19084 ColoUp
      2 AS15003 Nobis Technology Group, LLC
      2 AS13332 Hype Enterprises
      1 AS7979 Servers.com, Inc.
      1 AS63473 HostHatch, LLC
      1 AS62874 Web2Objects LLC
      1 AS58305 SYN LTD
      1 AS47869 Ellada Projects B.V. trading as Netrouting
      1 AS46562 Total Server Solutions L.L.C.
      1 AS40676 Psychz Networks
      1 AS397384 LaunchVPS, LLC
      1 AS397280 HostFlyte Server Solutions
      1 AS396190 Leaseweb USA, Inc.
      1 AS394474 WhiteLabelColo
      1 AS3842 RamNode LLC
      1 AS264850 TODAS LAS REDES SA
      1 AS263735 SOCIEDAD BUENA HOSTING, S.A.
      1 AS20473 Choopa, LLC
      1 AS204472 Amol Kotkar trading as A K Digital Media
      1 AS20278 Nexeon Technologies, Inc.
      1 AS20248 Take 2 Hosting, Inc.
      1 AS201341 Tesonet Ltd
      1 AS18779 EGIHosting
      1 AS17216 DC74 LLC
      1 AS15083 Infolink Global Corporation
      1 AS132335 LeapSwitch Networks Pvt Ltd
3 Likes
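
An added example, not part of any post in this thread: it takes per-ASN counts in the format printed above and builds the expression for the "Block or Challenge these AS Numbers" firewall rule suggested earlier. The function names, the hit threshold and the `ip.geoip.asnum` field (from Cloudflare's rule language) are assumptions not taken from the thread; the sample rows are copied from the output above, plus one constructed failed-lookup line.

```shell
#!/bin/sh
# Added example: convert `uniq -c` output of ipinfo.io org lookups into a
# Cloudflare rule expression matching the source ASNs.

# asn_rule MIN_HITS
#   stdin : lines such as "      9 AS174 Cogent Communications"
#   stdout: one expression, ASNs sorted numerically
#   Lines that are not "<count> AS<number> ..." (failed or rate-limited
#   lookups, blank lines) are skipped. Returns 1 if no ASN qualifies.
asn_rule() {
    min_hits="${1:-1}"
    asns=$(awk -v min="$min_hits" '
        $1 ~ /^[0-9]+$/ && $2 ~ /^AS[0-9]+$/ { hits[substr($2, 3)] += $1 }
        END { for (a in hits) if (hits[a] >= min) print a }
    ' | sort -n | tr '\n' ' ')
    asns=${asns% }                      # drop the trailing separator
    [ -n "$asns" ] || return 1
    printf '(ip.geoip.asnum in {%s})\n' "$asns"
}

# Sample input: rows from the thread's output; the last line is a
# constructed stand-in for a lookup that returned an error body.
sample_counts() {
cat <<'EOF'
      9 AS174 Cogent Communications
      6 AS42366 TerraTransit AG
      5 AS36352 ColoCrossing
      3 AS63949 Linode, LLC
      1 AS20473 Choopa, LLC
      4 {"error": "rate limit"}
EOF
}

# Only ASNs seen at least 3 times go into the rule.
sample_counts | asn_rule 3
```

A threshold keeps single-hit networks out of the rule; large hosting ASNs also carry legitimate traffic such as uptime monitors and API clients, so the Challenge action is the safer first choice over Block.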