Anyone has more info about this abusive group of IPs?

My website is being hit many times a day by a group of IPs, all from US data-centers.
From what I can tell they are not VPN providers.

I identified over 1000 IPs with same behavior, it would help if others have more info about this, maybe you see any of them in your logs or so.
By their behavior and parameters, I am 100% sure they are from same group/owner/etc.

I think they are part of a larger bot network that click on Google ads but I am not 100% sure.

AdSense and SEO rankings always go down when I am hit by these, I can compare them in Google Analytics.

Here is part of the latest ones, if anyone has some info it would be great.

I am sure Cloudflare staff can find them in their large network logs, but it is impossible to reach Cloudflare directly :frowning:


You could use an online tool (such as, there are many tools out there) to get information on each of these IP addresses. Several seem to belong to the ASN of hosting companies, a sure sign that the IPs are assigned to websites that were compromised by hackers. You can then Block or Challenge these AS Numbers with a Firewall Rule.

There are some tools that will convert a large group of IP addresses to their ASN, you might want to google “ip to asn online tool” or similar query. That might be helpful if you have a large list of IPs to check.

1 Like

Yes, that makes sense but I did most of that, I can see they have some group of IPs in different data centers across the US, and I can block them, but I was curious to see if anyone has specific info about any of these , for example: “They are used by service X that does Z or Y”.

It might be a company selling http proxy servers (not VPN), they are all configured the same, but I don’t know why I don’t find other data in other people’s logs or complains online. It looks like a private network of proxy servers, not used by others.

It doesn’t really fit the profile of normal bots I seen before.

they all belong to OVH network with ASN = 16276

cat cf-147621.txt | while read i; do curl -s; done | uniq -c | sort -rn       
     73 AS16276 OVH SAS
1 Like

I think you did something wrong with the test, this is what I see…
But if you double check and I am wrong, let me know, all showing USA as origin country:	acIsomedia	Vivid Hosting	ColoCrossing	TerraTransit AG	Cogent Communications	Cogent Communications	LeapSwitch Networks Pvt	Cogent Communications	TerraTransit AG

lol yes i did forget to query the actual IP and queried my own IP haha

cat cf-147621.txt | while read i; do curl -s$i/org; done | sort |  uniq -c | sort -rn
      9 AS174 Cogent Communications
      6 AS42366 TerraTransit AG
      5 AS36352 ColoCrossing
      3 AS7489 HostUS
      3 AS63949 Linode, LLC
      3 AS54103 MOD Mission Critical
      3 AS46261 QuickPacket, LLC
      3 AS20150 anyNode
      3 AS18530 Isomedia, Inc.
      2 AS64200 Vivid Hosting
      2 AS396319 CLOUDVPN INC.
      2 AS21769 Colocation America Corporation
      2 AS19084 ColoUp
      2 AS15003 Nobis Technology Group, LLC
      2 AS13332 Hype Enterprises
      1 AS7979, Inc.
      1 AS63473 HostHatch, LLC
      1 AS62874 Web2Objects LLC
      1 AS58305 SYN LTD
      1 AS47869 Ellada Projects B.V. trading as Netrouting
      1 AS46562 Total Server Solutions L.L.C.
      1 AS40676 Psychz Networks
      1 AS397384 LaunchVPS, LLC
      1 AS397280 HostFlyte Server Solutions
      1 AS396190 Leaseweb USA, Inc.
      1 AS394474 WhiteLabelColo
      1 AS3842 RamNode LLC
      1 AS264850 TODAS LAS REDES SA
      1 AS20473 Choopa, LLC
      1 AS204472 Amol Kotkar trading as A K Digital Media
      1 AS20278 Nexeon Technologies, Inc.
      1 AS20248 Take 2 Hosting, Inc.
      1 AS201341 Tesonet Ltd
      1 AS18779 EGIHosting
      1 AS17216 DC74 LLC
      1 AS15083 Infolink Global Corporation
      1 AS132335 LeapSwitch Networks Pvt Ltd

This topic was automatically closed after 30 days. New replies are no longer allowed.