だるろぐ

A sluggish blog

Getting carpet-bombed by Google over HTTPS

For some reason, for the past few days Google has been hammering my home server with HTTPS requests and attacking it.

# zcat ssl_request_log.3.gz

[03/Feb/2010:02:33:57 +0900] 66.249.71.170 TLSv1 RC4-MD5 "GET /do/zaaZ/tooLgkjeQ_AhN9Le0X/3N2cAxN3/?t=uc&aid=2723404&encoding=b5&action=flagbad&fucid=126513 HTTP/1.1" 300
[03/Feb/2010:02:39:06 +0900] 66.249.71.170 TLSv1 RC4-MD5 "GET /do/Q_aZ/tttLq0mhvTN8LxjX/cAMN0/sv?id=b3e9133111044723971b718eb82b223a001 HTTP/1.1" 297
[03/Feb/2010:02:41:49 +0900] 66.249.71.170 TLSv1 RC4-MD5 "GET /do/zaaZ/ttoLNkjxQaAXg9Lx0X/yw/J/rr/r4/n2724445.htm HTTP/1.1" 314
[03/Feb/2010:02:41:50 +0900] 66.249.71.170 TLSv1 RC4-MD5 "GET /do/Qa_k/oooLgkjeQ_RXN3Le0X/yw/J/rr/rW/n2722808.htm HTTP/1.1" 314
[03/Feb/2010:02:41:51 +0900] 66.249.71.170 TLSv1 RC4-MD5 "GET /do/zaaZ/ottLNk0eQ_RXg9Le0X/yw/J/rr/V/n2710965.htm HTTP/1.1" 313
[03/Feb/2010:02:41:51 +0900] 66.249.71.170 TLSv1 RC4-MD5 "GET /do/z_aZ/ootLgkjxQ_AhN9Lx0h/yw/J/r-/V/n2677968.htm HTTP/1.1" 313
[03/Feb/2010:02:41:52 +0900] 66.249.71.170 TLSv1 RC4-MD5 "GET /do/z__k/ottLNZ0xzaAXN3Lx0X/yw/J/r-/V/n2677961.htm HTTP/1.1" 313
[03/Feb/2010:02:45:18 +0900] 66.249.71.170 TLSv1 RC4-MD5 "GET /do/Qa_k/tooLgk0ez_AhN9LejX/yw/J/rr/sH/n2736423.htm HTTP/1.1" 314
[03/Feb/2010:02:49:07 +0900] 66.249.71.170 TLSv1 RC4-MD5 "GET /do/Q_ak/ttoLNkjeQ_AhN9Lx0X/yw/J/r-/sW/n2700416.htm HTTP/1.1" 314
[03/Feb/2010:02:52:50 +0900] 66.249.71.170 TLSv1 RC4-MD5 "GET /do/Qa_Z/tooLgkjeQ_AXN3Le0X/yw/J/I/r/n2609176.htm HTTP/1.1" 312
[03/Feb/2010:02:56:36 +0900] 66.249.71.170 TLSv1 RC4-MD5 "GET /dl/jingpian/200181.htm HTTP/1.1" 286
[03/Feb/2010:02:56:37 +0900] 66.249.71.170 TLSv1 RC4-MD5 "GET /do/Qa_Z/3mXAiyXRiyIJ4VLwD0yLNZ0eQaRXg3Lx0X/v2aAxDN/show?articleid=13541 HTTP/1.1" 319
[03/Feb/2010:03:00:22 +0900] 66.249.71.170 TLSv1 RC4-MD5 "GET /do/za_Z/totLNZjxzaRhg3LejX/yw/J/rr/sJ/n2737713.htm HTTP/1.1" 314
[03/Feb/2010:03:04:08 +0900] 66.249.71.170 TLSv1 RC4-MD5 "GET /do/z__Z/oooLNZ0ezaRhN3Lx0X/yw/J/r-/J/n2682762.htm HTTP/1.1" 313
[03/Feb/2010:03:07:55 +0900] 66.249.71.170 TLSv1 RC4-MD5 "GET /do/Q__k/oooLNZjezaRhg9Lxjh/yw/J/I/s-/n2629727.htm HTTP/1.1" 313
[03/Feb/2010:03:12:12 +0900] 66.249.71.170 TLSv1 RC4-MD5 "GET /do/za_k/qbxzNYrJ4ILwD0yLNZjxzaAhN9Le0h/v2aAxDN/show?articleid=13933 HTTP/1.1" 315

(and it goes on and on like this)

It really is Google.

% whois 66.249.71.170

[Querying whois.arin.net]
[whois.arin.net]

OrgName:    Google Inc.
OrgID:      GOGL
Address:    1600 Amphitheatre Parkway
City:       Mountain View
StateProv:  CA
PostalCode: 94043
Country:    US

NetRange:   66.249.64.0 - 66.249.95.255
CIDR:       66.249.64.0/19
NetName:    GOOGLE
NetHandle:  NET-66-249-64-0-1
Parent:     NET-66-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.GOOGLE.COM

(rest omitted)
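
To triage an excerpt like the one above, this added example (not part of the original post) parses the log lines and reports, per client, the hit count, the time window, the first path segments requested, and whether the address falls inside the CIDR from the whois output. It assumes mod_ssl's stock ssl_request_log format with numeric client addresses; the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Assumed layout (mod_ssl's stock ssl_request_log):
#   %t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<ip>\S+) (?P<proto>\S+) (?P<cipher>\S+) '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<size>\S+)$')

# CIDR copied from the whois output on the page.
WHOIS_NET = ipaddress.ip_network("66.249.64.0/19")

# Four lines copied from the log excerpt on the page.
SAMPLE = '''\
[03/Feb/2010:02:41:49 +0900] 66.249.71.170 TLSv1 RC4-MD5 "GET /do/zaaZ/ttoLNkjxQaAXg9Lx0X/yw/J/rr/r4/n2724445.htm HTTP/1.1" 314
[03/Feb/2010:02:41:50 +0900] 66.249.71.170 TLSv1 RC4-MD5 "GET /do/Qa_k/oooLgkjeQ_RXN3Le0X/yw/J/rr/rW/n2722808.htm HTTP/1.1" 314
[03/Feb/2010:02:56:36 +0900] 66.249.71.170 TLSv1 RC4-MD5 "GET /dl/jingpian/200181.htm HTTP/1.1" 286
[03/Feb/2010:03:00:22 +0900] 66.249.71.170 TLSv1 RC4-MD5 "GET /do/za_Z/totLNZjxzaRhg3LejX/yw/J/rr/sJ/n2737713.htm HTTP/1.1" 314
'''

def parse(line):
    """Return one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def summarize(text):
    """Per client: hits, time window, top-level path counts, whois-range match."""
    clients = {}
    for rec in filter(None, map(parse, text.splitlines())):
        c = clients.setdefault(rec["ip"], {
            "hits": 0, "first": rec["ts"], "last": rec["ts"],
            "prefixes": Counter(),
            "in_whois_net": ipaddress.ip_address(rec["ip"]) in WHOIS_NET})
        c["hits"] += 1
        c["first"] = min(c["first"], rec["ts"])
        c["last"] = max(c["last"], rec["ts"])
        # First path segment shows which URL trees are being requested.
        c["prefixes"]["/" + rec["path"].lstrip("/").split("/", 1)[0]] += 1
    return clients

if __name__ == "__main__":
    for ip, c in summarize(SAMPLE).items():
        print(ip, c["hits"], c["last"] - c["first"], dict(c["prefixes"]), c["in_whois_net"])
```

Feeding it the full decompressed log instead of SAMPLE gives the same summary for every client in the file.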


At first I figured it would die down if I just denied it.

Deny from 66.249.71.170

But even after waiting a few days, nothing changed.
When I got carpet-bombed by Yeti before, it stopped coming fairly quickly once I denied it.
Yeti >>>>> Googlebot


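I decided to send it back to its own nest.

RewriteEngine On
# Match only this exact client address (anchored so a longer address cannot match)
RewriteCond %{REMOTE_ADDR} ^66\.249\.71\.170$
# Redirect every request from that client to the same path on google.com
RewriteRule ^/(.*)$ http://google.com/$1 [R=301,L]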


I haven't done anything in particular, so I have no idea why this happened.
More to the point, this spam that flat-out ignores even robots.txt is really annoying.