Official eMule-Board: Weird Kad Nodes Id - Official eMule-Board

Jump to content


  • (5 Pages)
  • +
  • 1
  • 2
  • 3
  • 4
  • 5

Weird Kad Nodes Id

#41 User is offline   Nissenice 

  • clippetty-clopping...
  • PipPipPipPipPipPipPip
  • Group: Members
  • Posts: 4231
  • Joined: 05-January 06

Posted 19 September 2011 - 11:48 PM

I think it's either a Chinese governmental organisation or one or more of the Chinese companys behind verycd, easymule, thunder etc. In the former case it's about gathering/tracking information and preventing it to be spread and in the second case it's plain greed plus the fact that they most likely have been obliged by the governement to add restrictions on their own clients.
It's not unlikely that they are cooperating too. It's common around the world that companys works hand in hand with intelligence organisations. Unfortunately, my knowledge about China and Chinese cultural habits could be better, but I'd be a bit surprised if the same doesn't hold there. It could even be that, those Chinese companys are owned by and run by Chinese intelligence.

I think we can rule out Anti-P2P organisations and Scientific researchers by know.



Looks like some of the ID's that was attacked yesterday isn't attacked today. Many others still are, though. Perhaps they are running a round-robin on the list of blacklisted keywords?

This post has been edited by Nissenice: 19 September 2011 - 11:49 PM

0

#42 User is offline   Nissenice 

  • clippetty-clopping...
  • PipPipPipPipPipPipPip
  • Group: Members
  • Posts: 4231
  • Joined: 05-January 06

Posted 21 September 2011 - 12:48 PM

More actively filtered keywords. All found clustered together in a small part of the castrate donkey's beta filter keyword list. :D

(Filtered keyword) = (Googles english translation)

小室友里 = 'Roommates in a small' (chinese) alt. 'Yuri Komuro' (japanese)
饭岛爱 = 'Ai Iijima' (= this one? http://en.wikipedia.org/wiki/Ai_Iijima ?)
夕树舞子 = 'Maiko evening tree'.
青沼知朝 = 'Knowledge morning Aonuma'.
小泽圆 = 'Xiao Zeyuan'.
白石瞳 = 'Hitomi Shiraishi'.
金泽文子 = '金泽文 child'` ?= 'Jin Zewen' + 'child' ?
及川奈央 = 'And Kawana Central'.
古都光 = 'Ancient light'.
苍井空 = 'Aoi'.
吉泽明步 = 'Akiho'.
松岛枫 = 'Matsushima Feng'.
小泽玛莉亚 = 'Leah Ozawa'.

This post has been edited by Nissenice: 21 September 2011 - 12:56 PM

0

#43 User is offline   Nissenice 

  • clippetty-clopping...
  • PipPipPipPipPipPipPip
  • Group: Members
  • Posts: 4231
  • Joined: 05-January 06

Posted 25 September 2011 - 09:27 PM

I was about to run some tests and just found out they have stopped for now. Isn't that typical? :cry:
0

#44 User is offline   Enig123 

  • Golden eMule
  • PipPipPipPipPipPipPip
  • Group: Members
  • Posts: 495
  • Joined: 22-November 04

Posted 26 September 2011 - 05:18 AM

Since you published some details here, it's natural that they do some counter-actions.

However, don't worry, they will do it again for sure. You can just wait, that's all.
0

#45 User is offline   Nissenice 

  • clippetty-clopping...
  • PipPipPipPipPipPipPip
  • Group: Members
  • Posts: 4231
  • Joined: 05-January 06

Posted 26 September 2011 - 10:39 AM

Well, I'm good at waiting, so there's no need for them to speed things up. :angelnot:

This post has been edited by Nissenice: 26 September 2011 - 10:41 AM

0

#46 User is offline   Nissenice 

  • clippetty-clopping...
  • PipPipPipPipPipPipPip
  • Group: Members
  • Posts: 4231
  • Joined: 05-January 06

Posted 20 October 2011 - 12:54 AM

View PostNissenice, on 14 September 2011 - 08:23 PM, said:

Those Kad attackers have moved to a different set of IP-ranges. Here's the new IP's to block:

58.22.20.0 - 	58.22.23.255, 		0, 	CHN_Kad_Attack
61.241.220.0 - 	61.241.223.255, 	0, 	CHN_Kad_Attack
112.111.12.0 - 	112.111.15.255, 	0, 	CHN_Kad_Attack
112.111.36.0 - 	112.111.39.255, 	0, 	CHN_Kad_Attack
112.111.52.0 - 	112.111.55.255, 	0, 	CHN_Kad_Attack
124.162.72.0 - 	124.162.79.255, 	0, 	CHN_Kad_Attack
175.42.8.0 - 	175.42.11.255, 		0, 	CHN_Kad_Attack
220.249.164.0 - 220.249.171.255, 	0, 	CHN_Kad_Attack
220.250.40.0 - 	220.250.43.255, 	0, 	CHN_Kad_Attack


They have moved to yet another set of IP's. I'm not sure if these ranges cover all them. Time will show.

58.212.0.0 -	58.212.0.255,		0,      CHN_Kad_Attack
58.212.1.0 -	58.212.1.255,		0,      CHN_Kad_Attack
58.212.24.0 -	58.212.24.255,		0,      CHN_Kad_Attack
58.212.25.0 -	58.212.25.255,		0,      CHN_Kad_Attack
58.212.26.0 -	58.212.26.255,		0,      CHN_Kad_Attack
58.212.27.0 -	58.212.27.255,		0,      CHN_Kad_Attack
58.212.33.0 -	58.212.33.255,		0,      CHN_Kad_Attack
58.212.36.0 -	58.212.36.255,		0,      CHN_Kad_Attack

117.88.130.0 -	117.88.130.255,		0,      CHN_Kad_Attack

121.229.31.0 -	121.229.31.255,		0,      CHN_Kad_Attack

121.237.110.0 -	121.237.110.255,	0,      CHN_Kad_Attack
121.237.111.0 -	121.237.111.255,        0,      CHN_Kad_Attack

222.94.49.0 -	222.94.49.255,		0,      CHN_Kad_Attack
222.94.52.0 -	222.94.52.255,		0,      CHN_Kad_Attack
222.94.53.0 -	222.94.53.255,		0,      CHN_Kad_Attack
222.94.54.0 -	222.94.54.255,		0,      CHN_Kad_Attack
222.94.58.0 -	222.94.58.255,		0,      CHN_Kad_Attack
222.94.59.0 -	222.94.59.255,		0,      CHN_Kad_Attack
222.94.61.0 -	222.94.61.255,		0,      CHN_Kad_Attack
222.94.236.0 -	222.94.236.255,		0,      CHN_Kad_Attack

0

#47 User is offline   Nissenice 

  • clippetty-clopping...
  • PipPipPipPipPipPipPip
  • Group: Members
  • Posts: 4231
  • Joined: 05-January 06

Posted 22 October 2011 - 12:54 AM

Also:

121.229.63.0 -  121.229.63.255,         0,      CHN_Kad_Attack
222.94.56.0 -   222.94.56.255,          0,      CHN_Kad_Attack
222.94.60.0 -   222.94.60.255,          0,      CHN_Kad_Attack


[Edit] ...plus..:
117.88.131.0 -  117.88.131.255,         0,      CHN_Kad_Attack
121.237.108.0 - 121.237.108.255,        0,      CHN_Kad_Attack
121.237.109.0 - 121.237.109.255,        0,      CHN_Kad_Attack
222.94.48.0 -   222.94.48.255,          0,      CHN_Kad_Attack
222.94.57.0 -   222.94.57.255,          0,      CHN_Kad_Attack
222.94.237.0 -  222.94.237.255,         0,      CHN_Kad_Attack
[/Edit]

This post has been edited by Nissenice: 26 October 2011 - 10:35 PM

0

#48 User is offline   Nissenice 

  • clippetty-clopping...
  • PipPipPipPipPipPipPip
  • Group: Members
  • Posts: 4231
  • Joined: 05-January 06

Posted 28 October 2011 - 05:43 PM

Never mind... now they are back here:

123.116.144.0 – 123.116.147.255,        0,	CHN_Kad_Attack
123.116.152.0 – 123.116.155.255,        0,	CHN_Kad_Attack

123.117.160.0 – 123.117.163.255,        0,	CHN_Kad_Attack
123.117.164.0 – 123.117.167.255,        0,	CHN_Kad_Attack
123.117.168.0 – 123.117.171.255,        0,	CHN_Kad_Attack
123.117.172.0 – 123.117.175.255,        0,	CHN_Kad_Attack
123.117.176.0 – 123.117.179.255,        0,	CHN_Kad_Attack
123.117.180.0 – 123.117.183.255,        0,	CHN_Kad_Attack
123.117.184.0 – 123.117.187.255,        0,	CHN_Kad_Attack
123.117.188.0 – 123.117.191.255,        0,	CHN_Kad_Attack

123.121.168.0 – 123.117.171.255,        0,	CHN_Kad_Attack

This post has been edited by Nissenice: 28 October 2011 - 05:53 PM

0

#49 User is offline   Enig123 

  • Golden eMule
  • PipPipPipPipPipPipPip
  • Group: Members
  • Posts: 495
  • Joined: 22-November 04

Posted 28 October 2011 - 08:54 PM

I hope the developers can find a way to counter-attack those behaviors, at least cease the spread of those bad kad nodes to make it less effect.
0

#50 User is offline   Nissenice 

  • clippetty-clopping...
  • PipPipPipPipPipPipPip
  • Group: Members
  • Posts: 4231
  • Joined: 05-January 06

Posted 29 October 2011 - 10:40 AM

They are probably working on it. Anyway I'm not worried, I can think of several counter measures.
Question as I see it is if one should use a tack hammer first or go for the sledge hammer alternative right away. :D
Also, care needs to be taken so that the solution does not introduce new types of attacks.


Here is an example of a tack hammer solution, if I'm not way out:

Identified attacking nodes near a targeted ID is treated like the nodes with ID repetition. Not more than one is picked during a lookup and at most one is added to the routing table. Additionally when asking an attacking node for closer nodes to a target a limit is set for the number of hops, e.g. to one or maybe two.
This would most likely mean that the attackers change their behavior so we also need to make sure that attacking nodes is not asked first when search requests are sent to eliminate their possiblity to fill up the search responses with 300 answers of garbage.

Not the prettiest solution, but I think it should work. Well, at least up to a limit.


To add:
123.116.148.0 – 123.116.151.255,        0,      CHN_Kad_Attack
123.116.156.0 – 123.116.159.255,        0,      CHN_Kad_Attack

This post has been edited by Nissenice: 29 October 2011 - 10:42 AM

0

#51 User is offline   inmemory 

  • Member
  • PipPip
  • Group: Members
  • Posts: 25
  • Joined: 30-July 09

Posted 31 October 2011 - 04:00 AM

Recently I found some weird nodes, after a long time observation and investigation, I thought it's because more and more chinese people used some KAD/ED2k search tools so-called "p2psearcher" or any other names like: "BeyondSearch", "BreakPrisonSearch", "Hornet Search", "Super Search" and so on.

Posted Image
Posted Image
Posted Image
Posted Image


These so-called "p2psearcher" tools cannot sharing any files and only have search function, but connect to ed2k servers and create kad nodes, you can imagine what it dose mean in ed2k/kad network, Chinese people have a large amount. Aslo I think it could explain why in China the increasing peers have a large number recently.

These tools have differnet names but most have similar GUI, just like be made or sponsored by same people or organization (I guessed xunlei (a chinese leeching tool), because most of these tools advertising or suggesting xunlei to leeching).

Because of several years cheating(eg. in Chinese web search engine Baidu) and misinformation made by chinese company verycd (now as a subsidiary of xunlei), most of Chinese people didn't know official emule, of courese didn't know emule's original ed2k/kad search function. All of these "p2psearcher" tools appeared after verycd removed ed2k/kad search function in their "easymule" (a mod of emule which most chinese people used and thought it as official emule), so my personal point is: xunlei and verycd did not want their people find, discover and know "real official emule", so they built or sponsor these tools and distributed them in chinese social network, tricked chinese people and prevent chinese people leave their ad-aware "xunlei" or "easymule".


I didn't know if the ed2k servers' master mind their servers full of these never sharing and fake "clients", but as a user I will never like these nodes fill my nodes list. Bad thing is, I didn't think there is any way to distinguish between real emule clients and these so-called "p2psearcher" tools, any idea?

This post has been edited by inmemory: 31 October 2011 - 04:12 AM

0

#52 User is offline   Nissenice 

  • clippetty-clopping...
  • PipPipPipPipPipPipPip
  • Group: Members
  • Posts: 4231
  • Joined: 05-January 06

Posted 10 December 2011 - 05:33 PM

View Postinmemory, on 31 October 2011 - 05:00 AM, said:

Recently I found some weird nodes, after a long time observation and investigation, I thought it's because more and more chinese people used some KAD/ED2k search tools so-called "p2psearcher" or any other names like: "BeyondSearch", "BreakPrisonSearch", "Hornet Search", "Super Search" and so on.

Sorry for this late reply, but I think I was too occupied with what I myself was doing at the time you posted this and then I forgot about it.

Can you describe what you found weird about those nodes and what made you think it was related to these search tools?


inmemory said:

These so-called "p2psearcher" tools cannot sharing any files and only have search function, but connect to ed2k servers and create kad nodes, you can imagine what it dose mean in ed2k/kad network, Chinese people have a large amount. Aslo I think it could explain why in China the increasing peers have a large number recently.

These tools have differnet names but most have similar GUI, just like be made or sponsored by same people or organization (I guessed xunlei (a chinese leeching tool), because most of these tools advertising or suggesting xunlei to leeching).

Because of several years cheating(eg. in Chinese web search engine Baidu) and misinformation made by chinese company verycd (now as a subsidiary of xunlei), most of Chinese people didn't know official emule, of courese didn't know emule's original ed2k/kad search function. All of these "p2psearcher" tools appeared after verycd removed ed2k/kad search function in their "easymule" (a mod of emule which most chinese people used and thought it as official emule), so my personal point is: xunlei and verycd did not want their people find, discover and know "real official emule", so they built or sponsor these tools and distributed them in chinese social network, tricked chinese people and prevent chinese people leave their ad-aware "xunlei" or "easymule".


I didn't know if the ed2k servers' master mind their servers full of these never sharing and fake "clients", but as a user I will never like these nodes fill my nodes list. Bad thing is, I didn't think there is any way to distinguish between real emule clients and these so-called "p2psearcher" tools, any idea?

Well I can imagine what it will do when it comes to ed2k-servers. I believe it will be the end for IPs in mainland China to be able to connect to servers. Afaik the people running these servers can't update their software and the easiest solution for them if they found their servers abused is to block all IPs in China.

When it comes to Kad, I think the abusers are shooting themselves in feet and knee in their tries to get benefits.
The most proper counter action probably would be to add checks to make sure that a node is acting as a proper node. But this will cost more or less bandwidth (overhead), depending on how sure we want to be about a node's thruthfulness. Personally, I think there are other actions that can be almost as useful, which will make them - s u f f e r. :devil:
0

#53 User is offline   Nissenice 

  • clippetty-clopping...
  • PipPipPipPipPipPipPip
  • Group: Members
  • Posts: 4231
  • Joined: 05-January 06

Posted 10 December 2011 - 09:00 PM

View PostSome Support, on 07 January 2011 - 11:47 AM, said:

Again i also already wrote that this attack is kinda easy to detect with some improvements, because the IDs are too close together and every client can figure that out. Of course the question remains what to do after knowing that those are fake nodes. I think one of the research papers had just this as topic, didn't get arround to read it completly yet, but will do by time.

An easy way out and an effective one too, I believe, would be to make the checks and when the checks turns out sucessful a statement about it is put in the verbose log, so that it can be read by e.g. developers, people managing ipfilters and others.
The advantage with this is that with almost no effort from our side quite a lot of damage can be done to the attackers. I doubt they would be thrilling happy when dragged from darkness out into the light.
It would also give us an oppurtunity to see how far they are willing to go, how much more resources they are willing to spend.


View PostSome Support, on 17 January 2011 - 10:59 PM, said:

Also, if indeed china itself (or someone bound to china) is doing serious attacks, the solution is fairly simple: We could just block all NodeIDs from chinese IPs. Chinese users could still use Kad, they would be jsut not used for routing tasks anymore. Of course this only works if the Kad network doesn't consists of too many Chinese (more than 30% would be bad, unfortunatly i really dont have any stats on this right now) users or the load for the rest of the network would become too big.
Of course that would really only be the last defence if everything else fails and they really do disrupt the network considerably.

As a start we could set restrictions on how many NodeIDs from Chinese IPs should be allowed in routing tables. For example if we limit the number of Chinese IPs in every routing bin to for instance 3 nodes (maybe with some exceptions for those bins with IDs close to own ID) then we would have at least an upper limit on how many Chinese nodes the routing table would host.
This wouldn't help against the node insertion attack they are performing. But it would rule out the possibility for them, with chinese IPs, to take over almost a hole routing table as the picture in post #1 is suggesting.

Also, there could be restrictions on how many NodeIDs from China we are trying to add to the routing table at one and the same time. For instance when receiving a Kademlia2_Response we could set the limit so that at most one randomly chosen is tested against the routing table. This would certainly hurt the attackers a bit as they prefer to inject 2 or 4 nodes, depending on the request, as much as they can. You only need to say the magic keywords and you are as most vulnerable when the client just started and the routing table is filling up.

Now if they are still obedient and not learning their lesson then we could strengthen the restrictions to 2 nodes/bin and after that we all have got used to it and the step towards zero doesn't look that huge any more...

Now even if this wouldn't suit the vanilla client, it might be suitable for mods. For a client with ip to country already implemented the changes are not much of an effort.

This post has been edited by Nissenice: 10 December 2011 - 09:10 PM

0

#54 User is offline   Nissenice 

  • clippetty-clopping...
  • PipPipPipPipPipPipPip
  • Group: Members
  • Posts: 4231
  • Joined: 05-January 06

Posted 28 December 2011 - 11:50 AM

If you are finding that your uploads seem to behaving a bit strange today then a reason for this could be that the Chinese attackers seem to have changed strategy.



Posted Image

(The picture is from a client with no files in transfer, so the uploads seen here are only related to Kad)



Starting this morning there are coordinated activities from Chinese IPs (unless they are spoofed). What's happening is that the same search keyword request is sent from many different IPs at basically the same time and this is repeated in a periodic pattern.

The IPs used are, from what I can see, basically the same that have been used since the start of this thread with the difference that now they are using them all at the same time.
The IPs I've seen so far today can be found in these /8 subnet ranges: 58.17.xx.xx, 119.85.xx.xx, 123.116.xx.xx, 123.117.xx.xx, 123.121.xx.xx, 123.144.xx.xx, 123.145.xx.xx, 124.162.xx.xx, 125.80.xx.xx, 125.82.xx.xx, 125.84.xx.xx.


EDIT: added 119.85.xx.xx.

This post has been edited by Nissenice: 29 December 2011 - 10:22 AM

0

#55 User is offline   Some Support 

  • Last eMule
  • PipPipPipPipPipPipPip
  • Group: Yes
  • Posts: 3630
  • Joined: 27-June 03

Posted 28 December 2011 - 07:52 PM

Not sure if I see the point (if there is any yet). Maybe evaluating the success of others attacks or gathering target IDs for new attacks...

#56 User is offline   Nissenice 

  • clippetty-clopping...
  • PipPipPipPipPipPipPip
  • Group: Members
  • Posts: 4231
  • Joined: 05-January 06

Posted 29 December 2011 - 10:20 AM

Yes it seems a bit odd. I'm a bit busy right now plus that we have guests in the house so I haven't had much time to look at it yet. But one reason why it appeared as it did in the picture above was probably that my KadID was relatively close to an ID they are targeting. I assume the number of requests decreases when the distance to the targeted ID increases. So far I can't either come to another conclusion than it's a check to see how succesful the attack is or something like that.

From what I can see at a glance their attacking efforts have definately increased and more IPs are used. The attacking nodes seem to be mainly hosted at 125.80.xx.xx, 125.82.xx.xx, 125.84.xx.xx and 119.85.xx.xx and as earlier 4 attacking nodes are used to guard an attacked ID. But some IDs seems to be attacked by 8 nodes. Here is an example:

2011-12-29 07:23:18: Kad: Out request for opcode 0x21 to IP 125.82.27.28:14822  NodeID = F50530BB708E19F8411EEACBFB4458A1  Version = 8
2011-12-29 07:23:18: Kad: Out request for opcode 0x21 to IP 123.116.157.137:14607  NodeID = F50530BB71BD83F54A0A4BD097EBDC08  Version = 8
2011-12-29 07:23:21: Kad: Out request for opcode 0x21 to IP 125.82.4.202:14695  NodeID = F50530BB74E6D9CF93B11C3869D0ADEE  Version = 8
2011-12-29 07:23:24: Kad: Out request for opcode 0x21 to IP 119.85.109.120:14818  NodeID = F50530BB75EAC6D99A1AD3EC8DCCFABF  Version = 8
2011-12-29 07:23:25: Kad: Out request for opcode 0x21 to IP 123.117.185.155:14607  NodeID = F50530BB762AD304F2CD966CF1B59685  Version = 8
2011-12-29 07:23:26: Kad: Out request for opcode 0x21 to IP 123.117.184.246:14607  NodeID = F50530BB76F6CED47E0C61F754BE08C6  Version = 8
2011-12-29 07:23:27: Kad: Out request for opcode 0x21 to IP 119.85.97.111:14818  NodeID = F50530BB77A0AD529708566BD437D463  Version = 8
2011-12-29 07:23:28: Kad: Out request for opcode 0x21 to IP 123.116.159.203:14607  NodeID = F50530BB77F2ACEC0C63AC76D36A19D6  Version = 8

0

#57 User is offline   Nissenice 

  • clippetty-clopping...
  • PipPipPipPipPipPipPip
  • Group: Members
  • Posts: 4231
  • Joined: 05-January 06

Posted 31 December 2011 - 03:40 PM

I can see an indication that suggests that they have not based their coding on eMule's open source code and probably not aMule's source code either. Namely because some search requests are sent to nodes where the requested IDs and the asked nodes IDs are not in the same tolerance zone.

This is not an uncommon behavior for clients hosted in China but it is rare from other places in the world.

Here is an example where the requested ID starts with 41... (41B6DA22086B2FED8F8F44111789B9CF is an attacked key ID).

2011-12-28 15:27:16: Kad: Request for opcode 0x21 (0x21) from IP 123.145.197.50:14501  ID = 41B6DA22086B2FED8F8F44111789B9CF
2011-12-28 15:27:20: Kad: Request for opcode 0x33 (0x33) from IP 123.145.197.50:14501  ID = 41B6DA22086B2FED8F8F44111789B9CF  - Wrong tolerance zone!

My own KadID used here doesn't start with 41..., actually it doesn't even start with a 4... :-k

This post has been edited by Nissenice: 31 December 2011 - 03:52 PM

0

#58 User is offline   Nissenice 

  • clippetty-clopping...
  • PipPipPipPipPipPipPip
  • Group: Members
  • Posts: 4231
  • Joined: 05-January 06

Posted 18 September 2012 - 12:04 AM

I hadn't checked for a long time until last night when I noticed there was quite some activity in the IP logs. Here are the new IP-ranges the Chinese Kad abusers are using at this moment. As far as I can see some of the old previously reported IP-ranges are also still in use. See older posts for those.

Anyway here are the new ones.

14.135.96.0 - 14.135.99.255					/* 24-Feb */

14.135.208.0 - 14.135.215.255

36.248.20.0 - 36.248.23.255

36.248.100.0 - 36.248.103.255

36.248.124.0 - 36.248.127.255		/* 14-Jan */

36.251.44.0 - 36.251.47.255		/* 21-Jan */

42.228.64.0 - 42.228.67.255			/* 9-Feb */
42.228.68.0 - 42.228.71.255			/* 9-Feb */

58.16.30.0 - 58.16.31.255

58.16.64.0 - 58.16.67.255

58.19.16.0 - 58.19.19.255

58.22.20.0 - 58.22.23.255

58.20.64.0 - 58.20.67.255

58.20.96.0 - 58.20.99.255

58.59.192.0 - 58.59.207.255

58.212.0.0 - 58.212.3.255

58.212.32.0 - 58.212.35.255

58.242.208.0 - 58.242.223.255

58.243.224.0 - 58.243.227.255

59.52.104.0 - 59.52.107.255

59.52.144.0 - 59.52.144.255

59.52.228.0 - 59.52.228.255

59.53.130.0 - 59.53.131.255

59.53.248.0 - 59.53.251.255		/* 14-Jan */
59.53.252.0 - 59.53.255.255

59.55.136.0 - 59.55.136.255		/* 21-Jan */

59.63.127.0 - 59.63.127.255		/* 21-Jan */

59.174.44.0 - 59.174.47.255

59.174.188.0 - 59.174.188.255		/* 14-Jan */
59.174.189.0 - 59.174.189.255
59.174.190.0 - 59.174.191.255		/* 14-Jan */


59.174.192.0 - 59.174.195.255
59.174.196.0 - 59.174.199.255

60.0.0.0 - 60.0.3.255

60.0.46.0 - 60.0.47.255			/* 21-Jan */

60.1.84.0 - 60.1.87.255

60.1.168.0 - 60.1.171.255

60.16.0.0 - 60.16.15.255

60.166.224.0 - 60.166.255.255

61.180.108.0 - 61.180.109.255		/* 21-Jan */

60.186.104.0 - 60.186.111.255

61.52.48.0 - 61.52.51.255			/* 9-Feb */
61.52.52.0 - 61.52.79.255

61.55.208.0 - 61.55.208.255			/* 9-Feb */

61.187.0.0 - 61.187.3.255

61.241.220.0 - 61.241.223.255

101.68.4.0 - 101.68.7.255		/* 14-Jan */

101.68.124.0 - 101.68.127.255

110.16.200.0 - 110.16.207.255

110.17.144.0 - 110.17.147.255		/* 14-Jan */
110.17.148.0 - 110.17.149.255		/* 14-Jan */
110.17.150.0 - 110.17.151.255
110.17.152.0 - 110.17.155.255		/* 14-Jan */
110.17.156.0 - 110.17.159.255		/* 14-Jan */

110.52.192.0 - 110.52.199.255

110.228.28.0 - 110.228.31.255

110.228.76.0 - 110.228.79.255

110.228.124.0 - 110.228.127.255	

110.228.204.0 - 110.228.207.255

110.240.4.0 - 110.240.7.255

110.240.96.0 - 110.240.99.255

110.240.120.0 - 110.240.123.255		/* 14-Jan */
110.240.124.0 - 110.240.127.255

110.240.152.0 - 110.240.155.255

110.249.0.0 - 110.249.7.255

110.249.115.0 - 110.249.115.255		/* 14-Jan */

111.73.216.0 - 111.73.219.255

111.76.232.0 - 111.76.235.255

111.78.68.0 - 111.78.71.255					/* 24-Feb */

111.85.128.0 - 111.85.131.255
111.85.132.0 - 111.85.135.255
111.85.136.0 - 111.85.137.255
111.85.138.0 - 111.85.139.255		/* 14-Jan */
111.85.140.0 - 111.85.143.255		/* 14-Jan */
111.85.144.0 - 111.85.147.255
111.85.148.0 - 111.85.151.255			/* 9-Feb */
111.85.152.0 - 111.85.155.255			/* 9-Feb */
111.85.156.0 - 111.85.159.255

111.112.80.0 - 111.112.87.255

111.113.24.0 - 111.113.27.255

111.113.68.0 - 111.113.71.255

111.113.80.0 - 111.113.95.255

111.113.112.0 - 111.113.119.255

111.113.160.0 - 111.113.175.255

111.113.224.0 - 111.113.231.255

111.162.136.0 - 111.162.147.255

112.66.0.0 - 112.66.95.255

112.67.192.0 - 112.67.223.255

112.80.132.0 - 112.80.139.255

112.80.212.0 - 112.80.219.255

112.111.12.0 - 112.111.15.255

112.111.52.0 - 112.111.55.255		/* 21-Jan */

113.12.4.0 - 113.12.7.255

113.12.140 - 113.12.143.255

113.12.216.0 - 113.12.219.255

113.16.48.0 - 113.16.51.255			/* 9-Feb */

113.57.76.0 - 113.57.79.255					/* 24-Feb */

113.58.224.0 - 113.58.247.255

113.132.0.0 - 113.132.3.255

113.132.176.0 - 113.132.179.255

113.135.96.0 - 113.135.99.255		/* 14-Jan */

113.240.0.0 - 113.240.3.255

113.240.116.0 - 113.240.119.255

113.240.156.0 - 113.240.159.255

113.240.172.0 - 113.240.175.255		/* 21-Jan */
113.240.176.0 - 113.240.183.255

113.240.188.0 - 113.240.191.255
113.240.192.0 - 113.240.195.255		/* 21-Jan */

113.240.216.0 - 113.240.219.255	

113.246.124.0 - 113.246.127.255

113.247.12.0 - 113.247.19.255

114.97.64.0 - 114.97.95.255

115.148.152.0 - 115.148.155.255

115.148.164.0 - 115.148.167.255

115.150.220.0 - 115.150.223.255

115.152.94.0 - 115.152.95.255

115.192.208.0 - 115.192.215.255

115.200.232.0 - 115.200.239.255

115.204.88.0 - 115.204.95.255

115.205.0.0 - 115.205.7.255

116.1.208.0 - 116.1.211.255

116.113.36.0 - 116.113.39.255					/* 24-Feb */
116.113.40.0 - 116.113.43.255		/* 21-Jan */

116.113.48.0 - 116.113.51.255		/* 14-Jan */
116.113.52.0 - 116.113.55.255			/* 9-Feb */
116.113.56.0 - 116.113.59.255			/* 9-Feb */
116.113.60.0 - 116.113.63.255					/* 24-Feb */
116.113.64.0 - 116.113.67.255					/* 24-Feb */
116.113.68.0 - 116.113.71.255			/* 9-Feb */
116.113.72.0 - 116.113.75.255			/* 9-Feb */
116.113.76.0 - 116.113.79.255					/* 24-Feb */

116.114.64.0 - 116.114.67.255			/* 9-Feb */
116.114.68.0 - 116.114.75.255
116.114.76.0 - 116.114.79.255			/* 9-Feb */

116.252.48.0 - 116.252.51.255

116.252.76.0 - 116.252.79.255

117.14.144.0 - 117.14.159.255

117.22.120.0 - 117.22.121.255

117.22.136.0 - 117.22.137.255

117.22.144.0 - 117.22.144.255

117.22.186.0 - 117.22.187.255

117.32.136.0 - 117.32.137.255

117.32.188.0 - 117.32.189.255

117.32.234.0 - 117.32.235.255

117.35.164.0 - 117.35.167.255		/* 14-Jan */

117.36.46.0 - 117.36.47.255

117.39.6.0 - 117.39.7.255		/* 14-Jan */

117.39.24.0 - 117.39.25.255		/* 14-Jan */

117.40.3.0 - 117.40.3.255			/* 9-Feb */

117.40.96.0 - 117.40.97.255

117.43.66.0 - 117.43.67.255

117.43.150.0 - 117.43.150.255			/* 9-Feb */

117.45.8.0 - 117.45.9.255		/* 21-Jan */

117.88.128.0 - 117.88.131.255

118.81.0.0 - 118.81.15.255

118.81.236.0 - 118.81.239.255

118.249.48.0 - 118.249.51.255

118.249.84.0 - 118.249.87.255

118.249.140.0 - 118.249.143.255	

118.250.120.0 - 118.250.123.255

119.39.84.0 - 119.39.99.255

119.85.96.0 - 119.85.111.255

119.108.144.0 - 119.108.160.255

119.119.176.0 - 119.119.191.255

119.248.40.0 - 119.248.43.255

119.248.52.0 - 119.248.55.255

119.248.103.0 - 119.248.103.255		/* 14-Jan */

120.0.204.0 - 120.0.207.255

120.1.112.0 - 120.1.116.255

121.28.216.0 - 121.28.219.255

121.29.176.0 - 121.29.191.255

121.29.199.0 - 121.29.199.255			/* 9-Feb */

121.31.16.0 - 121.31.19.255		/* 14-Jan */

121.31.40.0 - 121.31.43.255

121.31.48.0 - 121.31.51.255

121.31.60.0 - 121.31.63.255

121.229.28.0 - 121.229.31.255

121.229.60.0 - 121.229.63.255

122.96.12.0 - 122.96.23.255

122.96.124.0 - 122.96.127.255

122.233.176.0 - 122.233.180.255

122.235.188.0 - 122.235.191.255

123.6.160.0 - 123.6.175.255

123.14.24.0 - 123.14.31.255

123.14.120.0 - 123.14.127.255

123.14.248.0 - 123.14.255.255

123.116.144.0 - 123.116.159.255

123.117.160.0 - 123.117.191.255

123.121.168.0 - 123.121.175.255

123.138.84.0 - 123.138.87.255

123.139.76.0 - 123.139.79.255		/* 14-Jan */

123.139.100.0 - 123.139.103.255

123.139.122.0 - 123.139.123.255					/* 24-Feb */

123.144.160.0 - 123.144.175.255

123.145.160.0 - 123.145.199.255

123.157.192.0 - 123.157.195.255

123.158.48.0 - 123.158.51.255

123.158.56.0 - 123.158.63.255

124.88.52.0 - 124.88.55.255

124.88.92.0 - 124.88.95.255

124.89.118.0 - 124.89.119.255

124.90.48.0 - 124.90.51.255
124.90.52.0 - 124.90.55.255

124.114.8.0 - 124.114.11.255		/* 14-Jan */

124.114.168.0 - 124.114.171.255		/* 21-Jan */
124.114.172.0 - 124.114.173.255		/* 14-Jan */
124.114.174.0 - 124.114.175.255		/* 21-Jan */

124.115.160.0 - 124.115.161.255

124.160.236.0 - 124.160.239.255

124.227.136.0 - 124.227.139.255

125.41.44.0 - 125.41.47.255

125.41.96.0 - 125.41.99.255		/* 14-Jan */

125.41.181.0 - 125.41.181.255			/* 9-Feb */

125.76.160.0 - 125.76.163.255

125.76.177.0 - 125.76.177.255			/* 9-Feb */

125.80.224.0 - 125.80.255.255

125.82.0.0 - 125.82.3.255
125.82.4.0 - 125.82.7.255
125.82.8.0 - 125.82.11.255
125.82.12.0 - 125.82.15.255
125.82.16.0 - 125.82.19.255
125.82.20.0 - 125.82.23.255
125.82.24.0 - 125.82.27.255
125.82.28.0 - 125.82.31.255

125.84.176.0 - 125.84.191.255

125.118.0.0 - 125.118.7.255

125.119.8.0 - 125.119.15.255

125.119.220.0 - 125.119.223.255

125.120.60.0 - 125.120.63.255

125.120.76.0 - 125.120.79.255

150.255.0.0 - 150.255.11.255

150.255.32.0 - 150.255.35.255

150.255.80.0 - 150.255.83.255		/* 14-Jan */

150.255.108.0 - 150.255.111.255					/* 24-Feb */
150.255.112.0 - 150.255.115.255					/* 24-Feb */
150.255.116.0 - 150.255.119.255					/* 24-Feb */

171.36.8.0 - 171.36.23.255

171.36.40.0 - 171.36.43.255

171.36.152.0 - 171.36.155.255					/* 24-Feb */
171.36.156.0 - 171.36.159.255					/* 24-Feb */
171.36.160.0 - 171.36.163.255			/* 9-Feb */
171.36.164.0 - 171.36.167.255			/* 9-Feb */
171.36.168.0 - 171.36.171.255			/* 9-Feb */

171.36.208.0 - 171.36.211.255

171.36.232.0 - 171.36.235.255

171.36.248.0 - 171.36.251.255

171.37.48.0 - 171.37.51.255

171.37.128.0 - 171.37.135.255

171.37.140.0 - 171.37.143.255

171.37.176.0 - 171.37.179.255

171.37.216.0 - 171.37.219.255

171.116.144.0 - 171.116.147.255

171.117.8.0 - 171.117.11.255

171.117.204.0 - 171.117.207.255		/* 21-Jan */

175.17.192.0 - 175.17.207.255

175.42.8.0 - 175.42.11.255		/* 21-Jan */

175.184.160.0 - 175.184.163

180.136.168.0 - 180.136.171.255

180.136.224.0 - 180.136.227.255

180.136.252.0 - 180.136.255.255

180.139.148.0 - 180.139.151.255

182.87.76.0 - 182.87.76.255		/* 14-Jan */
182.87.77.0 - 182.87.77.255

182.88.16.0 - 182.88.23.255

182.88.114.0 - 182.88.115.255

182.88.208.0 - 182.88.211.255

182.108.12.0 - 182.108.15.255					/* 24-Feb */

182.119.72.0 - 182.119.79.255

182.119.192.0 - 182.119.199.255

182.119.224.0 - 182.119.231.255

183.94.24.0 - 183.94.27.255					/* 24-Feb */

183.128.216.0 - 183.128.223.255

183.184.24.0 - 183.184.31.255

183.184.80.0 - 183.184.83.255

183.184.176.0 - 183.184.179.255

183.185.224.0 - 183.185.227.255

211.97.108.0 - 211.97.109.255			/* 9-Feb */

218.9.192.0 - 218.9.193.255					/* 24-Feb */

218.10.48.0 - 218.10.51.255

218.10.60.0 - 218.10.63.255

218.11.16.0 - 218.11.19.255

218.65.108.0 - 218.65.108.255

218.87.74.0 - 218.87.74.255

218.107.20.0 - 218.107.23.255			/* 9-Feb */

219.140.141.0 - 219.140.141.255

219.144.172.0 - 219.144.175.255		/* 14-Jan */

219.155.44.0 - 219.155.45.255		/* 21-Jan */

219.155.208.0 - 219.155.215.255

219.157.192.0 - 219.157.199.255

220.169.16.0 - 220.169.19.255

220.173.0.0 - 220.173.19.255

220.175.98.0 - 220.175.99.255		/* 21-Jan */

220.175.132.0 - 220.175.133.255			/* 9-Feb */

220.249.164.0 - 220.249.167.255		/* 14-Jan */

220.250.40.0 - 220.250.43.255		/* 14-Jan */

221.11.4.0 - 221.11.7.255

221.192.52.0 - 221.192.55.255

221.204.60.0 - 221.204.63.255

221.204.144.0 - 221.204.151.255

221.205.136.0 - 221.205.139.255

221.207.32.0 - 221.207.35.255

222.84.88.0 - 222.84.91.255

222.91.78.0 - 222.91.79.255		/* 21-Jan */

222.91.88.0 - 222.91.89.255		/* 21-Jan */
222.91.90.0 - 222.91.90.255		/* 21-Jan */

222.94.48.0 - 222.94.63.255

222.94.236.0 - 222.94.239.255

222.216.184.0 - 222.216.187.255

222.240.68.0 - 222.240.71.255

222.244.108.0 - 222.244.111.255			/* 9-Feb */

222.244.252.0 - 222.244.255.255			/* 9-Feb */

222.247.88.0 - 222.247.91.255

222.247.136.0 - 222.247.139.255

222.247.176.0 - 222.247.179.255

222.247.200.0 - 222.247.203.255

222.247.208.0 - 222.247.215.255

:o


Edit 12 (14 January 2013): And yet more IP-ranges reported.

Edit 13 (21 January 2013): Updated with more IPs available to the cyber terrorists.

Edit 14 (9 February 2013): Updated again.

Edit 15 (24 February 2013): More IP-ranges hosting attacking nodes.

This post has been edited by Nissenice: 24 February 2013 - 09:15 PM

0

#59 User is offline   Nissenice 

  • clippetty-clopping...
  • PipPipPipPipPipPipPip
  • Group: Members
  • Posts: 4231
  • Joined: 05-January 06

Posted 21 September 2012 - 01:16 AM

Hi. FYI the list in previous post has been extended a little. :-k
1

#60 User is offline   Enig123 

  • Golden eMule
  • PipPipPipPipPipPipPip
  • Group: Members
  • Posts: 495
  • Joined: 22-November 04

Posted 22 September 2012 - 04:45 AM

Is it possible that it was caused by flawed clients?

I have observed log lines like this:

Quote

9/21/2012 9:42:07 PM: Ignored source (IP=112.80.xxx.xxx) received via source exchange - IP filter (CHN_Kad_Attack)


It looks like a real client.
0

  • Member Options

  • (5 Pages)
  • +
  • 1
  • 2
  • 3
  • 4
  • 5

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users