Blocking Redstation Range

Portal Home > Knowledgebase > Articles Database > Blocking Redstation Range

Posted by Jesmarin, 05-03-2016, 09:50 AM
I am getting clickbomb attacks from following IPs. When I check by whois terminal command, they all get from redstation.co.uk. How can I find the IP ranges to block RedStation servers completely please? Cheers
Posted by net, 05-03-2016, 10:11 AM
Did you contact redstation about this? Probably a client abusing their network?
Posted by Jesmarin, 05-03-2016, 10:27 AM
Hello Thanks for your help. No I did not. The IPs continously change. There are more than 10 Ips in my firewall. I do not want to deal with them anymore and completely block Redstation. Is it wise to do that? And they say mostly abuse contact does not work. So I did not bother to send them mail. Cheers.
Posted by domainbop, 05-03-2016, 12:45 PM
You can find a list here: https://www.enjen.net/asn-blocklist/...62&type=iplist. If you're using CSF you can just enter their AS number AS35662 in CC_DENY. I would probably just initially block the 3 IPs you've received attacks from rather than blocking the entire AS because it would be less overhead on your server.
Posted by Jesmarin, 05-03-2016, 01:35 PM
Thank you very much domainbop for your help. Do you mind explaining how you get that AS number? Is it from whois command? Also I add those ranges into ip route blackhole so performance issue is minor I suppose.
Posted by domainbop, 05-03-2016, 02:02 PM
You can either use WHOIS from the command line or lookup the IP on a site like bgp.he.net to get the AS number.
Posted by Jesmarin, 05-03-2016, 02:06 PM
Thank you very much again domainbop for your help. bgp.he.net helped but there is no AS35662 info in whois 81.94.192.224 command output. Is not is always available for whois? It would be great to have a tool which could be used in terminal.
Posted by John-Noction, 05-03-2016, 03:36 PM
They are under the IOMART ASN these days I think and it would be a bit extreme to block all of IOMART, which I'm guessing must come at 400Gbit or so, over 3 IPs probing you. Contact their abuse team and have done with it. Providers generally take these things seriously and its a much bigger headache for them to clean up in the long run if they leave it.
Posted by SenseiSteve, 05-03-2016, 04:58 PM
Is it wise to do that? Not really, as replies earlier substantiate that. I do sympathise because this is the type of stuff that annoys all of us.
Posted by Jesmarin, 05-04-2016, 05:40 PM
Thank you very much for your all help. What if I report to abuse mails of the related hosting companies and they take down or block the outgoing network? Does not it make them switch another hosting company and increase their attack? Do hosting companies disclose the complainant?
Posted by Jesmarin, 05-04-2016, 05:41 PM
Thank you very much for your all help. What if I report to abuse mails of the related hosting companies and they take down or block the outgoing network? Does not it make them switch another hosting company and increase their attack? Do hosting companies disclose the complainant?