[wplug-internet] Wiki under persistent attack from China

Vance Kochenderfer vkochend at nyx.net
Fri May 3 23:51:57 EDT 2013


Over the past few days, I've blocked a few dozen more /16s on the
wiki.  It seems all of Fujian Province wants to create accounts
(but oddly, they don't want to actually post anything).

Although MediaWiki records the IP address someone used to
register, it does not display this information in its logs.  You
can view it by connecting to the database (see details in
/home/board/mediawiki-info) and running the following query:

  SELECT rc_timestamp,rc_user_text,rc_ip FROM recentchanges
  ORDER BY rc_timestamp DESC LIMIT 20;

You can of course alter the LIMIT clause to show as many entries
as you like.

If you're seeing multiple robot accounts coming from the same
netblock (use whois to verify it's from the same network), you can
go to the Block User page and enter in an IP range in the CIDR
form 27.159.0.0/16 (note that a /16 is the largest netblock you
can specify; smaller ones are OK).

Only do this for non-U.S. netblocks; there are unlikely to be any
legitimate users of the wiki coming from overseas.  For domestic
addresses, try to be more discriminating to avoid collateral
damage.  Often it will just be a single IP address or a small set
of addresses - block these one by one.

Normally these should be temporary blocks.  If the problem returns
from a particular source once its block expires, we can consider
making it permanent.

Vance Kochenderfer        |  "Get me out of these ropes and into a
vkochend at nyx.net          |   good belt of Scotch"    -Nick Danger
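
The triage described in the message above, as an added example that is not part of the original post or of MediaWiki: it groups registration rows shaped like the query output by /16 and proposes the tightest CIDR block to review, never wider than the /16 limit. The function names, the `min_accounts` threshold and the sample rows are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample rows in the shape returned by the query in the message:
# (rc_timestamp, rc_user_text, rc_ip). Only 27.159.x.x comes from the page.
SAMPLE_ROWS = [
    ("20130503031501", "Bot001", "27.159.12.7"),
    ("20130503031744", "Bot002", "27.159.200.41"),
    ("20130503032210", "Bot003", "27.159.64.9"),
    ("20130503040102", "Bot004", "198.51.100.23"),
    ("20130503040530", "Bot005", "198.51.100.23"),
    ("20130503050000", "Alice", "203.0.113.5"),
    ("20130503050100", "Maint", ""),
]
MAX_PREFIX = 16  # largest netblock the Block User page accepts, per the message


def covering_block(addrs):
    """Smallest CIDR block containing all addrs, never wider than /16."""
    lo, hi = int(min(addrs)), int(max(addrs))
    prefix = 32
    while prefix > MAX_PREFIX and (lo >> (32 - prefix)) != (hi >> (32 - prefix)):
        prefix -= 1  # widen until both ends share the same network bits
    return ipaddress.ip_network((lo >> (32 - prefix) << (32 - prefix), prefix))


def candidate_blocks(rows, min_accounts=2):
    """Group registrations by /16; return [(cidr, account_count)] to review."""
    by_slash16 = defaultdict(lambda: (set(), set()))  # key -> (addrs, users)
    for _ts, user, ip in rows:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # empty or malformed rc_ip value
        if addr.version != 4:
            continue  # this example only handles IPv4
        key = int(addr) >> 16
        by_slash16[key][0].add(addr)
        by_slash16[key][1].add(user)
    out = []
    for addrs, users in by_slash16.values():
        if len(users) >= min_accounts:  # one account alone is not a pattern
            out.append((str(covering_block(addrs)), len(users)))
    return sorted(out, key=lambda t: -t[1])
```

The output is a list of candidates only; each range still needs the whois check and the domestic/overseas judgment described in the message before it is entered on the Block User page.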

