IP Address Lookups for Addresses that were Blocked by FTP Dynamic IP Restrictions

A few months ago I wrote a blog post that was titled "Merging FTP Extensibility Walkthroughs - Part 2", where I described how to merge my FTP Dynamic IP Restrictions Authentication Provider walkthrough with my FTP Provider that Sends an Email when Files are Uploaded walkthrough. The result of this code combination was a custom FTP authentication provider that provides support for dynamic IP restrictions and sends me an email every time a new IP address is blocked. I deployed this custom FTP authentication provider on one of my public-facing FTP sites when I wrote the blog post, and in the three months that I have been using that provider it has blocked 88 IP addresses.

Recently it seems that every day I receive a new email that another IP address has been blocked. If you've seen my LogParser and other log-related blog posts you'll realize that I'm kind of a log analysis junkie, so I thought that it might be interesting to at least show something of a breakdown for the information that I've been seeing. For privacy reasons I can't distribute the list of IP addresses, so I'll just show a list of countries that I've seen in my dynamic IP restriction provider's SQL database since I deployed my provider.

The method that I employed for obtaining the location information was to write a couple of small scripts that dumped the list of IP addresses from my dynamic IP restriction provider's SQL database to a text file and then performed an IP address lookup to count the various countries from where the various hacking attempts have been originating. This gave me the following country-by-country information:

Country              Total
UNITED STATES           23
CHINA                   20
[unknown]               15
GERMANY                  5
REPUBLIC OF KOREA        4
FRANCE                   3
CZECH REPUBLIC           3
SPAIN                    3
POLAND                   2
BRAZIL                   1
CYPRUS                   1
SAUDI ARABIA             1
ARGENTINA                1
NETHERLANDS              1
JAPAN                    1
THAILAND                 1
SWITZERLAND              1
UKRAINE                  1
INDIA                    1
Total                   88

I can't give out the name of the site that I used for the IP lookups, but there are several IP locator, geotargeting, or IP mapping sites available; a simple Internet search should provide you with a list of those sites. Once I chose one of those sites, writing a script to pull the IP addresses from my dynamic IP restriction provider's SQL database and perform the lookup was simple. The code that I wrote for the IP lookups was in VBScript, which I have included below. To use this script, you would need to populate a file named "IP_Addresses.txt" with the IP addresses to query, change the value of IP_LOOKUP_STUB in the example below to one of the available IP lookup URLs, then run the script, which will create a file named "IP_Addresses.log" with the resulting IP lookup information:

' ****************************************
Option Explicit

' ****************************************
Const MAX_ATTEMPTS   = 10    ' the number of times to keep retrying to get a file
Const FAILURE_SLEEP  = 1000  ' the number of milliseconds to sleep between retries
Const SUCCESS_SLEEP  = 1000  ' the number of milliseconds to sleep between successes
Const IP_LOOKUP_STUB = "http://www.example.com/page?ip="

' ****************************************
Dim objFSO
Dim objFile
Dim strLookupURL

' ****************************************
Set objFSO = WScript.CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile("IP_Addresses.txt")
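Do While Not objFile.AtEndOfStream
  strLookupURL = Trim(objFile.ReadLine)
  ' Skip blank lines so that no lookup is sent without an IP address
  If Len(strLookupURL) > 0 Then
    strLookupURL = IP_LOOKUP_STUB & strLookupURL
    Call IpLookup(strLookupURL)
  End If
Loop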
objFile.Close
WScript.Quit

' ****************************************
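Function IpLookup(tmpURL)
  ' Errors are not raised; Err.Number is checked after each request instead
  On Error Resume Next
  Dim intTempAttempt
  Dim blnTempStatus
  Dim objTempFSO
  Dim objTempFile
  Dim objHTTP
  Set objTempFSO = CreateObject("Scripting.FileSystemObject")
  Set objHTTP = CreateObject("MSXML2.ServerXMLHTTP")
  blnTempStatus = False
  For intTempAttempt = 1 To MAX_ATTEMPTS
    ' Clear any error left over from the previous attempt; otherwise a single
    ' failed request would make every later attempt look like a failure
    Err.Clear
    objHTTP.Open "GET", tmpURL, False
    objHTTP.Send
    If Err.Number = 0 Then
      If (objHTTP.Status = 200) Then
        blnTempStatus = True
        ' 8 = open for appending, True = create the log file if it is missing
        Set objTempFile = objTempFSO.OpenTextFile("IP_Addresses.log",8,True)
        objTempFile.WriteLine String(80,"=")
        objTempFile.WriteLine tmpURL
        objTempFile.WriteLine objHTTP.responseText
        objTempFile.Close
        ' Pause between successful lookups so the lookup site is not flooded
        WScript.Sleep SUCCESS_SLEEP
        Exit For
      End If
    End If
    ' Wait a little longer after each failed attempt before retrying
    WScript.Sleep FAILURE_SLEEP * intTempAttempt
  Next
  Set objHTTP = Nothing
  IpLookup = blnTempStatus
End Function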

If you would rather use managed code, a great example that you could use as a starting point is the KBSoft IP Locator example by Alexandr Golovanov, which also includes the URLs for a couple of IP locator services. Sometime in the future I think that I might write an ASP.NET application that replaces the VBScript code with a web-based interface, or I might add the IP locator logic to my dynamic IP restriction provider in an asynchronous function so that I have the information readily available whenever I want, but for the moment I'm content with my low-tech solution. ;-]
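
The counting step is not shown in the post, so here is an added Python example (not the author's code) that tallies countries from the "IP_Addresses.log" records the VBScript writes, counting each address once because the script appends to the log on every run. It assumes the lookup service returns a line such as "Country: GERMANY" and takes the address in an "ip" query parameter as in the placeholder stub; both depend on the service you pick, and the sample log is constructed.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Assumption: the service's response has a line such as "Country: GERMANY".
COUNTRY_RE = re.compile(r"^[ \t]*Country:[ \t]*(\S.*)$", re.I | re.M)

def parse_records(log_text):
    """Yield (url, body) per record; each starts with a line of 80 "=" signs."""
    for chunk in re.split(r"(?m)^={80}\r?$", log_text):
        url, _, body = chunk.strip().partition("\n")
        if url:
            yield url.strip(), body

def ip_from_url(url):
    """Return the address in the assumed "ip" query parameter, or None."""
    values = parse_qs(urlsplit(url).query).get("ip", [])
    try:
        return ipaddress.ip_address(values[0].strip()) if values else None
    except ValueError:
        return None

def tally_countries(log_text):
    """Count each valid address once; no country line counts as [unknown]."""
    counts, seen = Counter(), set()
    for url, body in parse_records(log_text):
        ip = ip_from_url(url)
        if ip is None or ip in seen:  # blank input line, or a repeated run
            continue
        seen.add(ip)
        match = COUNTRY_RE.search(body)
        counts[match.group(1).strip().upper() if match else "[unknown]"] += 1
    return counts

# Constructed sample log (documentation addresses), not real lookup output.
STUB = "http://www.example.com/page?ip="
SEP = "=" * 80
SAMPLE_LOG = "\r\n".join([
    SEP, STUB + "192.0.2.10", "IP: 192.0.2.10", "Country: Germany",
    SEP, STUB + "198.51.100.7", "Country: China",
    SEP, STUB + "203.0.113.5", "No record found",
    SEP, STUB + "192.0.2.10", "Country: Germany",  # duplicate record
    SEP, STUB, "Country: France",                   # blank input line
    SEP, STUB + "198.51.100.8", "Country: china",
])

if __name__ == "__main__":
    print(tally_countries(SAMPLE_LOG).most_common())
```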
