Solved

Determining Bots from IP addresses

Posted on 2013-11-04
598 Views
Last Modified: 2016-02-24
I have a load of ad traffic that is coming from suspected bots.  I do not use Google - this is via our own adserver.

I have 35,000 ad requests, of which 32,000 have come from just 14 IP addresses.  This leads me to suspect that it is bot traffic, however I wanted to try and find a test to prove this.

I have the following IP addresses:
For these I can determine their origin:

IP              Domain                                            Location
86.138.33.163   host86-138-33-163.range86-138.btcentralplus.com   United Kingdom
81.152.90.196   host81-152-90-196.range81-152.btcentralplus.com   United Kingdom, Y9, Porth
2.100.248.214   host-2-100-248-214.as13285.net                    United Kingdom, J8, Nottingham
90.244.38.87    user-5af42657.broadband.tesco.net                 United Kingdom, H9, London
82.39.117.105   cpc15-sgyl30-2-0-cust360.18-2.cable.virginm.net   United Kingdom, U8, Edinburgh
86.29.101.167   client-86-29-101-167.glfd.adsl.virginm.net        United Kingdom
86.149.231.103  host86-149-231-103.range86-149.btcentralplus.com  United Kingdom
2.221.46.25     02dd2e19.bb.sky.com                               United Kingdom, L9, Sheffield
82.26.240.24    cpc3-basf8-2-0-cust23.12-3.cable.virginm.net      United Kingdom, J8, Nottingham
213.249.135.36  gateway.howden.press.net                          United Kingdom, E1, Howden
86.129.5.190    host86-129-5-190.range86-129.btcentralplus.com    United Kingdom, H9, London
81.106.59.5     cpc9-ely05-2-0-cust4.5-1.cable.virginm.net        United Kingdom, X5, Cardiff
81.133.58.48    host81-133-58-48.in-addr.btopenworld.com          United Kingdom, H9, London
94.0.128.74     5e00804a.bb.sky.com                               United Kingdom, U8, Edinburgh
89.241.88.120   host-89-241-88-120.as13285.net                    United Kingdom, H3, Leeds
86.135.209.252  host86-135-209-252.range86-135.btcentralplus.com  United Kingdom, H9, London
2.219.38.165    02db26a5.bb.sky.com                               United Kingdom, L2, Rochdale

Like I said, I wanted to see if I can test if they are infected IPs.

A couple of thoughts.  Could I ping these IPs and analyse what comes back, i.e. bot traffic appears and disappears very quickly, so can I capture that?

Lost here, but any help - and please don't suggest Google analytics.

Many thanks
Question by:eezar21
2 Comments
LVL 58

Accepted Solution

by:
Gary earned 350 total points
ID: 39623043
Since these all seem to be home IP addresses there is not much you can do.
Is it possible someone is downloading your entire site (scraping)? Though the fact that there are 14 IPs makes this less obvious to detect; maybe they are changing the IP, see below.

You could block the IP, but this is no guarantee as their IP may change when they turn off/on the router.

Whether it is a scraper or bad bot, you could create a honeypot for them to follow.
http://www.techjunkie.com/preventing-site-scraping/
Couldn't find a better example online, but the basics are there.
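The two checks discussed in this thread, the asker's concentration and "appears and disappears very quickly" observation and Gary's honeypot path, applied to an ad-server access log. This is an added example, not code from the question or the answers; it assumes an Apache combined-format log, a hypothetical trap path /trap/ that is linked invisibly and disallowed in robots.txt, and the sample lines are constructed with RFC 5737 documentation addresses rather than the IPs in the question.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (Apache combined format); documentation IPs only.
SAMPLE_LOG = """\
192.0.2.10 - - [04/Nov/2013:10:00:00 +0000] "GET /ad?slot=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [04/Nov/2013:10:00:00 +0000] "GET /ad?slot=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [04/Nov/2013:10:00:01 +0000] "GET /ad?slot=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [04/Nov/2013:10:00:01 +0000] "GET /trap/ HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Nov/2013:10:05:00 +0000] "GET /ad?slot=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Nov/2013:10:17:30 +0000] "GET /ad?slot=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) [^"]*"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    # Returns (ip, timestamp, path), or None for a line that is not a request record.
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TS_FMT), m.group(3)

def profile_ips(log_text, trap_prefix="/trap/"):
    # Per IP: request count, share of all requests, fastest gap between two of its
    # requests in seconds (None if it made only one) and hits on the honeypot path.
    times, trap_hits = defaultdict(list), defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ip, ts, path = rec
            times[ip].append(ts)
            trap_hits[ip] += path.startswith(trap_prefix)  # bool counts as 0/1
    total = sum(len(t) for t in times.values()) or 1
    profile = {}
    for ip, ts in times.items():
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        profile[ip] = {"requests": len(ts), "share": len(ts) / total,
                       "min_gap_s": min(gaps) if gaps else None, "trap_hits": trap_hits[ip]}
    return profile

def flag_suspects(profile, share_threshold=0.05, burst_gap_s=2.0):
    # Flag an outsized share of traffic, requests fired faster than a person plausibly
    # clicks, or any hit on the honeypot path; an unflagged IP is absent from the result.
    flagged = {}
    for ip, p in profile.items():
        reasons = [r for r, hit in (
            ("share", p["share"] >= share_threshold),
            ("burst", p["min_gap_s"] is not None and p["min_gap_s"] < burst_gap_s),
            ("trap", p["trap_hits"] > 0)) if hit]
        if reasons:
            flagged[ip] = reasons
    return flagged
```

On the numbers in the question (32,000 of 35,000 requests from 14 addresses) the share check alone would fire; the burst gap and trap hits are what separate a scraper from a busy shared household connection, so tune the thresholds against a week of normal traffic before blocking anything.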
LVL 47

Assisted Solution

by:dlethe
dlethe earned 150 total points
ID: 39623155
No virus writer is going to be stupid enough to configure a system to respond to ICMP echo (ping) requests.

Also you are assuming that all traffic is TCP, you probably also have UDP type traffic.

Just forget tracing, the IP numbers you see aren't going to be the correct destinations.
