Solved

Determining Bots from IP addresses

Posted on 2013-11-04
2
625 Views
Last Modified: 2016-02-24
I have a load of ad traffic that is coming from suspected bots.  I do not use Google - this is via our own adserver.

I have 35,000 ad requestes of which 32,000 have come from just 14 IP addresses.  This leads me to suspect that it is bot traffic, however I wanted to try and find a test to prove this.

I have the following IP addresses:
86.138.33.163
81.152.90.196
2.100.248.214
90.244.38.87
82.39.117.105
86.29.101.167
86.149.231.103
2.221.46.25
82.26.240.24
213.249.135.36
86.129.5.190
81.106.59.5
81.133.58.48
94.0.128.74
89.241.88.120
86.135.209.252
2.219.38.165

Which I can determine their origin:


IP      Domain      Location
86.138.33.163      host86-138-33-163.range86-138.btcentralplus.com      United Kingdom flag United Kingdom
81.152.90.196      host81-152-90-196.range81-152.btcentralplus.com      United Kingdom flag United Kingdom, Y9, Porth
2.100.248.214      host-2-100-248-214.as13285.net      United Kingdom flag United Kingdom, J8, Nottingham
90.244.38.87      user-5af42657.broadband.tesco.net      United Kingdom flag United Kingdom, H9, London
82.39.117.105      cpc15-sgyl30-2-0-cust360.18-2.cable.virginm.net      United Kingdom flag United Kingdom, U8, Edinburgh
86.29.101.167      client-86-29-101-167.glfd.adsl.virginm.net      United Kingdom flag United Kingdom
86.149.231.103      host86-149-231-103.range86-149.btcentralplus.com      United Kingdom flag United Kingdom
2.221.46.25      02dd2e19.bb.sky.com      United Kingdom flag United Kingdom, L9, Sheffield
82.26.240.24      cpc3-basf8-2-0-cust23.12-3.cable.virginm.net      United Kingdom flag United Kingdom, J8, Nottingham
213.249.135.36      gateway.howden.press.net      United Kingdom flag United Kingdom, E1, Howden
86.129.5.190      host86-129-5-190.range86-129.btcentralplus.com      United Kingdom flag United Kingdom, H9, London
81.106.59.5      cpc9-ely05-2-0-cust4.5-1.cable.virginm.net      United Kingdom flag United Kingdom, X5, Cardiff
81.133.58.48      host81-133-58-48.in-addr.btopenworld.com      United Kingdom flag United Kingdom, H9, London
94.0.128.74      5e00804a.bb.sky.com      United Kingdom flag United Kingdom, U8, Edinburgh
89.241.88.120      host-89-241-88-120.as13285.net      United Kingdom flag United Kingdom, H3, Leeds
86.135.209.252      host86-135-209-252.range86-135.btcentralplus.com      United Kingdom flag United Kingdom, H9, London
2.219.38.165      02db26a5.bb.sky.com      United Kingdom flag United Kingdom, L2, Rochdale

Like I said I wanted to see if I can test if they are infected IPs.

A couple of thoughts.  Could I ping these IPs and analyse what comes back, i.e. bot traffic appears and disappears very quickly, so can I capture that?

Lost here, but any help - and please don't suggest Google analytics.

many thanks
0
Comment
Question by:eezar21
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 58

Accepted Solution

by:
Gary earned 350 total points
ID: 39623043
Since these all seem to be home IP addresses there is not much you can do.
Is it possible someone is downloading your entire site (scraping)? Though that there is 14 IP's makes this less obvious to detect, maybe they are changing the IP, see below

You could block the IP but this is no guarantee as their IP may change when they turn off/on the router

Whether it is a scraper or bad bot you could create an honeypot for them to follow.
http://www.techjunkie.com/preventing-site-scraping/
Couldn't find a better example online, but the basics are there.
0
 
LVL 47

Assisted Solution

by:dlethe
dlethe earned 150 total points
ID: 39623155
No virus writer is going to be stupid enough to configure a system to respond to ICMP echo (ping) requests.

Also you are assuming that all traffic is TCP, you probably also have UDP type traffic.

Just forget tracing, the IP numbers you see aren't going to be the correct destinations.
0

Featured Post

Space-Age Communications Transitions to DevOps

ViaSat, a global provider of satellite and wireless communications, securely connects businesses, governments, and organizations to the Internet. Learn how ViaSat’s Network Solutions Engineer, drove the transition from a traditional network support to a DevOps-centric model.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Read about the 3 stages of the buyer's journey: awareness, consideration, and decision.
Marketers need statistics and metrics like everybody else needs oxygen. In this article we explain how to enable marketing campaign statistics for Microsoft Exchange mail.
Google currently has a new report that is in beta and coming soon to Webmaster Tool accounts. This Micro Tutorial will highlight new features for Google Webmaster Tools.
This Micro Tutorial will demonstrate how nuggets on the Web are formatted by using Chrome Developer Tools. These tools would not only view the site's CSS but it can also modify it and save the CSS to use on your own site.

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question