Recently, I was involved in mitigating malicious scripted activity against a site that was found to be coming from a range of IP addresses.
whois is a useful tool when dealing with this type of an issue. It can provide a network range for a given IP address.
➜ ~ whois 188.8.131.52 NetRange: 184.108.40.206 - 220.127.116.11 CIDR: 18.104.22.168/20 NetName: NET3-INC NetHandle: NET-104-232-32-0-1 Parent: NET104 (NET-104-0-0-0-0) NetType: Direct Allocation OriginAS: AS36352, AS62584, AS55286 Organization: Net3 Inc. (NETIN-11) RegDate: 2014-10-27 Updated: 2014-10-27 Ref: https://whois.arin.net/rest/net/NET-104-232-32-0-1 OrgName: Net3 Inc. OrgId: NETIN-11 Address: 8195 Sheridan Drive City: Buffalo StateProv: NY PostalCode: 14221 Country: US RegDate: 2013-07-10 Updated: 2015-08-14 Ref: https://whois.arin.net/rest/org/NETIN-11 OrgTechHandle: NOC13226-ARIN OrgTechName: Network Operations Center OrgTechPhone: +1-289-408-9989 OrgTechEmail: [email protected] OrgTechRef: https://whois.arin.net/rest/poc/NOC13226-ARIN OrgAbuseHandle: NOC13226-ARIN OrgAbuseName: Network Operations Center OrgAbusePhone: +1-289-408-9989 OrgAbuseEmail: [email protected] OrgAbuseRef: https://whois.arin.net/rest/poc/NOC13226-ARIN OrgNOCHandle: NOC13226-ARIN OrgNOCName: Network Operations Center OrgNOCPhone: +1-289-408-9989 OrgNOCEmail: [email protected] OrgNOCRef: https://whois.arin.net/rest/poc/NOC13226-ARIN
I provided the range of IP addresses (22.214.171.124 - 126.96.36.199) to the hosting company to block at the firewall. However, in their correspondence, they began referring to the IP address range in a way I wasn’t familiar with. It looked like this:
Curious as always, I did a little investigation and found out that this way of referring to networks is called CIDR notation. I became interested and decided to learn a little more about CIDR notation…what is it used for and why? Here, I’ll share my learnings for anyone else who is curious.
Apache’s hooking system provides a very convenient way to customize request processing. However, thorough documentation is difficult to track down. The Apache developer documentation refers readers to the Doxygen documentation, however that page makes no mention of some commonly used hooks such as
mod_log_config provides many useful ”%” directives for defining
CustomLog formats. In combination with its friend,
mod_logio, 99% percent of logging use cases are covered. However, one day, you may find that there’s something you want to log that is not accessible with the tools Apache provides you. Luckily, you can utilize Apache’s module system to add your own logging directives. In this guide, we’ll write an Apache module that adds a
%^IH % directive which records request header size, in bytes.
A foreign key constraint is defined by Wikipedia as follows…
A field (or collection of fields) in one table that uniquely identifies a row of another table or the same table.
Sounds pretty technical, right? Frequently, a developer uses his or her judgement when planning the architecture of some feature to decide when a foreign key is appropriate. However, I had an experience today where I learned that often, foreign key constraint enforcement is a business decision rather than a technical one.
How should I log a PHP array?
If you work as a PHP developer this is probably a question you’ve asked yourself before. There are quite a few guides you’ll find online in regards to this subject.
print_rto gracefully debug PHP
Typically, they point to PHP’s
Unfortunately, they’re wrong
PSA: print_r() for logs sucks...— Max Chadwick (@maxpchadwick) November 30, 2016
So why, exactly, does
print_r suck for logging? Allow me to elaborate.
Recently, I caught wind of an issue which was reported by the client as follows…
Customers are getting error screens stating that their request was blocked.
At first glance, it smelled like an issue at the WAF (web application firewall).
A quick call with our hosting provider later, we confirmed that requests were, indeed, violating the WAF’s “max header size” policy. Let’s take a look at the what and the why.