Saturday, June 28, 2008

WTF is going on in Bahrain?

View Larger Map

If you've been following the Proxy List since it went online (and I know you haven't since all the hits I've been getting are from Google - but what the heck, I'm usually just talking to myself here anyway) you may have noticed that Bahraini proxies take up about 30% of the list.

All of the lists I poach show the same thing. Somebody is scanning the fuck out of Bahrain.

I've done a small random sampling/reality check and found that the proxies are, indeed, answering. None of them are ping-able, but that's not surprising since a lot of Web sites started following Microsoft's lead when they shut off ICMP to their servers in the late 90s (can you say "Ping of Death", boys and girls?).

All the addresses I've checked belong to Bahrain Telecomm. None of them have DNS names.

And the few I've scanned have only port 80 open. Because there is no server banner, my initial, expert evaluation is:
  • Bahrain Telecomm is new at the ISP business
  • They have no clue what they're doing

The alternate view, which I consider less likely, is that their customers have been hacked. No, these are probably access points or cable modems or, simply, some sort of distributed cache setup for their client base.

In the process of reality-checking my reality check, I have started to get some "403 Access Denied" responses from addresses that were working yesterday. The Bahraini proxy surge may be over soon.

[ OK, quick Smurf joke:
Q. What do you call a Smurf from Manama?
A. Bahraini Smurf ]

I have seen these proxy surges dozens of times. I used to use Proxy4Free back in the heyday of proxy lists (roughly 2001-2005, since then it's been relatively useless). They would have pages and pages and pages of Chinese and/or Brazilian proxies (port 6588 was big in Brazil for some reason) that, by the time I got to them, were all offline.

Those ISPs obviously discovered the error of their ways and fixed everything. You can't blame that kind of massive idiocy on the end user (well, you can and they probably did).

You may have also noted a slew of Japanese "proxies" at the end of the list. These have been reality-checked as well, and they're all junk. They will disappear sometime on June 30th, when the Master Reality Check process kicks off next (it runs on Monday, Wednesday, and Friday). After a typical Master Reality Check the list will go from ~450-500 proxies down to ~350.

For some unknown reason those Japanese sites are proxy judge pages (here is a random sample - it won't bite), so they look like proxies to my algorithm. I have found a way to distinguish them from the genuine article and will be implementing that this weekend.

No comments:

Post a Comment