Some IPs to add to your firewall

Posted: Mon Dec 12, 2011 7:23 pm
by faris
Well...one of our sites went from a few megs to 9Gb transfer usage almost overnight. In the logs, I found loads of entries from suhosin about "variable name length limits" being exceeded, along with the IPs in question. These all pointed back to MCI/Verizon in the US.

At that point I drew a blank, and informed the customer (one of our best/nicest/most wonderful) of my findings, and asked him if he had any clues because I certainly didn't.

He did some research and found http://www.katsbits.com/smforum/index.php?topic=293.0 which mentions a number of the IPs in question. [ Light Bulb! ]

It makes interesting reading. There's a bunch of IPs in there that I'd recommend adding to your firewalls to prevent this. Gods, I wonder if it was related to my Google AdSense banning? Surely Google would have noticed something like that and would not blame the webmaster.

Anyway...I've blocked the /24 on each of those ranges rather than just the ones mentioned, as a temporary measure. Unfortunately I can't figure out the /subnets to use and I'd rather not enter all those IPs individually, but I'll bite the bullet tomorrow and do so.

[EDIT: p.s. some, but not all, listed on project honeypot as "rule breakers" ]
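The post's two open problems (pulling the offending IPs out of the suhosin alerts, and turning them into subnets instead of entering each address by hand) can be handled as in this added example, which is not part of the original post. The log line wording, the sample addresses, and the function names are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines (assumed Suhosin syslog alert wording); the addresses
# are private/documentation ranges, not the IPs discussed in the thread.
_A = "ALERT - configured request variable name length limit exceeded - dropped variable"
SAMPLE_LOG = "\n".join(
    f"Dec 12 03:14:0{i} web1 suhosin[2211]: {_A} 'aaaa' (attacker '{ip}', file '/var/www/index.php')"
    for i, ip in enumerate(["10.20.4.17", "10.20.4.17", "10.20.5.200",
                            "192.0.2.8", "192.0.2.9", "192.0.2.10", "192.0.2.11"])
) + "\nDec 12 03:15:00 web1 sshd[900]: Failed password for root from 203.0.113.5 port 22"

ATTACKER_RE = re.compile(r"variable name length limit exceeded.*\(attacker '([0-9.]+)'")

def offenders(log_text, min_hits=1):
    """Unique source IPs seen in name-length alerts at least min_hits times."""
    hits = Counter(m.group(1) for m in ATTACKER_RE.finditer(log_text))
    return sorted(ipaddress.ip_address(ip) for ip, n in hits.items() if n >= min_hits)

def widen_to_24(ips):
    """The post's temporary measure: block the whole /24 around each offender,
    then merge adjacent /24s into larger prefixes where they align."""
    nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips}
    return list(ipaddress.collapse_addresses(nets))

def tight_ranges(ips):
    """Smallest CIDR set covering exactly the offenders, nothing else."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(str(ip)) for ip in ips))

if __name__ == "__main__":
    ips = offenders(SAMPLE_LOG)
    print("wide :", *widen_to_24(ips))
    print("tight:", *tight_ranges(ips))
```

The tight list is the one to keep long term, since it avoids blocking unrelated neighbours that share a /24 with an offender.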