-
-
Save kyledrake/e6046644115f185f7af0 to your computer and use it in GitHub Desktop.
| # The blog post that started it all: https://neocities.org/blog/the-fcc-is-now-rate-limited | |
| # | |
| # Current known FCC address ranges: | |
| # https://news.ycombinator.com/item?id=7716915 | |
| # | |
| # Confirm/locate FCC IP ranges with this: http://whois.arin.net/rest/net/NET-165-135-0-0-1/pft | |
| # | |
| # In your nginx.conf: | |
| location / { | |
| if ( $remote_addr ~* 192.133.125.0/24 ) { | |
| limit_rate 3k; | |
| } | |
| if ( $remote_addr ~* 165.135.0.0/16 ) { | |
| limit_rate 3k; | |
| } | |
| if ( $remote_addr ~* 192.104.54.0/24 ) { | |
| limit_rate 3k; | |
| } | |
| if ( $remote_addr ~* 4.21.126.0/24 ) { | |
| limit_rate 3k; | |
| } | |
| if ( $remote_addr ~* 65.125.25.64/26 ) { | |
| limit_rate 3k; | |
| } | |
| if ( $remote_addr ~* 208.23.64.0/25 ) { | |
| limit_rate 3k; | |
| } | |
| # put the serve files or proxy_pass code here. | |
| } |
FYI: FCC has a few more IP addresses than above:
This from ARIN.NET (the people who assign NA IP addresses):
FCC (NET-165-135-0-0-1) 165.135.0.0 - 165.135.255.255
FCCNET2 (NET-192-133-125-0-1) 192.133.125.0 - 192.133.125.255
FCCNET (NET-192-104-54-0-1) 192.104.54.0 - 192.104.54.255
FCC2-126-30 (NET-4-21-126-0-1) 4.21.126.0 - 4.21.126.255
FCC (NET6-2620-610-1) 2620:0:610:: - 2620:0:610:FFFF:FFFF:FFFF:FFFF:FFFF
SPRINTLINK (NET-208-23-64-0-1) 208.23.64.0 - 208.23.64.127
TBD (NET6-2600-803-230-1) 2600:803:230:: - 2600:803:230:FFFF:FFFF:FFFF:FFFF:FFFF
Q0503-65-125-25-64 (NET-65-125-25-64-1) 65.125.25.64 - 65.125.25.127
SPRINTLINK (NET-208-31-254-128-1) 208.31.254.128 - 208.31.254.255
However - in my 15+ years in telecommunications, it entirely too easy to source from a different subnet not listed here. Unfortunately as xyntrix said, web logs will tell the tale of where the source is coming from.
(my two cents) - while this is a SPECTACULAR idea, it won't last long as subnets and source IP's can be added to their servers and NOT added to the FCC's AS/BGP announcements.
Good luck guys!
Sean
https://destinationsunknown.com/author/imseanbrown
No need for mod rewrite and icky php scripts. mod_ratelimit does this. http://httpd.apache.org/docs/current/mod/mod_ratelimit.html
applause
Would have been nice if Netflix did this with Comcast customers. Instead of paying Comcast for doing what its customers already pay them for, have them pay to keep their own customers happy. (I realise they couldn't have because monopoly and not wanting to be the bad guy, but still, one can dream...)
There has to be a way to emulate this in JS. Then we could make a Cloudflare app....
for sake of completness, lighttpd version: https://gist.github.com/ft11/34fb1974eb5aff8a36fd
Sorry for the n00b question...
My site is WordPress powered hosted on GoDaddy. Any idea how to implement this? Or if someone can make a plugin like the SOPA blackout one, that would be awesome!
Thank you for this, implementing it directly. Logic will prevail.
I look forward to these ranges being reassigned, then all of you forgetting this shit in your long, crusty configuration file, then spending four days trying to figure out why only $isp customers in $region can't do shit with your site.
Oh wait, if you're sticking this in your config and getting away with it, you don't have a site of note. So, never mind.
(Also, the Apache 12-regexes-per-request to a PHP script that calls sleep() is my personal favorite. In grown-up operations terms, we call that a "DoS vector," being one while(1) away from unresponsive.)
Not tested and could use some improvements. I'll make a better version and post tomorrow.
= ip2long("192.133.125.0") && $ip <= ip2long("192.133.125.24") ) || ( $ip >= ip2long("165.135.0.0") && $ip <= ip2long("165.135.0.16") ) || ( $ip >= ip2long("192.104.54.0") && $ip <= ip2long("192.104.54.24") ) || ( $ip >= ip2long("4.21.126.0") && $ip <= ip2long("4.21.126.0/24") ) || ( $ip >= ip2long("65.125.25.26") && $ip <= ip2long("65.125.25.64") ) || ( $ip >= ip2long("208.23.64.0") && $ip <= ip2long("208.23.64.25") )) { //Redirect to some horrible site. You need to change the last line for this script to work. header("Location: lemonparty.org || meatspin.cc || someOtherHorribleSite.whatevs"); die(); } ?>
Apache 12-regexes-per-request
In grown-up operations terms, we call that a "DoS vector," being one while(1) away from unresponsive.)
Can't tell if this is a joke or pure idiocy. Also this made me laugh:
Oh wait, if you're sticking this in your config and getting away with it, you don't have a site of note. So, never mind.
@m1 Pay no heed. Apple's employees know everything about everything.
Genius.
FWIW: If you are a MaxCDN customer you can enable this in the CP: http://blog.maxcdn.com/throttle-fcc-fight-net-neutrality/
👍
+1
Brilliant! Implementing this on all of my sites...
Anyone implemented this recently?
Are those IP-ranges still correct?
Just to confirm.. aren't these the public IPs for FCC in-bound services and what not? Are FCC employees actually sourcing connections out from behind these IPs (eg, their phone, home, or office connection)?
This would be like throttling the IP(s) for www.google.com to give Google employees a bad time -- right? Does anyone have access logs showing traffic from these IPs?