In view of the problem you/we experienced, how about requiring all those who are whitelisted to connect via a secure socket layer, either via SSH or SSL?

On Thu, Feb 12, 2009 at 2:50 PM, Matt Sanford <m...@twitter.com> wrote:
> Hi Duane,
>
> I'm sorry you've been caught in the crossfire but until Media Temple's abuse department lets us know they've handled this we can't unblock the IP range. The best thing I can suggest is to contact Media Temple and let them know that not taking action on this is affecting you.
>
> I think everyone agrees that IP range blocking like this is a bad thing to have to do. Unfortunately it's the only method that our operations team has found to be effective. I have an operations background and I've not seen any other solution to stop this type of behavior other than contacting the hosting provider's abuse department. Withstanding an attack while you wait on a hosting provider with whom you have no agreement is not really an ideal solution.
>
> Again, to Duane and everyone else caught in the crossfire, I'm sorry that we have to block IPs like this. I know this is hurting people's applications and development time but there does not seem to be a better solution at the moment. If you have a suggestion of a better way to block these types of attacks please email me off-list and I'll be happy to read them. In the meantime I am going to stop replying to individual messages in this thread. I will update everyone once we have some resolution.
>
> Thanks;
> — Matt Sanford
>
> On Feb 12, 2009, at 11:12 AM, Duane Storey wrote:
>
> Matt,
>
> I wrote a popular WordPress plugin for Twitter, and currently the Media Temple blocking is impacting us. All of our servers run on Media Temple, and currently we do not have the ability to test the plugin or to release new updates because our servers (which ironically host the plugin for download) can't access your API due to mass blocking of a media temple cluster from your side. Obviously we can set up a test environment somewhere else, but I don't think your solution to the problem is adequate, and it's hurting our ability to release plugins which people use to interface with Twitter. If we can find another solution to this problem, it would be appreciated, as I don't think mass blocking IP addresses is a good way to go as it results in issues like these for people on shared hosting.
>
> Regards,
> Duane Storey
>
> On Feb 12, 7:43 am, Matt Sanford <m...@twitter.com> wrote:
> > Hi Jeff,
> >
> > This error is unrelated to rate limiting and is instead a network level block to prevent the selection of attacks they were running. This is also a block of a range of IP addresses because the attacker was coming from multiple IPs in the same range. We have to deflect attacks with the tools we have, and right now a network block is that tool. We're waiting on the Media Temple abuse group to get back to us before we can unblock it.
> >
> > Thanks;
> > — Matt Sanford
> >
> > On Feb 12, 2009, at 04:19 AM, JeffC wrote:
> >
> > The fact that you rate limit by IP address seems to be a fundamental problem. Wouldn't this be alleviated by introducing some kind of API key that uniquely identifies the actual application with each call? You could keep the existing structure for 'unsigned' calls and let people who really care sign up, get a key, and use it with all their API calls.
> >
> > My apologies if this is naive, impractical, or already discussed elsewhere in this group. I don't have much experience in this area but it seems like an obvious solution.
> >
> > Jeff Clark
> >
> > On Feb 11, 6:22 pm, Matt Sanford <m...@twitter.com> wrote:
> > Hi Dusty,
> >
> > We've seen a few different people on shared hosting services run into problems where they are blocked in the aftermath of some other application. Without your own IP address we really can't tell you apart so you do run the risk of being blocked if you happen to share an IP with a service attempting to spam us or crack passwords. We try to help everyone out but at the end of the day user security and keeping the system up outweigh everything else. It sucks that we have to block people, I'm in total agreement. Finding contacts for an IP range is difficult and waiting on a reply while being attacked isn't totally practical. The only way to be sure this doesn't affect you is to have a dedicated IP address.
> >
> > Thanks;
> > — Matt Sanford
> >
> > "I will strike down upon thee with great vengeance and furious anger those who would attempt to poison and destroy my brothers"
> >
> > On Feb 11, 2009, at 03:13 PM, DustyReagan wrote:
> >
> > Thanks for the quick feedback guys!
> >
> > Is there any way to warn a poor guy when an IP range he's on is about to get blocked? My sites are important to me, get a decent amount of traffic, and make revenue. I got punished due to someone else's crime. *I'm not trying to play the violin over here, but this kinda' sucks.*
> >
> > Is the only safe course to host on a private dedicated server?
> >
> > On Feb 11, 4:09 pm, Alex Payne <a...@twitter.com> wrote:
> > Matt will be contacting you off-list. For future reference if others run into this issue:
> > http://apiwiki.twitter.com/FAQ#IsmyIPbannedorblacklisted
> >
> > On Wed, Feb 11, 2009 at 13:45, DustyReagan <dustyrea...@gmail.com> wrote:
> >
> > Oh. I tested the API manually from home. Just typed the address in my browser.
> >
> > On Feb 11, 3:32 pm, Matt Sanford <m...@twitter.com> wrote:
> > Hi Dusty,
> >
> > The timeout error sounds suspiciously like a network problem and not a rate limit issue. When you say you tested the API manually, did you do it from your servers? Also, if you can let me know the IP address I can check if it is blocked for some reason.
> >
> > Thanks;
> > — Matt Sanford
> >
> > On Feb 11, 2009, at 01:29 PM, DustyReagan wrote:
> >
> > PS. I'm using Media Temple to serve my sites. Could the IP Address be blocked or something?
> >
> > On Feb 11, 3:27 pm, DustyReagan <dustyrea...@gmail.com> wrote:
> > Hi,
> >
> > I have 2 apps http://FriendOrFollow.com (I haven't changed the code on this site in weeks) and http://FeaturedUsers.com (uses the Zend Framework to access Twitter). Both of these sites are using the same authentication and are giving me the error "Unable to Connect to tcp://twitter.com:80. Error #110: Connection timed out."
> >
> > I've been checking my rate limit status quite a bit, and it doesn't seem to shift below 20k for some unknown reason. My rate limit right now is 19998 because I manually hit "http://twitter.com/statuses/followers.xml" twice, just to see if the API was working.
> >
> > Did I miss a vital update to the API or something? What could be happening, that my apps are broken, but I can still manually hit the API?
> >
> > Thanks!
> >
> > Dusty
> >
> > --
> > Alex Payne - API Lead, Twitter, Inc. http://twitter.com/al3x
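
The idea raised in the thread of identifying each application by an API key while keeping per-IP treatment for unsigned calls, sketched as an added example; it is not code from the thread or from Twitter. The class name, limits, key names and the sample address are assumptions chosen for illustration.

```python
import time
from collections import defaultdict


class KeyedRateLimiter:
    """Fixed-window limiter: signed calls are counted per API key,
    unsigned calls per source IP (the fallback described in the thread)."""

    def __init__(self, key_limit, ip_limit, window=3600, clock=time.time):
        self.key_limit = key_limit      # calls per window for a registered key
        self.ip_limit = ip_limit        # calls per window for an unsigned IP
        self.window = window
        self.clock = clock
        self.counts = defaultdict(int)  # (bucket, window index) -> calls seen
        self.revoked = set()            # keys disabled after abuse

    def revoke(self, api_key):
        self.revoked.add(api_key)

    def allow(self, source_ip, api_key=None):
        if api_key in self.revoked:
            return False                # refuse the abusive key, not the IP range
        if api_key is not None:
            bucket, limit = ("key", api_key), self.key_limit
        else:
            bucket, limit = ("ip", source_ip), self.ip_limit
        slot = (bucket, int(self.clock() // self.window))
        if self.counts[slot] >= limit:
            return False
        self.counts[slot] += 1
        return True


def shared_host_demo():
    """Constructed scenario: several applications behind one shared-hosting IP."""
    limiter = KeyedRateLimiter(key_limit=5, ip_limit=3, clock=lambda: 0)
    shared_ip = "192.0.2.10"            # constructed; RFC 5737 documentation range
    # An unsigned noisy neighbour exhausts the per-IP bucket.
    noisy = [limiter.allow(shared_ip) for _ in range(5)]
    # A registered application on the same IP is counted separately.
    signed = [limiter.allow(shared_ip, api_key="app-A") for _ in range(4)]
    # An abusive registered key is revoked without touching app-A.
    limiter.revoke("app-B")
    return {
        "noisy": noisy,
        "signed": signed,
        "revoked": limiter.allow(shared_ip, api_key="app-B"),
        "app_a_after": limiter.allow(shared_ip, api_key="app-A"),
    }
```

The limiter trusts the key as presented, so it only separates tenants on a shared IP if the key is authenticated on each call. It also does nothing for traffic dropped at the network level before the API sees it, which is the kind of block the thread describes.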