
I was alerted by my Plesk server that an IP Address had been banned. Normally I don't check banned IPs, but this one happened to coincide with our site going down for 1 minute at the same time.

Banned the following ip addresses on Mon Jul 27 21:05:01 AEST 2020
216.239.38.21 with 154 connections

I use the Web Application Firewall (ModSecurity) that plesk provides

A quick check tells me it is a Google IP: https://whatismyipaddress.com/ip/216.239.38.21

Hostname:   any-in-2615.1e100.net
ASN:    15169
ISP:    Google
Organization:   Google

However, Google has instructions on Verifying Googlebot:

Example 1:

> host 66.249.66.1
1.66.249.66.in-addr.arpa domain name pointer crawl-66-249-66-1.googlebot.com.

> host crawl-66-249-66-1.googlebot.com
crawl-66-249-66-1.googlebot.com has address 66.249.66.1

I also thought "154 connections sounds malicious", but Google's own Change Googlebot crawl rate page gives an example of 5 per second, which would be 300 a minute:

The term crawl rate means how many requests per second Googlebot makes to your site when it is crawling it: for example, 5 requests per second.

You cannot change how often Google crawls your site, but if you want Google to crawl new or updated content on your site, you can request a recrawl.

After running nslookup -type=ptr 216.239.38.21 I get the same hostname as above, which resolves to a spammy Google Blogger looking website.

So, the IP address is Google's, but it's a spammy looking Blogger.com website, so does that mean it was malicious or a false positive?

The fact that the hostname is any-in-2615.1e100.net leads me to believe it's a fairly sophisticated spoofed IP address, which seems bizarre. I was hoping someone with more technical experience might have further insights.

Maurice
    It's not necessarily Googlebot, but any Google service including Blogger: [What is 1e100.net?](https://support.google.com/faqs/answer/174717?hl=en) The error.log should have the WAF rule id that was fired, including other relevant details like the exact path, regexp etc. That's necessary to rule out false positives. – Esa Jokinen Jul 28 '20 at 00:36
  • Thanks, I'd hazard a guess this is a false positive since that's likely a Google domain. Sadly it doesn't show up in my logs so I've had to contact my provider to see what is going on. Maybe there is more to the story. – Maurice Jul 28 '20 at 06:39
  • In the cloud era it has become harder to distinguish solely based on the IP address whether it's coming from a service provided or from one of its customers. E.g. Microsoft Azure, Google GCP and Amazon AWS may seem like sources of legitimate traffic based on their reputation, but their customers could host anything there and, furthermore, those services do have vulnerabilities some malicious 3rd parties could abuse. – Esa Jokinen Jul 28 '20 at 07:00
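The two-step check Google documents (reverse lookup the IP, then forward-resolve the returned hostname and require it to match the original IP, with the hostname under googlebot.com or google.com) is what separates a genuine crawler from a host that merely has a Google-looking PTR record. The following is an added example, not code from the question or from Google; the resolver callables default to the standard library, and the stub table is constructed from the lookups quoted in the post (the 203.0.113.5 entry is a made-up spoof case).

```python
import socket
import ipaddress

# Domains Google lists for Googlebot verification (assumption: check Google's
# current "Verifying Googlebot" page, as the list can change).
GOOGLEBOT_DOMAINS = ("googlebot.com", "google.com")


def _forward_lookup(hostname):
    """Return the set of addresses a hostname resolves to (IPv4 and IPv6)."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}


def verify_crawler_ip(ip, allowed_domains=GOOGLEBOT_DOMAINS,
                      reverse=socket.gethostbyaddr, forward=_forward_lookup):
    """Reverse-then-forward DNS check. Returns (verified, hostname, reason)."""
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return False, None, "not an IP address"
    try:
        hostname = reverse(ip)[0].rstrip(".").lower()
    except (socket.herror, socket.gaierror, OSError):
        return False, None, "no PTR record"
    # Exact domain or a subdomain of it; a plain substring test would accept
    # lookalikes such as "fakegooglebot.com".
    if not any(hostname == d or hostname.endswith("." + d) for d in allowed_domains):
        return False, hostname, "PTR not under an allowed domain"
    try:
        forward_ips = forward(hostname)
    except (socket.gaierror, OSError):
        return False, hostname, "hostname does not resolve"
    # A forged PTR record cannot make the forward lookup point back at the IP.
    if ip not in forward_ips:
        return False, hostname, "forward lookup does not match"
    return True, hostname, "verified"


# Constructed offline resolver table mirroring the post's lookups (example values).
_PTR = {"66.249.66.1": "crawl-66-249-66-1.googlebot.com.",
        "216.239.38.21": "any-in-2615.1e100.net.",
        "203.0.113.5": "crawl-66-249-66-1.googlebot.com."}   # forged PTR
_A = {"crawl-66-249-66-1.googlebot.com": {"66.249.66.1"},
      "any-in-2615.1e100.net": {"216.239.38.21"}}


def stub_reverse(ip):
    if ip not in _PTR:
        raise socket.herror(1, "no PTR")
    return (_PTR[ip], [], [ip])


def stub_forward(hostname):
    if hostname not in _A:
        raise socket.gaierror(-2, "no A record")
    return _A[hostname]
```

Running it against the banned 216.239.38.21 fails at the domain step: the PTR is a valid Google host under 1e100.net, but not a Googlebot hostname, which is consistent with the comment that 1e100.net covers any Google service, Blogger included.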

0 Answers