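    }

    // BLACKHOLE is the blackhole list's DNS zone; it is defined earlier in the
    // class (not shown in this excerpt).
    private static boolean isSpammer(String arg) {
        try {
            InetAddress address = InetAddress.getByName(arg);
            byte[] quad = address.getAddress();
            String query = BLACKHOLE;
            // Prepend the octets one by one: a.b.c.d becomes d.c.b.a.<zone>
            for (byte octet : quad) {
                int unsignedByte = octet < 0 ? octet + 256 : octet;
                query = unsignedByte + "." + query;
            }
            // Any successful lookup of the query name is treated as "listed"
            InetAddress.getByName(query);
            return true;
        } catch (UnknownHostException e) {
            // The lookup failed: no record exists for this name
            return false;
        }
    }
}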
Here's some sample output:
$ java SpamCheck 207.34.56.23 125.12.32.4 130.130.130.130
207.34.56.23 appears legitimate.
125.12.32.4 appears legitimate.
130.130.130.130 appears legitimate.
If you use this technique, stay on top of changes to blackhole list policies
and addresses. For obvious reasons, blackhole servers are frequent targets of DDoS and
other attacks, so make sure that if the blackhole server changes its address
or simply stops responding to any queries, you don't begin blocking all traffic.
Further note that different blackhole lists can follow slightly different protocols. For
example, a few lists return 127.0.0.1 for spamming IPs instead of 127.0.0.2.
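As an added example (not from the original text), here is one way to act on both cautions above: count an address as listed only when the answer is a return code the list documents, and report every other answer as indeterminate rather than as spam. The zone name, the LISTED_CODES set, and the class and method names are assumptions made for illustration.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Set;

public class DnsblVerdict {
    enum Verdict { LISTED, NOT_LISTED, INDETERMINATE }

    static final String ZONE = "dnsbl.example.org";               // placeholder zone (assumption)
    static final Set<String> LISTED_CODES = Set.of("127.0.0.2");  // codes this list documents

    // Reverse the IPv4 octets and append the zone, as isSpammer() does.
    static String queryName(byte[] quad, String zone) {
        if (quad.length != 4) throw new IllegalArgumentException("IPv4 only");
        StringBuilder name = new StringBuilder();
        for (int i = 3; i >= 0; i--) name.append(quad[i] & 0xFF).append('.');
        return name.append(zone).toString();
    }

    // answer == null stands for UnknownHostException (no record for the query name).
    static Verdict classify(InetAddress answer, Set<String> listedCodes) {
        if (answer == null) return Verdict.NOT_LISTED;
        // Only a documented return code counts as a listing. Anything else (a
        // parked or wildcarded zone, a rewriting resolver, an unknown code) is
        // reported as INDETERMINATE so the caller does not block on it.
        return listedCodes.contains(answer.getHostAddress())
                ? Verdict.LISTED : Verdict.INDETERMINATE;
    }

    // Live lookup: performs one DNS query against the zone.
    static Verdict check(String ip, String zone, Set<String> listedCodes)
            throws UnknownHostException {
        byte[] quad = InetAddress.getByName(ip).getAddress();
        try {
            return classify(InetAddress.getByName(queryName(quad, zone)), listedCodes);
        } catch (UnknownHostException e) {
            return classify(null, listedCodes);
        }
    }

    public static void main(String[] args) throws UnknownHostException {
        System.out.println(queryName(InetAddress.getByName("192.0.2.45").getAddress(), ZONE));
        // Constructed DNS answers, so this demonstration runs without a network.
        String[] answers = { null, "127.0.0.2", "127.0.0.1", "203.0.113.9" };
        for (String a : answers) {
            InetAddress answer = (a == null) ? null : InetAddress.getByName(a);
            System.out.println(a + " -> " + classify(answer, LISTED_CODES));
        }
    }
}
```

For a list that uses a different return code, change LISTED_CODES to the values that list documents; a caller should log INDETERMINATE results instead of blocking on them.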
Processing Web Server Logfiles
Web server logs track the hosts that access a website. By default, the log reports the IP
addresses of the sites that connect to the server. However, you can often get more
information from the names of those sites than from their IP addresses. Most web servers
have an option to store hostnames instead of IP addresses, but this can hurt performance
because the server needs to make a DNS request for each hit. It is much more efficient
to log the IP addresses and convert them to hostnames at a later time, when the server
isn't busy or even on another machine completely. Example 4-10 is a program called
Weblog that reads a web server logfile and prints each line with IP addresses converted
to hostnames.
Most web servers have standardized on the common logfile format. A typical line in the
common logfile format looks like this: