On 11/16/2010 03:13 PM, Paul Graydon wrote:
> Hi,
>
> Thought I'd throw something out to the masses here, to see if I get a bite.
>
> Every day one of our sites will see a large number of requests coming
> from a single IP address in the space of 1-2 minutes (upwards of 9000).
> This is on a fairly small site where it's unusual to see more than 300
> hits a day from a single IP. The IP address is different every day,
> across many different network ranges, service providers, geographic
> locations etc (e-mails sent to abuse addressees but you know how slow
> responses can be there)
>
> Initially the traffic from the IP address appears to be normal, just
> someone browsing the site. It's always an IE user agent string covering
> a broad spectrum of IE versions 6-8. No IP address seems to have quite
> the same agent-string as another. Again nothing unusual there.
>
> After maybe a minute of accessing the site I suddenly get a large flood
> of requests from the IP address, this time with a "Mozilla/4.0
> (compatible;)" user-agent.
>
> The first couple of times it happened the servers involved couldn't cope
> with it, but a few tweaks to config files later and it now hardly bats
> an eyelid, which it shouldn't given it's static content, so in some
> regards it's been a nice indicator of an unforeseen infrastructure problem.
>
> I was wondering though if anyone has any theories about what might be
> causing it, and am curious whether anyone else is seeing such unusual
> traffic behaviour?
>
> My only theory at the moment is some form of scraper or a zombie. The
> content isn't anything worthy of scraping, and doesn't appear on a
> google search, and given the different IPs it suggests more like a
> zombie to me.
>
> Paul

Within 5 minutes of e-mailing this out I had a call from one of the abuse people at a source. The IP it appeared from is a NAT from a Proxy server. Checking the proxy server logs he was able to see traffic right up until the odd user-agent string but not the bad traffic. He's going to be investigating further but wanted to give me a quick preliminary (and assure me someone was looking into it).

That's really rather weird :)

Paul
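
Added example, not part of the original messages: one way to pick this pattern out of an access log, flagging any IP that exceeds a hit threshold inside a two-minute window and noting whether it presented an MSIE user-agent before switching to the "Mozilla/4.0 (compatible;)" string quoted above. The combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed: Apache/nginx "combined" log format (the post does not name the server).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
FLOOD_UA = "Mozilla/4.0 (compatible;)"  # user-agent string quoted in the post

def find_bursts(lines, window=timedelta(minutes=2), threshold=300):
    """Return {ip: {"peak", "ua_switch"}} for IPs with > threshold hits in window.
    Lines must be in chronological order per IP, as in a normal access log."""
    recent = defaultdict(deque)          # ip -> timestamps still inside the window
    peak = defaultdict(int)              # ip -> highest windowed hit count seen
    seen_msie, switched = set(), set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                     # skip malformed lines instead of aborting
        ip, ua = m["ip"], m["ua"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if ua == FLOOD_UA and ip in seen_msie:
            switched.add(ip)             # normal IE browsing, then the flood UA
        elif "MSIE" in ua:
            seen_msie.add(ip)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:        # expire hits older than the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: {"peak": n, "ua_switch": ip in switched}
            for ip, n in peak.items() if n > threshold}

def sample_log():
    """Constructed sample: one client that browses then floods, one ordinary visitor."""
    fmt = ('{ip} - - [16/Nov/2010:10:{m:02d}:{s:02d} -1000] '
           '"GET /{p} HTTP/1.1" 200 512 "-" "{ua}"')
    ie = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
    out = [fmt.format(ip="203.0.113.9", m=0, s=s, p="index.html", ua=ie) for s in (1, 20, 45)]
    out.append(fmt.format(ip="198.51.100.7", m=0, s=30, p="about.html", ua=ie))
    out += [fmt.format(ip="203.0.113.9", m=1 + i // 60, s=i % 60, p=f"img/{i}.png", ua=FLOOD_UA)
            for i in range(90)]
    return out
```

The default threshold of 300 mirrors the "300 hits a day" ceiling mentioned in the post; any IP passing that within two minutes is far outside the site's normal profile.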
