Lloyd,

For future reference, please don't "hijack" a thread. You replied to another message on the list to ask this one. In the future, please create a brand new message.

DIGLLOYD INC wrote:
| But I see tons of 404 errors, with someone/thing from 62.42.21.210
| (ono.com) doing:
|
| http://diglloyd.com/diglloyd/free/diglloyd/free/Eagles/Eagles.html
| http://diglloyd.com/diglloyd/free/diglloyd/free/diglloyd/free/Eagles/Eagles.html

Are you sure this isn't a problem with your own site accidentally generating URLs that are double- or triple-length? You should record the "referer" (sic) header to see where the links are coming from. If they're coming from your site, you might want to check your own software.

| I also see illegal requests like this from several sites:
|
| /diglloyd/blog-images/?S=A

That looks like a URL generated by Apache httpd's "index" feature. I've never used Tomcat's DefaultServlet to serve directory indexes (so I'm not sure if it uses the same URL syntax for file sorting, etc.), but is it possible that you are serving directory indexes from Tomcat? If so, then this looks like a legitimate request.

| Is there a weakness in Tomcat being probed here?

Perhaps. But I don't believe there are any known weaknesses around this part of the code. I wouldn't worry about it.

| What is the best way to block such things?

You could write a filter that checks for certain URL patterns and replies with a 403 (Forbidden) response code.

| Ignore them since they just return 404 error anyway?

That's what I would do.

| Write a filter to insert a long delay for blatantly wrong requests?

Definitely don't do that -- you'd be creating a DOS vector. :(

| I'm not sure if that ono.com represents a single user or an entire ISP,
| so I'm loathe to block it entirely.

Lessee...

$ nslookup 62.42.21.210
Server: 192.168.1.40
Address: 192.168.1.40#53

Non-authoritative answer:
210.21.42.62.in-addr.arpa name = 62.42.21.210.dyn.user.ono.com.

Authoritative answers can be found from:
21.42.62.in-addr.arpa nameserver = dns03.ono.com.
21.42.62.in-addr.arpa nameserver = dns01.ono.com.
21.42.62.in-addr.arpa nameserver = dns02.ono.com.

Looks like an ISP. You are probably being visited (or scanned?) by someone within their network. They probably own a whole class B network or more, so you would go crazy blocking IPs individually. I would just ignore them unless they start to be a significant portion of your traffic.

-chris
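
The filter suggested in the reply above, sketched as an added example (not code from the original message or from Tomcat). It assumes the `javax.servlet` API (`jakarta.servlet` on newer Tomcat releases); the class name `BadUrlFilter` and the repeated-prefix pattern are hypothetical. It rejects the doubled and tripled paths with an immediate 403, with no delay, and logs the Referer so the source of the links can be traced.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter: the class name and the pattern are illustrative.
public class BadUrlFilter implements Filter {
    // Matches a leading run of path segments that immediately repeats,
    // e.g. /diglloyd/free/diglloyd/free/Eagles/Eagles.html.
    // A site with legitimate paths like /a/a/x would need a narrower rule.
    private static final Pattern REPEATED_PREFIX =
        Pattern.compile("^((?:/[^/]+)+)\\1(?:/.*)?$");

    private FilterConfig config;

    public void init(FilterConfig config) { this.config = config; }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String uri = request.getRequestURI(); // raw path, not URL-decoded
        if (uri != null && REPEATED_PREFIX.matcher(uri).matches()) {
            // Log the Referer: if it points at this site, the site itself
            // is generating the bad links and the filter is hiding a bug.
            config.getServletContext().log("Rejected " + clean(uri)
                + " from " + request.getRemoteAddr()
                + " referer=" + clean(request.getHeader("Referer")));
            // Answer at once; holding the request open would tie up a
            // worker thread for every bad request.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    // Replace CR/LF so client-supplied values cannot forge log lines.
    private static String clean(String s) {
        return s == null ? "-" : s.replaceAll("[\\r\\n]", "_");
    }
}
```

The filter takes effect once it is declared in `web.xml` with a `<filter>` element and mapped to `/*` with a `<filter-mapping>`.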