Christopher,
Thank you. This is helpful. Sorry about the "hijacked thread", I
didn't think of that.
Yes, I've double-checked that my site isn't generating the bad links.
It's all static HTML and I've searched for any duplications, "../../"
type things, etc. I don't currently generate any URLs, and the sheer
length of the duplication rules out any basic mistakes in static html.
I have directory indexes turned off, confirmed by seeing 404 codes on
certain directories in which I don't have index files (intentionally).
Lloyd
On Apr 24, 2008, at 10:12 AM, Christopher Schultz wrote:
Lloyd,
For future reference, please don't "hijack" a thread. You replied to
another message on the list to ask this one. In the future, please
create a brand new message.
DIGLLOYD INC wrote:
| But I see tons of 404 errors, with someone/thing from 62.42.21.210
| (ono.com) doing:
|
| http://diglloyd.com/diglloyd/free/diglloyd/free/Eagles/Eagles.html
| http://diglloyd.com/diglloyd/free/diglloyd/free/diglloyd/free/Eagles/Eagles.html
Are you sure this isn't a problem with your own site accidentally
generating URLs that are double- or triple-length? You should record
the "referer" (sic) header to see where the links are coming from. If
they're coming from your site, you might want to check your own
software.
| I also see illegal requests like this from several sites:
|
| /diglloyd/blog-images/?S=A
That looks like a URL generated by Apache httpd's "index" feature.
I've never used Tomcat's DefaultServlet to serve directory indexes (so
I'm not sure if it uses the same URL syntax for file sorting, etc.),
but is it possible that you are serving directory indexes from Tomcat?
If so, then this looks like a legitimate request.
| Is there a weakness in Tomcat being probed here?
Perhaps. But I don't believe there are any known weaknesses around
this part of the code. I wouldn't worry about it.
| What is the best way to block such things?
You could write a filter that checks for certain URL patterns and
replies with a 403 (Forbidden) response code.
| Ignore them since they just return 404 error anyway?
That's what I would do.
| Write a filter to insert a long delay for blatantly wrong requests?
Definitely don't do that -- you'd be creating a DOS vector. :(
| I'm not sure if that ono.com represents a single user or an entire
| ISP, so I'm loath to block it entirely.
Lessee...
$ nslookup 62.42.21.210
Server: 192.168.1.40
Address: 192.168.1.40#53
Non-authoritative answer:
210.21.42.62.in-addr.arpa name = 62.42.21.210.dyn.user.ono.com.
Authoritative answers can be found from:
21.42.62.in-addr.arpa nameserver = dns03.ono.com.
21.42.62.in-addr.arpa nameserver = dns01.ono.com.
21.42.62.in-addr.arpa nameserver = dns02.ono.com.
Looks like an ISP. You are probably being visited (or scanned?) by
someone within their network. They probably own a whole class B
network or more, so you would go crazy blocking IPs individually.
I would just ignore them unless they start to be a significant portion
of your traffic.
-chris
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Lloyd Chambers
http://diglloyd.com
[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]
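Added example, not part of the original thread and not Tomcat's own code: one way to write the filter suggested above, replying 403 to request URIs that repeat a run of path segments and logging the Referer header so the source of the links can be traced. The class name `RepeatedPathFilter`, the helper `hasRepeatedRun` and the two-segment threshold are assumptions made for illustration.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical class name; not part of Tomcat.
public class RepeatedPathFilter implements Filter {
    // Assumption: no legitimate URL on the site repeats a run of 2+ path segments.
    private static final int MIN_RUN = 2;
    private ServletContext ctx;

    public void init(FilterConfig cfg) { ctx = cfg.getServletContext(); }
    public void destroy() { }

    // True when a run of MIN_RUN or more segments is immediately followed by an
    // identical run, e.g. /diglloyd/free/diglloyd/free/Eagles/Eagles.html
    static boolean hasRepeatedRun(String uri) {
        String[] seg = uri.split("/");
        for (int len = MIN_RUN; 2 * len <= seg.length; len++) {
            for (int start = 0; start + 2 * len <= seg.length; start++) {
                boolean same = true;
                for (int k = 0; k < len && same; k++) {
                    same = seg[start + k].equals(seg[start + len + k]);
                }
                if (same) return true;
            }
        }
        return false;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String uri = http.getRequestURI();
        if (hasRepeatedRun(uri)) {
            // Record the Referer to see where the link came from; strip CR/LF before logging.
            String ref = String.valueOf(http.getHeader("Referer")).replaceAll("[\\r\\n]", "_");
            ctx.log("403 " + uri.replaceAll("[\\r\\n]", "_") + " referer=" + ref);
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

The filter is registered in the web application's web.xml with a `<filter>` entry and a `<filter-mapping>` for `/*`.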