Re: Random five character string added to URLs?

Stefan Fouant sfouant at shortestpathfirst.net
Tue Nov 1 23:05:22 UTC 2011


Is there anything perhaps protecting or intercepting the data on its way to the server, perhaps an Arbor device or some type of load balancer?

This type of behavior is quite common when protecting web assets to eliminate zombies and such, but it's usually something you would see back to the clients, not to the server.

Also, IIRC, the LOIC DoS tool had this ability to create random strings in the URL, and I believe it did so with 5 characters.  Might want to do a packet trace and identify if this is coming from LOIC.

Regards,

Stefan Fouant
Technical Trainer, Juniper Networks
GPG Key ID: 0xB4C956EC

Sent from my HTC EVO.

----- Reply message -----
From: "Christopher J. Pilkington" <cjp at 0x1.net>
Date: Tue, Nov 1, 2011 3:51 pm
Subject: Random five character string added to URLs?
To: <nanog at nanog.org>

This might be off-topic, my apologies if so.

I am seeing requests against a server with initial GET requests in the form:

     GET /[a-zA-Z]{5}/pagename.html

pagename.html being optional. The 5 character string seems to be
random. This GET always results in a 404, as our servers don't have
these paths.  The second request seems to always be the same without the
modified path, which results in a 20.

I initially suspected this was something from an attack or DOS tool,
but the traffic doesn't fit such a pattern.

Is anyone familiar with what device/service behaves in this fashion?
Clearly something layer 7 is between the clients and the server.
Provider is without clue regarding this. Google results in many
GoDaddy users complaining of same; the server in question is not
hosted with them, but I suspect they may be doing something similar.

Thanks,
-cjp
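
One way to look for the request pattern described in the original post in a web server access log, as an added example that is not part of either message. The Common Log Format input, the constructed sample lines, the 10-second window and the function name `find_probe_pairs` are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Common Log Format (not taken from the thread).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Nov/2011:15:40:01 +0000] "GET /qWzRt/pagename.html HTTP/1.1" 404 209
192.0.2.10 - - [01/Nov/2011:15:40:02 +0000] "GET /pagename.html HTTP/1.1" 200 5120
192.0.2.11 - - [01/Nov/2011:15:40:05 +0000] "GET /KdPfa/ HTTP/1.1" 404 209
192.0.2.11 - - [01/Nov/2011:15:40:05 +0000] "GET / HTTP/1.1" 200 1024
198.51.100.7 - - [01/Nov/2011:15:41:00 +0000] "GET /about/team.html HTTP/1.1" 404 209
198.51.100.7 - - [01/Nov/2011:15:41:30 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.5 - - [01/Nov/2011:15:42:00 +0000] "GET /AbCdE/pagename.html HTTP/1.1" 404 209
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) [^"]*" (\d{3}) ')
PREFIX_RE = re.compile(r'^/[a-zA-Z]{5}(/.*)$')  # form quoted in the original post

def find_probe_pairs(log_text, window_seconds=10):
    """Return (client, prefixed_path, plain_path, second_status) for each 404 on
    /[a-zA-Z]{5}/<path> followed by the same client requesting <path>."""
    pending = {}  # (client, unprefixed path) -> (time of 404, prefixed path)
    pairs = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a GET or not in the assumed log format
        client, ts, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        prefixed = PREFIX_RE.match(path)
        if prefixed and status == "404":
            # Candidate first request; remember what the follow-up would look like.
            pending[(client, prefixed.group(1))] = (when, path)
            continue
        hit = pending.pop((client, path), None)
        if hit and when - hit[0] <= timedelta(seconds=window_seconds):
            pairs.append((client, hit[1], path, int(status)))
    return pairs

if __name__ == "__main__":
    for client, first, second, status in find_probe_pairs(SAMPLE_LOG):
        print(f"{client}: {first} (404) then {second} ({status})")
```

Pairing on the follow-up request keeps ordinary 404s on real five-letter directories (the constructed `/about/team.html` line) and unpaired 404s out of the result.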


