Security Incidents mailing list archives

Re: Chinese HTTP ACKs


From: Frank Knobbe <frank () knobbe us>
Date: Wed, 09 Feb 2005 16:13:53 -0600

On Wed, 2005-02-09 at 10:08 -0800, David Gillett wrote:
> I'm seeing a handful of addresses in the 61.143.210.0/23 space
> periodically send 2-3 ACKs from port 80 to semi-random addresses
> within our Class B space.  The TCP checksum on these packets is
> incorrect.
> [...]  Anybody else seeing similar?


Not quite. However, we have observed the Sohu search engine
(www.sohu.com) doing some funky stuff. It checks existing pages and
non-existing pages (like /abcdefghijklm.html) with GET and HEAD
requests. In those requests are tons of really funky cookies. At first
glance, I thought the search engine had gone bonkers, or was badly
coded. However, certain traits seem more purposeful (like checking for
the non-existing page). It appears to be more of a fingerprinting/recon
than a spidering of an existing site.

Oh, and they also performed proxy checks (trying GET http://www.sohu.com
against the tested hosts). Not really a feature of a search engine
either :)

These accesses were observed from 61.135.131.0/24 and 220.181.26.0/24.

You might want to keep an eye on those subnets. Has anyone else noticed
attempts from Sohu, or does anyone have more information they can share here?

Cheers,
Frank

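The traits Frank describes (GET and HEAD requests for a page that cannot exist, repeated 404s from one client, and a request line carrying a full URL as an open-proxy check) are all visible in an ordinary web-server access log. The following script, an added example that is not part of the original post and not Sohu's or anyone else's code, runs that detection logic over a few constructed combined-format log lines. The two subnets are the ones named in the post and are treated purely as a watch list; the client IPs, timestamps and User-Agent strings in the sample lines are made up for the example, and the 404 threshold is an assumed tuning knob.

```python
import ipaddress
import re
from collections import defaultdict

# Subnets named in the post; a watch list for triage, not a verdict on their owners.
WATCHED_SUBNETS = [ipaddress.ip_network(n) for n in ("61.135.131.0/24", "220.181.26.0/24")]

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (not real log data): a watched host probing a
# non-existent page with HEAD and GET, a second watched host doing a proxy
# check, and an unrelated visitor fetching a real page.
SAMPLE_LOG = [
    '61.135.131.10 - - [09/Feb/2005:10:01:02 -0600] "GET /index.html HTTP/1.1" 200 5120 "-" "sohu-search"',
    '61.135.131.10 - - [09/Feb/2005:10:01:03 -0600] "HEAD /abcdefghijklm.html HTTP/1.1" 404 0 "-" "sohu-search"',
    '61.135.131.10 - - [09/Feb/2005:10:01:04 -0600] "GET /abcdefghijklm.html HTTP/1.1" 404 290 "-" "sohu-search"',
    '220.181.26.7 - - [09/Feb/2005:10:02:10 -0600] "GET http://www.sohu.com/ HTTP/1.0" 404 290 "-" "-"',
    '192.0.2.55 - - [09/Feb/2005:10:03:00 -0600] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def in_watched_subnet(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WATCHED_SUBNETS)


def is_proxy_probe(target):
    # A request line with an absolute URI ("GET http://www.sohu.com/ HTTP/1.0")
    # asks the server to fetch a third-party site: a classic open-proxy check.
    return target.lower().startswith(("http://", "https://"))


def classify(lines, probe_404_threshold=2):
    """Map client IP -> sorted list of findings for the given log lines.

    probe_404_threshold (assumed tuning value): how many 404s from one client
    before we call it a probe for non-existent pages.
    """
    findings = defaultdict(set)
    not_found = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        if in_watched_subnet(ip):
            findings[ip].add("watched-subnet")
        if is_proxy_probe(rec["target"]):
            findings[ip].add("proxy-probe")
        if rec["status"] == "404":
            not_found[ip] += 1
            if not_found[ip] >= probe_404_threshold:
                findings[ip].add("nonexistent-page-probe")
        if rec["method"] == "HEAD":
            findings[ip].add("head-request")
    return {ip: sorted(f) for ip, f in findings.items()}


if __name__ == "__main__":
    for ip, reasons in classify(SAMPLE_LOG).items():
        print(ip, ", ".join(reasons))
```

The combined log format does not record request headers, so the odd cookies Frank mentions are not visible here; to catch those you would need a custom LogFormat that includes %{Cookie}i, or a capture at the network edge.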

