nanog mailing list archives
Re: Random five character string added to URLs?
From: "Stefan Fouant" <sfouant () shortestpathfirst net>
Date: Tue, 01 Nov 2011 19:05:22 -0400
Is there anything perhaps protecting or intercepting the data on its way to the server, perhaps an Arbor device of some type of load balancer? This type of behavior is quite common when protecting web assets to eliminate zombies and such, but its usually something you would see back to the clients, not tp the server. Also, IIRC, the LOIC DoS tool had this ability to create random strings in the URL, and I believe it did so with 5 characters. Might want to do a packet trace and identify if this is coming from LOIC. Regards, Stefan Fouant Technical Trainer, Juniper Networks GPG Key ID: 0xB4C956EC Sent from my HTC EVO. ----- Reply message ----- From: "Christopher J. Pilkington" <cjp () 0x1 net> Date: Tue, Nov 1, 2011 3:51 pm Subject: Random five character string added to URLs? To: <nanog () nanog org> This might be off-topic, my apologies if so. I seeing requests against a server with initial GET requests in the form: GET /[a-zA-Z]{5}/pagename.html pagename.html being optional. The 5 character string seems to be random. This GET always results in a 404, as our servers don't have these paths. The second request seems to always the same without the modified path, which results in a 20. I initially suspected this was something from an attack or DOS tool, but the traffic doesn't fit such a pattern. Is anyone familiar with what device/service behaves in this fashion? Clearly something layer 7 is between the clients and the server. Provider is without clue regarding this. Google results in many GoDaddy users complaining of same; the server in question is not hosted with them, but I suspect they may be doing something similar. Thanks, -cjp
Current thread:
- Random five character string added to URLs? Christopher J. Pilkington (Nov 01)
- <Possible follow-ups>
- Re: Random five character string added to URLs? Stefan Fouant (Nov 01)
- Re: Random five character string added to URLs? Jeff Kell (Nov 01)