nanog mailing list archives

Re: Random five character string added to URLs?


From: "Stefan Fouant" <sfouant () shortestpathfirst net>
Date: Tue, 01 Nov 2011 19:05:22 -0400

Is there anything perhaps protecting or intercepting the data on its way to the server, perhaps an Arbor device of some 
type of load balancer?

This type of behavior is quite common when protecting web assets to eliminate zombies and such, but it's usually 
something you would see back to the clients, not to the server.

Also, IIRC, the LOIC DoS tool had this ability to create random strings in the URL, and I believe it did so with 5 
characters.  Might want to do a packet trace and identify if this is coming from LOIC.

Regards,

Stefan Fouant
Technical Trainer, Juniper Networks
GPG Key ID: 0xB4C956EC

Sent from my HTC EVO.

----- Reply message -----
From: "Christopher J. Pilkington" <cjp () 0x1 net>
Date: Tue, Nov 1, 2011 3:51 pm
Subject: Random five character string added to URLs?
To: <nanog () nanog org>

This might be off-topic, my apologies if so.

I'm seeing requests against a server with initial GET requests in the form:

     GET /[a-zA-Z]{5}/pagename.html

pagename.html being optional. The 5 character string seems to be
random. This GET always results in a 404, as our servers don't have
these paths.  The second request seems to always be the same without the
modified path, which results in a 20.

I initially suspected this was something from an attack or DOS tool,
but the traffic doesn't fit such a pattern.

Is anyone familiar with what device/service behaves in this fashion?
Clearly something layer 7 is between the clients and the server.
Provider is without clue regarding this. Google results in many
GoDaddy users complaining of same; the server in question is not
hosted with them, but I suspect they may be doing something similar.

Thanks,
-cjp
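
Added example, not part of either message above: one way to pull the request pairs described in this thread out of a web server access log, so the affected clients can be counted and compared against a packet trace. It assumes common log format; the sample lines, the function name find_prefixed_pairs and the 5-second pairing window are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (common log format); not from the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Nov/2011:15:40:01 -0400] "GET /qWzRt/pagename.html HTTP/1.1" 404 512
192.0.2.10 - - [01/Nov/2011:15:40:02 -0400] "GET /pagename.html HTTP/1.1" 200 4096
192.0.2.11 - - [01/Nov/2011:15:40:05 -0400] "GET /aBcDe/ HTTP/1.1" 404 512
192.0.2.11 - - [01/Nov/2011:15:40:05 -0400] "GET / HTTP/1.1" 200 1024
192.0.2.12 - - [01/Nov/2011:15:41:00 -0400] "GET /about/team.html HTTP/1.1" 200 2048
192.0.2.13 - - [01/Nov/2011:15:42:00 -0400] "GET /xYzAb/missing.html HTTP/1.1" 404 512
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# The pattern from the thread: a five-letter first path segment, then the real path.
PREFIX_RE = re.compile(r'^/[a-zA-Z]{5}(?P<rest>/.*)$')

def find_prefixed_pairs(log_text, window=timedelta(seconds=5)):
    """Return (ip, prefixed_path, plain_path, plain_status) for each 404 on a
    five-letter-prefixed path followed by the same client requesting the
    unprefixed path within `window` (the window is an assumption)."""
    pending = {}  # (ip, unprefixed path) -> (timestamp, prefixed path)
    pairs = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, path, status = m["ip"], m["path"], int(m["status"])
        p = PREFIX_RE.match(path)
        # Requiring a 404 keeps real five-letter directories such as /about/ out.
        if p and status == 404:
            pending[(ip, p["rest"])] = (ts, path)
            continue
        hit = pending.pop((ip, path), None)
        if hit and ts - hit[0] <= window:
            pairs.append((ip, hit[1], path, status))
    return pairs

if __name__ == "__main__":
    for pair in find_prefixed_pairs(SAMPLE_LOG):
        print(*pair)
```

A 404 on a prefixed path with no follow-up request (the last sample line) is left unpaired, which separates the two-request behaviour from ordinary bad links or scanning.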

