DOS attempt? What is this? - Security



Thread: DOS attempt? What is this?

  1. DOS attempt? What is this?

    Beginning at 13:50 CEST yesterday, hundreds of almost identical
    entries started appearing in my apache log:

    ppp-88-217-13-109.dynamic.mnet-online.de - - [04/Oct/2008:13:50:32
    +0200] "GET /stestu.html HTTP/1.1" 200 118012
    "http://rds.yahoo.com/_ylt=A0geu_B0WOdIHz0AjVVXNyoA;_ylu=X3oDMTBz
    MzdrZWZkBHNlYwNzcgRwb3MDMzcEY29sbwNhYzIEdnRpZAM-
    /SIG=11olttmk0/EXP=1223207412/**http%3a//www.jw-stumpel.nl/stestu.html"
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"

    (all on one line). This was repeated approx. every two and a half
    minutes, each time with a different value of SIG and EXP. Just
    before midnight last night, the remote address changed to
    88.217.9.101 (ppp-88-217-9-101.dynamic.mnet-online.de); there was
    no interruption in the two-and-a-half minute pattern. When I
    discovered what was happening (about 12:00 CEST today) I blocked
    the entire 88.217.0.0/16 range belonging to mnet-online.de by
    making a shorewall rule.

    Strangely, apache served the html page itself successfully (code
    200), but the pictures belonging to the page were not requested
    (although this normally does happen when a graphical browser like
    MSIE 6.0 is used).

    Is this some kind of DOS attempt? But why would someone try to
    block my totally innocuous web page www.jw-stumpel.nl/stestu.html?
    I also don't know what this rds.yahoo.com is supposed to do. I
    normally don't use yahoo, but just tried to search for my own page
    using it, and it didn't produce these log entries with rds.yahoo
    in them.

    Regards, Jan

  2. Re: DOS attempt? What is this?

    On 5 Oct, 12:48, JWS wrote:
    > Beginning at 13:50 CEST yesterday, hundreds of almost identical
    > entries started appearing in my apache log:
    >
    > ppp-88-217-13-109.dynamic.mnet-online.de - - [04/Oct/2008:13:50:32
    > +0200] "GET /stestu.html HTTP/1.1" 200 118012
    > "http://rds.yahoo.com/_ylt=A0geu_B0WOdIHz0AjVVXNyoA;_ylu=X3oDMTBz
    > MzdrZWZkBHNlYwNzcgRwb3MDMzcEY29sbwNhYzIEdnRpZAM-
    > /SIG=11olttmk0/EXP=1223207412/**http%3a//www.jw-stumpel.nl/stestu.html"
    > "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"
    >
    > (all on one line). This was repeated approx. every two and a half
    > minutes, each time with a different value of SIG and EXP. Just
    > before midnight last night, the remote address changed to
    > 88.217.9.101 (ppp-88-217-9-101.dynamic.mnet-online.de); there was
    > no interruption in the two-and-a-half minute pattern. When I
    > discovered what was happening (about 12:00 CEST today) I blocked
    > the entire 88.217.0.0/16 range belonging to mnet-online.de by
    > making a shorewall rule.
    >
    > Strangely, apache served the html page itself successfully (code
    > 200), but the pictures belonging to the page were not requested
    > (although this normally does happen when a graphical browser like
    > MSIE 6.0 is used).
    >
    > Is this some kind of DOS attempt? But why would someone try to
    > block my totally innocuous web page www.jw-stumpel.nl/stestu.html?
    > I also don't know what this rds.yahoo.com is supposed to do. I
    > normally don't use yahoo, but just tried to search for my own page
    > using it, and it didn't produce these log entries with rds.yahoo
    > in them.
    >
    > Regards, Jan


    I really don't think hits at 2.5 minute intervals pose a very high
    risk of a DOS attack.

    The referer doesn't seem to like being accessed directly - but it
    looks more like a software bug on the yahoo site or bad interaction
    with a spider.

    C.

  3. Re: DOS attempt? What is this?

    C. wrote:

    > I really don't think hits at 2.5 minute intervals pose a very
    > high risk of a DOS attack.


    That's what I thought too. It seemed so pointless. A bug in
    Yahoo's "instant search" is the most likely cause. I unblocked
    mnet-online.de today; the weird http requests did not return.

    Thanks, Jan

  4. Re: DOS attempt? What is this?

    JWS writes:

    > Beginning at 13:50 CEST yesterday, hundreds of almost identical
    > entries started appearing in my apache log:
    >
    > ppp-88-217-13-109.dynamic.mnet-online.de - - [04/Oct/2008:13:50:32
    > +0200] "GET /stestu.html HTTP/1.1" 200 118012
    > "http://rds.yahoo.com/_ylt=A0geu_B0WOdIHz0AjVVXNyoA;_ylu=X3oDMTBz
    > MzdrZWZkBHNlYwNzcgRwb3MDMzcEY29sbwNhYzIEdnRpZAM-
    > /SIG=11olttmk0/EXP=1223207412/**http%3a//www.jw-stumpel.nl/stestu.html"
    > "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"
    >
    > (all on one line). This was repeated approx. every two and a half
    > minutes, each time with a different value of SIG and EXP. Just
    > before midnight last night, the remote address changed to
    > 88.217.9.101 (ppp-88-217-9-101.dynamic.mnet-online.de); there was
    > no interruption in the two-and-a-half minute pattern. When I
    > discovered what was happening (about 12:00 CEST today) I blocked
    > the entire 88.217.0.0/16 range belonging to mnet-online.de by
    > making a shorewall rule.


    Looks like someone searched for something (maybe Unicode/font/text
    data, from checking the requested page?) using Yahoo. The guy was on a
    German dial-up service that disconnected and then reconnected, as is
    common with dial-up services (check the strings "ppp" and "dynamic" in
    the hostname, a dead give-away). He was using a browser that likely had
    one of those 'webpage check-for-updates' attributes enabled where the
    browser automatically keeps calling back to a page to see if it's
    changed. Kinda a dumb idea for most pages, but I've seen it before. At
    some point he left and/or cleared the page out of his browser. Since it
    was an MSIE browser and the page mentions Ubuntu, my guess is he's
    likely a new Linux user or a would-be future user looking into Linux.

    That's my guess, but I really doubt this is an attack of any sort. I'd
    unblock the ranges.

    > I also don't know what this rds.yahoo.com is supposed to do.


    It's a redirector, sometimes also used to step around web page
    blocks. Sometimes spammers use them to step around URL blocks or make
    URLs that are flaky look somewhat more normal.

    This is one of the URLs returned when I use Yahoo to search for "unicode":

    http://rds.yahoo.com/_ylt=A0geu7bW._...s/Unicode.html

    Look familiar?

    (From http://search.yahoo.com/)


    --
    [** America, The Police State **]
    http://www.hermes-press.com/police_state.htm
    IRS Police State Provisions http://www.infowars.com/?p=5076
    /usr/bin/finger jayjwa at host atr2.ath.cx
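    As an added example (not code from the thread or from any of its posters): a small Python script that parses Apache combined-format lines like the one Jan posted, pulls the real destination out of an rds.yahoo.com referer the way jayjwa describes the redirector working, and flags clients that hit the same HTML page at a near-constant interval without ever fetching its images. The sample lines are constructed from the thread's entry with the Yahoo tracking tokens replaced by a placeholder; the 25% cadence tolerance and the 3-hit minimum are assumptions.

```python
import re
from datetime import datetime
from urllib.parse import unquote

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def parse_line(line):
    m = LOG_RE.match(line)  # returns None for lines that are not combined-format
    if m:
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
        return rec

def yahoo_redirect_target(referer):
    # rds.yahoo.com referers carry the real destination after "/**", percent-encoded
    if "rds.yahoo.com" not in referer or "/**" not in referer:
        return None
    return unquote(referer.split("/**", 1)[1])

def cadence_report(lines, min_hits=3, tolerance=0.25):
    # Group hits by client host; flag near-constant gaps and "html only" (no images/css fetched)
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec:
            hits.setdefault(rec["host"], []).append(rec)
    report = {}
    for host, recs in hits.items():
        if len(recs) < min_hits:
            continue
        ts = sorted(r["time"] for r in recs)
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        mean = sum(gaps) / len(gaps)
        regular = all(abs(g - mean) <= tolerance * mean for g in gaps)
        html_only = all(r["request"].split()[1].endswith(".html") for r in recs)
        report[host] = {"hits": len(recs), "mean_gap_s": mean, "regular": regular, "html_only": html_only}
    return report

# Constructed sample lines modelled on the thread's entry (Yahoo tokens replaced by a placeholder)
REFERER = "http://rds.yahoo.com/_ylt=PLACEHOLDER/SIG=11olttmk0/EXP=1223207412/**http%3a//www.jw-stumpel.nl/stestu.html"
SAMPLE_LOG = [
    f'ppp-88-217-13-109.dynamic.mnet-online.de - - [04/Oct/2008:{t} +0200] '
    f'"GET /stestu.html HTTP/1.1" 200 118012 "{REFERER}" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"'
    for t in ("13:50:32", "13:53:02", "13:55:32", "13:58:02")
]
print(cadence_report(SAMPLE_LOG), yahoo_redirect_target(REFERER))
```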

  5. Re: DOS attempt? What is this?

    jayjwa wrote:
    > Since it was an MSIE browser and the page mentions Ubuntu, my
    > guess is he's likely a new Linux user or a would-be future user
    > looking into Linux.
    >
    > That's my guess, but I really doubt this is an attack of any
    > sort. I'd unblock the ranges.


    Your explanation sounds OK. I hadn't heard of this 'webpage check
    for updates' feature. I already unblocked the range several days ago.

    Regards, Jan

  6. Re: DOS attempt? What is this?

    JWS writes:

    > Your explanation sounds OK. I hadn't heard of this 'webpage check
    > for updates' feature. I already unblocked the range several days ago.


    I forget the exact versions of which browsers do it. I only remember it
    because I saw it in my webserver's logs and wondered what it was. When I
    asked the guy, he said that's what it was.


  7. Re: DOS attempt? What is this?

    jayjwa wrote:

    > I forget the exact versions of which browsers do it. I only
    > remember it because I saw it in my webserver's logs and
    > wondered what it was. When I asked the guy, he said that's what
    > it was.

    Hmm.. whenever I unblock this range, the guy always comes back. In
    the same monotonous 2~2.5 minute rhythm. Always with an IP address
    belonging to mnet-online.de. Strange.
