Re: [Sks-devel] Dealing with abusive clients
From: Valentin Sundermann
Subject: Re: [Sks-devel] Dealing with abusive clients
Date: Thu, 20 Jul 2017 19:18:52 +0200
>>> Here's a quick excerpt from the logs:
>>> 216.241.59.205 - - [20/Jul/2017:14:46:51 +0000] "GET / HTTP/1.1" 200
>>> 5285 "-" "-"
>>> 216.241.59.205 - - [20/Jul/2017:14:46:53 +0000] "GET / HTTP/1.1" 200
>>> 5285 "-" "-"
>>> 216.241.59.205 - - [20/Jul/2017:14:46:56 +0000] "GET / HTTP/1.1" 200
>>> 5285 "-" "-"
>>> 216.241.59.205 - - [20/Jul/2017:14:46:58 +0000] "GET / HTTP/1.1" 200
>>> 5285 "-" "-"
>>>
>>> This particular client is making continuous requests for the main page
>>> of my server every 2-3 seconds. They're not making any queries for keys,
>>> submitting keys, etc., but are only requesting the main page.
>>>
>>> This has been going on since at least the 15th of July.
>>>
>>> I haven't observed any other odd traffic, so it seems unlikely that a
>>> botnet is involved. Maybe a script that has gone awry?
I see these requests too, but from a different IP. I noticed them 1-2
months ago but wasn't able to find the origin of these requests (they
got sorted into a general logfile because of the "missing" Host field).
The IP that is querying my server belongs to Amazon's AWS. Requests look
the same, every 2 seconds a "GET /".
>> There might be a clue in the host header if you could log that? I use
>> this nginx config to do that (and not log the client IP)
>
> Good idea. I'll see if I can tweak the logs.
I log HTTP Host headers and it uses localhost in each request. Still no
idea what this could be.
Best regards,
Valentin Sundermann
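
The pattern described in this thread (one client requesting the same path at a near-constant interval of a few seconds, with no User-Agent) can be picked out of an access log mechanically. The following is an added example, not part of the original message: the log lines are constructed, and the function name `find_pollers` and its thresholds are assumptions to tune per server.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Combined log format: ip - user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample input (documentation addresses), not taken from a real server.
SAMPLE_LOG = """\
192.0.2.10 - - [20/Jul/2017:14:46:51 +0000] "GET / HTTP/1.1" 200 5285 "-" "-"
192.0.2.10 - - [20/Jul/2017:14:46:53 +0000] "GET / HTTP/1.1" 200 5285 "-" "-"
198.51.100.7 - - [20/Jul/2017:14:46:54 +0000] "GET /pks/lookup?op=get&search=0xDEADBEEF HTTP/1.1" 200 2100 "-" "gpg/2.1"
192.0.2.10 - - [20/Jul/2017:14:46:56 +0000] "GET / HTTP/1.1" 200 5285 "-" "-"
203.0.113.5 - - [20/Jul/2017:14:46:57 +0000] "GET / HTTP/1.1" 200 5285 "-" "-"
192.0.2.10 - - [20/Jul/2017:14:46:58 +0000] "GET / HTTP/1.1" 200 5285 "-" "-"
198.51.100.7 - - [20/Jul/2017:14:46:59 +0000] "GET /pks/lookup?op=get&search=0xFEEDFACE HTTP/1.1" 200 1800 "-" "gpg/2.1"
192.0.2.10 - - [20/Jul/2017:14:47:00 +0000] "GET / HTTP/1.1" 200 5285 "-" "-"
203.0.113.5 - - [20/Jul/2017:14:47:01 +0000] "GET / HTTP/1.1" 200 5285 "-" "-"
192.0.2.10 - - [20/Jul/2017:14:47:03 +0000] "GET / HTTP/1.1" 200 5285 "-" "-"
"""

def find_pollers(lines, min_hits=5, max_interval=5.0, max_jitter=1.5):
    """Return {(ip, path): (hits, mean_gap_seconds)} for clients that GET one
    path at a short, near-constant interval while sending no User-Agent."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET" or m["ua"] != "-":
            continue  # unparsable line, other method, or a client that identifies itself
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        seen[(m["ip"], m["path"])].append(ts)
    flagged = {}
    for key, stamps in seen.items():
        if len(stamps) < min_hits:
            continue  # too few requests to call it a pattern
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Short mean gap plus low spread distinguishes a timer loop from bursty browsing.
        if mean(gaps) <= max_interval and pstdev(gaps) <= max_jitter:
            flagged[key] = (len(stamps), round(mean(gaps), 2))
    return flagged

if __name__ == "__main__":
    for (ip, path), (hits, gap) in find_pollers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} polls {path}: {hits} hits, mean gap {gap}s")
```

On a server that does not log client IPs, the same grouping can be keyed on whatever field is logged instead, such as the Host header value.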