Re: Traffic being directed at random infrastructure with pornhub.com host header (?)

2023-09-13 Thread Dobbins, Roland via NANOG

On Sep 13, 2023, at 20:38, Drew Weaver wrote:
> Has anyone else recently seen a spike of port 80 traffic being sent at
> seemingly random IP addresses that include the Pornhub host header?

It may be related to this:

HTTP Reflection/Amplification via Abusable Internet Censorship Systems
netscout.com

Roland Dobbins 


Re: Traffic being directed at random infrastructure with pornhub.com host header (?)

2023-09-13 Thread John Kristoff
On Wed, 13 Sep 2023 13:35:30 +
Drew Weaver wrote:

> Has anyone else recently seen a spike of port 80 traffic being sent
> at seemingly random IP addresses that include the Pornhub host header?

Yes.  The source possibly, hopefully being research or commercial
scanners perhaps?  I've seen a host from a US midwest EDU source
doing this. User agent string in that case was "Mozilla/5.0 quack/1.x"

It may be some sort of censorship measurement or perhaps even something
like this type of work:

  

John


Traffic being directed at random infrastructure with pornhub.com host header (?)

2023-09-13 Thread Drew Weaver
Has anyone else recently seen a spike of port 80 traffic being sent at 
seemingly random IP addresses that include the Pornhub host header?

   0: 000C3170 A44F 35F95000 08004500  ..1p$@..5yP...E.
  16: 004D0997 4000F006 F8D59DF5 7C90CFB6  .m...@.p.xu.u|.O6
  32: 9E010050 0050 67D5 000B5002  ...P.P..gUP.
  48: 6559 4745 54202F20 48545450  ..eY..GET / HTTP
  64: 2F312E31 0D0A486F 73743A20 706F726E  /1.1..Host: porn
  80: 6875622E 636F6D0D 0A0D0A00   hub.com.

Just thought it was quirky and was wondering if anyone else had seen it. This 
particular payload was directed at a Cisco router.

Offlist is fine if needed.
-Drew
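
A detection sketch for the pattern in the capture above, as an added example that is not part of the original thread: it parses a raw IPv4 packet and flags port-80 TCP segments that carry an HTTP request whose Host header is on a watchlist, or whose request rides on a SYN (which the 5002 bytes ahead of the payload in the dump appear to show). The function names, the watchlist and the constructed sample packet (documentation addresses, zeroed checksums) are assumptions.

```python
import struct

SYN, ACK = 0x02, 0x10
METHODS = (b"GET ", b"HEAD ", b"POST ")

def inspect_ipv4(packet, watch_hosts=("pornhub.com",)):
    """Return a finding for a suspicious port-80 TCP segment, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None                       # not IPv4/TCP
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    tcp = packet[ihl:min(total_len, len(packet))]
    if ihl < 20 or len(tcp) < 20:
        return None                       # malformed or truncated
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off, flags = (tcp[12] >> 4) * 4, tcp[13]
    payload = tcp[data_off:] if data_off >= 20 else b""
    if dport != 80 or not payload.startswith(METHODS):
        return None                       # no HTTP request toward port 80
    host = None
    for line in payload.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            break
    # A request riding on the initial SYN never completed a handshake.
    syn_with_data = bool(flags & SYN) and not flags & ACK
    if host in watch_hosts or syn_with_data:
        return {"src": ".".join(map(str, packet[12:16])), "sport": sport,
                "host": host, "syn_with_data": syn_with_data}
    return None

def build_sample(flags, payload, sport=80):
    """Constructed test packet: documentation addresses, zeroed checksums."""
    tcp = struct.pack("!HHIIBBHHH", sport, 80, 1, 0, 5 << 4, flags,
                      1024, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000,
                     240, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1]))
    return ip + tcp

if __name__ == "__main__":
    req = b"GET / HTTP/1.1\r\nHost: pornhub.com\r\n\r\n"
    print(inspect_ipv4(build_sample(SYN, req)))
```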