On Tue, Mar 19, 2013 at 12:27 AM, Chuck Mariotti <[email protected]> wrote:
> We are seeing a lot of http requests to legitimate URLs on our web server…
> the URLs are pages that do auto redirects to other content pages. The
> redirects are collecting site stats and the high number of requests are
> knocking the tracking stats way out of whack compared to the norm.
> Essentially someone is pretending to browse our content, over and over
> again…. Throwing our stats into a mess.
>
> The problem is that the ‘culprit’ appears to be from multiple IP addresses,
> mostly in our own city proximity and using slightly different host headers…
> so they are trying hard to look like legitimate traffic… it is next to
> impossible to differentiate between what is legit and what is fake (the only
> giveaway is the frequency of the pages visited and that the stats have
> jumped significantly). The IP addresses keep changing as well.
>
> My knowledge of current spoof techniques is limited, but I am under the
> impression that it’s pretty hard to spoof an IP address for an http request.
> We are definitely serving up the pages and redirecting, so they are getting
> responses which implies that they are real computers doing this work.
>

It's effectively impossible to blind spoof TCP, so since you're completing the TCP session you can be assured the traffic is really coming from where it claims to be.

Is it a high rate from a smallish number of IPs, or a low rate from a large number? What specifically do the HTTP requests look like? Getting full packet captures and examining the REFERER and other parts of the HTTP request may at least lead you to an explanation of why it's happening and a better understanding of what's happening, at which point you can implement mitigation if necessary or feasible.

This doesn't sound like a deliberate attack, rather that someone did something to whatever you're hosting to cause this to happen, which is where the REFERER may lead you directly to the answer.

_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list
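
The triage questions raised in the reply above (few IPs at a high rate or many IPs at a low rate, and what the Referer header says) can be answered from the web server's access log. This is an added example, not part of the original thread; it assumes Combined Log Format, a hypothetical `/go/` prefix for the redirect pages, and sample log lines constructed for illustration.

```python
import re
from collections import Counter

# Combined Log Format: ip - - [time] "METHOD path proto" status bytes "referer" "user-agent"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample (documentation IP ranges; /go/ is a hypothetical redirect path).
SAMPLE = """\
198.51.100.7 - - [19/Mar/2013:00:01:02 +0000] "GET /go/123 HTTP/1.1" 302 0 "http://widgets.example/embed.html" "Mozilla/5.0"
198.51.100.8 - - [19/Mar/2013:00:01:03 +0000] "GET /go/123 HTTP/1.1" 302 0 "http://widgets.example/embed.html" "Mozilla/5.0"
203.0.113.5 - - [19/Mar/2013:00:01:04 +0000] "GET /go/456 HTTP/1.1" 302 0 "http://widgets.example/embed.html" "Mozilla/5.0"
198.51.100.7 - - [19/Mar/2013:00:01:09 +0000] "GET /go/123 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [19/Mar/2013:00:01:10 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
not a log line
"""

def summarize(log_text, redirect_prefix="/go/", top=3):
    """Count redirect-page hits per client IP and per Referer value."""
    per_ip, referers = Counter(), Counter()
    skipped = 0
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            skipped += 1          # keep a count so parse failures are visible
            continue
        if not m["path"].startswith(redirect_prefix):
            continue              # only the tracked redirect pages matter here
        per_ip[m["ip"]] += 1
        ref = m["referer"]
        referers[ref if ref not in ("", "-") else "(none)"] += 1
    return {
        "requests": sum(per_ip.values()),
        "distinct_ips": len(per_ip),
        "max_per_ip": max(per_ip.values(), default=0),
        "top_ips": per_ip.most_common(top),
        "top_referers": referers.most_common(top),
        "skipped": skipped,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

A single Referer dominating `top_referers` while `distinct_ips` is large and `max_per_ip` is small points at a third-party page embedding or linking the redirect URLs rather than at one misbehaving client.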
