Unusually high number of requests from Brazil

alessio Member
edited September 2014 in General

I don't know if it's just me or whether others have made a similar observation, but for the past three days there has been a huge number of single-page requests (only one single GET for the root page) coming from many different IP addresses. Those are predominantly (>50%) Brazilian addresses, all with the same user agent.

The notable thing is simply that all those requests are one single GET, all with the same user agent, yet coming from a wide variety of addresses (most from Brazil, though). With the recent bash vulnerability I'd be tempted to believe these were probe requests, but what makes me doubt this is the sheer number of different addresses from different networks and the GET request to /.

Anybody having an idea what's going on?

Comments

  • Chuck Member
    edited September 2014

    Nvm.

  • Attempted Slowloris attack? I see a lot of these from Brazil lately.

  • @Nekki said:
    Attempted Slowloris attack? I see a lot of these from Brazil lately.

    That's a good point, but at least in my case the number of connections wouldn't be high enough for an attack. The weird thing is simply the more or less regular requests, all just for the root resource and all with the same user agent, and nonetheless all from different networks (and yet still mostly from one single country).

  • alessio Member
    edited September 2014

    In the past ten minutes alone, seven requests. Six from Brazil, one from Israel. All from completely different networks.

  • letbox Member, Patron Provider

    As usual, a lot of abusers from Brazil, nothing new!

  • @key900 said:
    As usual, a lot of abusers from Brazil, nothing new!

    That's the point, it doesn't match the usual abuse/scanning pattern. It looks like someone who has a whole lot of IP addresses (and not all from the same subnet or even provider, but each from a different network) under their control, only to send out plain / requests on a regular basis. What's the point here? That's what puzzles me.

  • letbox Member, Patron Provider

    @alessio said:
    That's the point, it doesn't match the usual abuse/scanning pattern. It looks like someone who has a whole lot of IP addresses (and not all from the same subnet or even provider, but each from a different network) under their control, only to send out plain / requests on a regular basis. What's the point here? That's what puzzles me.

    I have the same one but from Costa Rica.

  • @key900 said:
    I have the same one but from Costa Rica.

    There were some requests from Costa Rica as well, but the vast majority is Brazil. In the past six hours alone, 24 requests: 16 from Brazil and one each from Sudan, Guatemala, Indonesia, Mexico, Venezuela, Paraguay, Jamaica and Russia.

  • BrianHarrison Member, Patron Provider

    If they're scanners, then you'll most likely see the IPs appearing in honeypot lists within the next 24 hours.

  • @BrianHarrison said:
    If they're scanners, then you'll most likely see the IPs appearing in honeypot lists within the next 24 hours.

    Good point, though projecthoneypot.org, for example, doesn't list the very first IP (from four days ago) yet.

    To be honest, I can't even tell what they are. This was the reason for opening this thread. A scanner usually follows a certain pattern and tries to determine whether a certain resource is present or to exploit a vulnerability. None of this is the case here, only / requests from a wide variety of networks.

  • How many of these requests are you getting per minute?

  • @alessio, is it the typical semalt crap (or its various clones)?

    They appear to have finally assembled their botnet. I just block anything with this as a referrer, user agent, or any part of the requested URL, etc.

  • Check if any of the IPs are owned by a datacenter; you can email their abuse department. Also, it would be best to ban the IP range if possible.

  • Abuse report for what? A single web page fetch?

  • @rds100 said:
    Abuse report for what? A single web page fetch?

    If you get multiple requests from a server meant to serve and not request, then it's definitely wrong. We have had multiple instances of such unusually high requests and we do complain to the datacenters from where we see a pattern.

  • @Nekki said:
    How many of these requests are you getting per minute?

    Way less than per minute. It can happen that there are hours between requests and then a whole bunch within a couple of minutes.

    @geekalot said:
    alessio, is it the typical semalt crap (or its various clones)?

    They appear to have finally assembled their botnet. I just block anything with this as a referrer, user agent, or any part of the requested URL, etc.

    A botnet is actually a very good explanation for the diversity of the addresses. I'd still question the purpose, though. There is no referrer sent and the user agent is a common one.
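Both patterns discussed in this thread, alessio's "one GET for / per IP, same user agent, many unrelated networks" traffic and the semalt referrer spam geekalot blocks by referrer, user agent or URL, can be pulled out of an ordinary access log. The script below is an added example, not code posted by anyone in the thread: it parses combined-format log lines, keeps only clients whose single request was GET /, groups them by user agent so a shared UA across many distinct IPs stands out, and separately flags any request whose referer, UA or path contains a spam marker. The sample log lines, the IPs (RFC 5737 documentation ranges) and the first-octet-to-country table are constructed; the table is only a stand-in for a real GeoIP lookup, and "semalt" is the only marker taken from the thread.

```python
"""Triage an access log for the "single GET /" pattern and for referrer spam.

Added example for this thread, not code posted by anyone in it. Log lines,
IP addresses (RFC 5737 documentation ranges) and the prefix->country table
are constructed; the country table stands in for a real GeoIP lookup.
"""
import re
from collections import Counter, defaultdict

# Combined log format as written by nginx/Apache by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed: a "common" UA of the kind alessio mentions, shared by the suspicious clients.
COMMON_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/37.0"
# Constructed stand-in for GeoIP: first octet -> country code. Not real geolocation.
PREFIX_COUNTRY = {"192": "BR", "198": "BR", "203": "CR"}
# Assumption: substring markers treated as referrer spam; "semalt" is the one named in the thread.
SPAM_MARKERS = ("semalt",)


def _line(ip, ts, method, path, status, referer, ua):
    """Build one combined-format log line (sample data only)."""
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "{referer}" "{ua}"'


SAMPLE_LOG = [
    # Four single GET / hits with the same UA from four distinct IPs (the pattern in question).
    _line("192.0.2.10", "28/Sep/2014:10:01:02 +0000", "GET", "/", 200, "-", COMMON_UA),
    _line("192.0.2.77", "28/Sep/2014:10:03:41 +0000", "GET", "/", 200, "-", COMMON_UA),
    _line("198.51.100.5", "28/Sep/2014:11:15:09 +0000", "GET", "/", 200, "-", COMMON_UA),
    _line("203.0.113.9", "28/Sep/2014:13:40:00 +0000", "GET", "/", 200, "-", COMMON_UA),
    # An ordinary visitor: several requests from one IP, so not a single-hit client.
    _line("203.0.113.42", "28/Sep/2014:10:05:00 +0000", "GET", "/", 200, "-",
          "Mozilla/5.0 Firefox/32.0"),
    _line("203.0.113.42", "28/Sep/2014:10:05:01 +0000", "GET", "/style.css", 200,
          "http://example.com/", "Mozilla/5.0 Firefox/32.0"),
    # A classic scanner: one request, but probing for a specific resource rather than /.
    _line("198.51.100.200", "28/Sep/2014:12:00:00 +0000", "GET", "/phpmyadmin/", 404, "-",
          "python-requests/2.4.0"),
    # Referrer spam: a single GET / carrying a spam referer.
    _line("192.0.2.200", "28/Sep/2014:14:00:00 +0000", "GET", "/", 200,
          "http://semalt.com/crawler.php", "Mozilla/5.0 Firefox/32.0"),
]


def parse(lines):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, lines) if m]


def single_root_hits(records):
    """Map ip -> record for clients whose only request in the log is GET /."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    return {ip: rs[0] for ip, rs in by_ip.items()
            if len(rs) == 1 and rs[0]["method"] == "GET" and rs[0]["path"] == "/"}


def shared_ua_clusters(hits, min_ips=3):
    """Group single-hit clients by user agent; keep UAs seen from >= min_ips distinct IPs.

    One IP fetching / once is noise; the same UA doing exactly that from many
    unrelated IPs is what made the traffic in the thread stand out.
    """
    ua_ips = defaultdict(set)
    for ip, r in hits.items():
        ua_ips[r["ua"]].add(ip)
    return {ua: sorted(ips) for ua, ips in ua_ips.items() if len(ips) >= min_ips}


def country_breakdown(ips, table=PREFIX_COUNTRY):
    """Count IPs per country via the constructed prefix table (swap in GeoIP for real use)."""
    return Counter(table.get(ip.split(".")[0], "??") for ip in ips)


def referrer_spam(records, markers=SPAM_MARKERS):
    """Records whose referer, UA or path contains a spam marker (case-insensitive).

    Mirrors the "block it as referrer, user agent or URL" rule from the thread.
    """
    out = []
    for r in records:
        haystack = " ".join((r["referer"], r["ua"], r["path"])).lower()
        if any(m in haystack for m in markers):
            out.append(r)
    return out


def triage(lines):
    """Run both checks and return a summary dict."""
    records = parse(lines)
    hits = single_root_hits(records)
    clusters = shared_ua_clusters(hits)
    return {
        "records": len(records),
        "single_root_ips": sorted(hits),
        "ua_clusters": {ua: dict(country_breakdown(ips)) for ua, ips in clusters.items()},
        "spam_ips": sorted(r["ip"] for r in referrer_spam(records)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, the ordinary visitor drops out because it made two requests, the scanner drops out because its one request was not for /, and what remains is one UA cluster of four IPs, which is exactly the shape alessio describes. The referrer-spam check is independent of that clustering, which matters because alessio notes the suspicious requests carry no referrer at all: a referrer blocklist would never catch them.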

  • A small follow-up...

    Brazil, or for that matter many parts of South America in general, still seems to have a certain malware "issue". The requests mentioned above eventually stopped as suddenly as they started, but they were quickly succeeded by an equally strange type of request (still no referrer or anything else spam-specific) and also by the actual semalt referrer spam requests mentioned by @geekalot before.
