Unusually high number of requests from Brazil
I don't know if it's just me or if others have made a similar observation, but for the past three days there has been a huge number of single page requests (only one single GET for the root page) coming from many different IP addresses. Those are predominantly (>50%) Brazilian addresses, and all with the same user agent.
The notable thing is simply that all those requests are one single GET and all with the same user agent, yet coming from a wide variety of addresses (most Brazil though). With the recent bash vulnerability I'd be tempted to believe these were probe requests, but what makes me doubt this is the sheer number of different addresses from different networks and the GET request to /.
Anybody having an idea what's going on?
Comments
Nvm.
Attempted Slowloris attack? I see a lot of these from Brazil lately.
That's a good point, but at least in my case the number of connections wouldn't be high enough for an attack. The weird thing is simply the more or less regular requests, all just for the root resource and all with the same user agent, and nonetheless all from different networks (and yet still mostly from one single country).
In the past ten minutes alone, seven requests. Six from Brazil, one from Israel. All from completely different networks.
As usual, a lot of abusers from Brazil, nothing new!
That's the point, it doesn't match the usual abuse/scanning pattern. It looks like someone who has a whole lot of IP addresses (and not all from the same subnet or even provider, but each from a different network) under their control, only to send out plain / requests on a regular basis. What's the point here? That's what puzzles me.
I have the same one but from Costa Rica.
There were some requests from Costa Rica as well, but the vast majority is Brazil. In the past six hours alone, 24 requests, with 16 from Brazil and one each from Sudan, Guatemala, Indonesia, Mexico, Venezuela, Paraguay, Jamaica and Russia.
If they're scanners, then you'll most likely see the IPs appearing in honeypot lists within the next 24 hours.
Good point, though projecthoneypot.org, for example, doesn't list the very first IP (from four days ago) yet.
To be honest, I can't even tell what they are. This was the reason for opening this thread. A scanner usually follows a certain pattern and tries to determine if a certain resource is present or to exploit a vulnerability. None of this is the case here, only / requests from a wide variety of networks.
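The pattern the poster describes (many distinct IPs, each making exactly one GET for /, no referrer, one shared user agent) can be pulled out of a combined-format access log mechanically. The following is an added example, not code from anyone in this thread; the log lines, IP addresses (documentation ranges) and user agent string are constructed.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format:
# ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def single_root_fetch_clusters(lines, min_ips=3):
    """Map user agent -> sorted IPs for user agents where at least min_ips
    distinct IPs each made exactly one request, and that request was
    GET / with no referrer. Normal visitors fetch more than one resource."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    by_ua = defaultdict(set)
    for ip, recs in per_ip.items():
        if len(recs) != 1:
            continue
        r = recs[0]
        if r["method"] == "GET" and r["path"] == "/" and r["referer"] in ("", "-"):
            by_ua[r["ua"]].add(ip)
    return {ua: sorted(ips) for ua, ips in by_ua.items() if len(ips) >= min_ips}

# Constructed sample log (hypothetical): five one-shot root fetches sharing a UA,
# one ordinary visitor fetching two resources, one robots.txt fetch by a crawler.
COMMON_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 Chrome/37.0 Safari/537.36"
def _line(ip, t, req, ref, ua):
    return f'{ip} - - [{t}] "{req}" 200 2326 "{ref}" "{ua}"'
SAMPLE_LOG = [
    _line("192.0.2.10", "29/Sep/2014:10:01:02 +0000", "GET / HTTP/1.1", "-", COMMON_UA),
    _line("192.0.2.55", "29/Sep/2014:10:04:40 +0000", "GET / HTTP/1.1", "-", COMMON_UA),
    _line("198.51.100.3", "29/Sep/2014:10:05:11 +0000", "GET / HTTP/1.1", "-", COMMON_UA),
    _line("198.51.100.77", "29/Sep/2014:11:40:09 +0000", "GET / HTTP/1.1", "-", COMMON_UA),
    _line("203.0.113.4", "29/Sep/2014:11:41:30 +0000", "GET / HTTP/1.1", "-", COMMON_UA),
    _line("203.0.113.7", "29/Sep/2014:11:42:00 +0000", "GET / HTTP/1.1", "-", COMMON_UA),
    _line("203.0.113.7", "29/Sep/2014:11:42:01 +0000", "GET /style.css HTTP/1.1", "http://example.com/", COMMON_UA),
    _line("203.0.113.9", "29/Sep/2014:11:50:00 +0000", "GET /robots.txt HTTP/1.1", "-", "curl/7.38.0"),
]

if __name__ == "__main__":
    for ua, ips in single_root_fetch_clusters(SAMPLE_LOG).items():
        print(f"{len(ips)} one-shot GET / from distinct IPs with UA {ua!r}: {ips}")
```

Raise `min_ips` on a busy site; the useful signal is the count of distinct networks behind one user agent, which is what separates this traffic from ordinary first-page visits.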
How many of these requests are you getting per minute?
@alessio, Is it the typical semalt crap (or its various clones?)
They appear to have finally assembled their botnet. I just block anything with this as a referrer, useragent, or any part of the requested url, etc.
Check whether any of the IPs are owned by a data center; if so, you can email their abuse department. Also it would be best to ban the IP range if it's possible.
Abuse report for what? A single web page fetch?
If you get multiple requests from a server meant to serve and not request, then it's definitely wrong. We have had multiple instances of such unusually high requests, and we do complain to the data centers from which we see a pattern.
Way fewer than one per minute. It can happen that there are hours between requests and then a whole bunch within a couple of minutes.
A botnet is actually a very good explanation for the diversity of the addresses. I'd still question the purpose though. There is no referrer sent and the user agent is a common one.
A small follow-up...
Brazil, or for that matter many parts of South America in general, still seems to have a certain malware "issue". The requests mentioned above eventually stopped as suddenly as they started, but were quickly succeeded by an equally strange type of request (still no referrer or anything else spam-specific) and also by the actual semalt referrer spam requests mentioned by @geekalot before.