I was wondering if anyone can verify a pattern that I just came across. While it appears that there was no attempted intrusion or invalid requests made, one of my webservers reported very heavy incoming traffic for a specific /16 netblock. The netblock is owned by AOL (195.73.x.x/16). I received about 20-30 requests (albeit valid requests) from what looked like 20 sequential hosts from within that block. Further inspection of the logs, though, showed that it was really from 1 session (validated thru aspsession identifier).

So my question is, does anyone know whether or not this is some sort of valid AOL proxy behavior where a request for a single page can go thru multiple proxies, spawning multiple proxies to request information that generally only 1 proxy would get? (i.e., a request for a web page resulted in 3 different hosts getting different parts of the page, all off of the same aspsession id.) Or am I just high?

Like I said before, there were no invalid requests, port scans or anything else out of the ordinary, except that 1 page request spawned so many different hosts located in the same netblock requesting web services. I haven't seen this behavior before coming from AOL, or I just never realized it before.

Thanks for the insight anyone has to offer.

Michael B. Morell

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Aug 19 2002 - 13:51:29 PDT
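The check described in the post (one ASP session id arriving from several hosts in the same /16) can be run over a web log as below. This is an added example, not code from the poster or the list. It assumes an IIS W3C-style field order, and the log lines are constructed samples using documentation address ranges.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample (assumed IIS W3C-style order): date time c-ip cs-method cs-uri-stem cs(Cookie)
SAMPLE_LOG = """\
2002-08-19 10:00:01 198.51.100.10 GET /default.asp ASPSESSIONIDQQGGGLAC=AAAABBBBCCCCDDDDEEEEFFFF
2002-08-19 10:00:01 198.51.100.11 GET /images/logo.gif ASPSESSIONIDQQGGGLAC=AAAABBBBCCCCDDDDEEEEFFFF
2002-08-19 10:00:02 198.51.100.12 GET /style.css ASPSESSIONIDQQGGGLAC=AAAABBBBCCCCDDDDEEEEFFFF
2002-08-19 10:00:05 203.0.113.5 GET /default.asp ASPSESSIONIDQQGGGLAC=GGGGHHHHIIIIJJJJKKKKLLLL
2002-08-19 10:00:06 203.0.113.5 GET /style.css ASPSESSIONIDQQGGGLAC=GGGGHHHHIIIIJJJJKKKKLLLL
2002-08-19 10:00:07 198.51.100.13 GET /default.asp -
"""

SESSION_RE = re.compile(r"ASPSESSIONID[A-Z]+=([A-Z]+)")


def sessions_by_netblock(log_text, prefix_len=16):
    """Map session id -> {netblock: set of client IPs} for every logged request."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or line.startswith("#"):
            continue  # skip W3C directive lines and short/garbled records
        match = SESSION_RE.search(fields[5])
        if not match:
            continue  # request carried no ASP session cookie
        try:
            ip = ipaddress.ip_address(fields[2])
        except ValueError:
            continue  # client field is not an IP address
        block = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        seen[match.group(1)][str(block)].add(str(ip))
    return seen


def multi_host_sessions(log_text, min_hosts=2, prefix_len=16):
    """Return (session, netblock, sorted hosts) where one session used several hosts in one block."""
    hits = []
    for session, blocks in sessions_by_netblock(log_text, prefix_len).items():
        for block, hosts in blocks.items():
            if len(hosts) >= min_hosts:
                hits.append((session, block, sorted(hosts)))
    return sorted(hits)


if __name__ == "__main__":
    for session, block, hosts in multi_host_sessions(SAMPLE_LOG):
        print(f"session {session}: {len(hosts)} hosts in {block}: {', '.join(hosts)}")
```

A session that appears from many hosts inside one netblock matches the pattern in the post; the same session appearing from unrelated netblocks is a different signal and is reported per block here so the two can be told apart.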