Thanx for the comments, it appears that I'm not the only one who has experienced the AOL mega proxy request. I figured it was some weird normal behavior for them, after all it is AOL. It's as if they strive to defy all known logic. When you see multiple requests within the same 10 seconds from 20 hosts from within the same netblock going in basic sequential order, generally it will raise a red flag.

Thanx again for the comments

Mike

-----Original Message-----
From: Michael B. Morell
Sent: Monday, August 19, 2002 3:32 PM
To: 'incidentsat_private'
Subject: AOL "proxy" behavior?

I was wondering if anyone can verify a pattern that I just came across. While it appears that there was no attempted intrusion or invalid requests made, one of my webservers reported very heavy incoming traffic for a specific /16 netblock. The netblock is owned by AOL (195.73.x.x/16). I received about 20-30 requests (albeit valid requests) from what looked like 20 sequential hosts from within that block. Further inspection of the logs though showed that it was from really 1 session (validated thru aspsession identifier).

So my question is, does anyone know whether or not this is some sort of valid AOL proxy behavior where a request for a single page can go thru multiple proxies? Spawning multiple proxies to request information that generally only 1 proxy would get. (i.e., a request for a web page resulted in 3 different hosts getting different parts of the page, all off of the same aspsession id)

Or am I just high.

Like I said before, there were no invalid requests, port scans or anything else out of the ordinary, except that 1 page request spawned so many different hosts located in the same netblock requesting web services. I haven't seen this behavior before coming from AOL, or I just never realized it before.

Thanks for the insight anyone has to offer.

Michael B. Morell

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
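The check described in the thread (one ASP session ID arriving from many hosts in a single netblock within seconds) can be automated as below. This is an added example, not part of the original messages; the log layout, session values and the names `classify_sessions`, `window_s` and `prefix` are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the original post): time, client IP, request, cookie.
SAMPLE_LOG = """\
2002-08-19 15:02:01 195.73.10.11 GET /default.asp ASPSESSIONIDQQGGGABC=AAAA1111
2002-08-19 15:02:02 195.73.10.12 GET /images/logo.gif ASPSESSIONIDQQGGGABC=AAAA1111
2002-08-19 15:02:03 195.73.10.13 GET /css/site.css ASPSESSIONIDQQGGGABC=AAAA1111
2002-08-19 15:02:04 192.0.2.7 GET /default.asp ASPSESSIONIDQQGGGABC=BBBB2222
2002-08-19 15:02:05 192.0.2.7 GET /images/logo.gif ASPSESSIONIDQQGGGABC=BBBB2222
2002-08-19 15:02:06 198.51.100.4 GET /default.asp ASPSESSIONIDQQGGGABC=CCCC3333
2002-08-19 15:02:07 203.0.113.9 GET /account.asp ASPSESSIONIDQQGGGABC=CCCC3333
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) \S+ \S+ ASPSESSIONID\w*=(\w+)$")

def classify_sessions(log, window_s=10, prefix=16):
    """Group requests by session ID and label how each session's clients are spread."""
    sessions = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not carry a session cookie
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        sessions[m.group(3)].append((ts, ipaddress.ip_address(m.group(2))))

    report = {}
    for sid, hits in sessions.items():
        ips = {ip for _, ip in hits}
        nets = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in ips}
        times = [t for t, _ in hits]
        span = (max(times) - min(times)).total_seconds()
        if len(ips) == 1:
            verdict = "single-host"
        elif len(nets) == 1 and span <= window_s:
            # Many hosts, one netblock, one session, short burst: the pattern in the thread.
            verdict = "proxy-farm-like"
        else:
            # Same session ID from unrelated netblocks deserves a closer look.
            verdict = "review"
        report[sid] = {"hosts": len(ips), "netblocks": len(nets), "verdict": verdict}
    return report

if __name__ == "__main__":
    for sid, info in classify_sessions(SAMPLE_LOG).items():
        print(sid, info)
```

Grouping by session before counting source addresses keeps a load-balanced proxy pool from being counted as 20 separate visitors.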