(moderator can kill thread) AOL "proxy" behavior?

From: Michael B. Morell (MMorellat_private)
Date: Mon Aug 19 2002 - 14:22:52 PDT

Next message: Mike Arnold: "Re: AOL "proxy" behavior?"

Previous message: Russell Fulton: "RE: Increased IIS scans mainly on 66.0.0.0/8 - Update"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Thanx for the comments, it appears that I'm not the only one who has
experienced the
AOL mega proxy request.

I figured it was some weird normal behavior for them, after all it is AOL.
It's as if they strive to defy all known logic.

When you see multiple requests within the same 10 seconds from 20 hosts from
within the same netblock going in basic sequential order, generally it will
raise a red flag.

Thanx again for the comments

Mike

-----Original Message-----
From: Michael B. Morell 
Sent: Monday, August 19, 2002 3:32 PM
To: 'incidentsat_private'
Subject: AOL "proxy" behavior?


I was wondering if anyone can verify a pattern that I just came across.

While it appears that there was no attempted intrusion or invalid requests
made.
One of my webservers reported very heavy incoming traffic for a specific /16
netblock.

The netblock is owned by AOL (195.73.x.x/16).  I received about 20-30
requests (albeit valid requests) from what looked like 20 sequential hosts
from within that block.  Further inspection of the logs though showed that
it was from really 1 session (validated thru aspsession identifier).

So my question is, does anyone know whether or not that this is some sort of
valid AOL proxy behavior where a request for a single page can go thru
multiple proxies?  Spawning multiple proxies to request information that
generally only 1 proxy would get.  (ie, a request for a web page resulted in
3 different hosts getting different parts of the page, all off of the same
aspsession id)

Or am I just high.

Like I said before, there was no invalid requests, port scans or anything
else out of the ordinary, except that 1 page request spawned so many
different hosts located in the same netblock requesting web services.

I haven't seen this behavior before coming from AOL, or I just never
realized it before.

Thanks for the insight anyone has to offer.

Michael B. Morell

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Mike Arnold: "Re: AOL "proxy" behavior?"
Previous message: Russell Fulton: "RE: Increased IIS scans mainly on 66.0.0.0/8 - Update"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Aug 20 2002 - 09:28:47 PDT