(moderator can kill thread) AOL "proxy" behavior?

From: Michael B. Morell (MMorellat_private)
Date: Mon Aug 19 2002 - 14:22:52 PDT

  • Next message: Mike Arnold: "Re: AOL "proxy" behavior?"

    Thanx for the comments, it appears that I'm not the only one who has
    experienced the
    AOL mega proxy request.
    I figured it was some weird normal behavior for them, after all it is AOL.
    It's as if they strive to defy all known logic.
    When you see multiple requests within the same 10 seconds from 20 hosts from
    within the same netblock going in basic sequential order, generally it will
    raise a red flag.
    Thanx again for the comments
    -----Original Message-----
    From: Michael B. Morell 
    Sent: Monday, August 19, 2002 3:32 PM
    To: 'incidentsat_private'
    Subject: AOL "proxy" behavior?
    I was wondering if anyone can verify a pattern that I just came across.
    While it appears that there was no attempted intrusion or invalid requests
    One of my webservers reported very heavy incoming traffic for a specific /16
    The netblock is owned by AOL (195.73.x.x/16).  I received about 20-30
    requests (albeit valid requests) from what looked like 20 sequential hosts
    from within that block.  Further inspection of the logs though showed that
    it was from really 1 session (validated thru aspsession identifier).
    So my question is, does anyone know whether or not that this is some sort of
    valid AOL proxy behavior where a request for a single page can go thru
    multiple proxies?  Spawning multiple proxies to request information that
    generally only 1 proxy would get.  (ie, a request for a web page resulted in
    3 different hosts getting different parts of the page, all off of the same
    aspsession id)
    Or am I just high.
    Like I said before, there was no invalid requests, port scans or anything
    else out of the ordinary, except that 1 page request spawned so many
    different hosts located in the same netblock requesting web services.
    I haven't seen this behavior before coming from AOL, or I just never
    realized it before.
    Thanks for the insight anyone has to offer.
    Michael B. Morell
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com

    This archive was generated by hypermail 2b30 : Tue Aug 20 2002 - 09:28:47 PDT