Hey all,

I've been seeing a lot of server requests for the last several months, they look like this:

GET / HTTP/1.1
Host: vh.org
Cache-Control: no-cache

That's it. The particular config on our servers returns a 301 (perm redirect), which is why I noticed these requests; half our traffic being 301s spells trouble.

The traffic doesn't appear to be spoofed from what I've gathered so far after talking to a couple of sites.

The traffic pattern goes like this:

Remote Local
------------------
SYN
SYN-ACK
ACK
Request
ACK
301 Reply
RST
RST
RST
-----------------

For most IPs, this repeats every 5 minutes or so, out of a pool of 6000 addresses or so.

Anyone seen anything similar or have an idea what's behind the traffic?

Thanks,

Bill Carlson
--
Systems Administrator wcarlsonat_private | Anything is possible,
Virtual Hospital http://www.vh.org/ | given time and money.
University of Iowa Hospitals and Clinics | Opinions are mine, not my employer's.
This archive was generated by hypermail 2b30 : Tue Aug 26 2003 - 08:28:08 PDT
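
One way to look for the pattern described in the message above in a web server access log, as an added example that is not part of the original post: it flags clients that repeatedly fetch `/`, receive a 301, and come back at a roughly fixed interval, and it reports what share of all requests ended in a 301. The log format (Apache common log), the sample lines, the function names and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample lines in Apache common-log style (not from the original post).
SAMPLE_LOG = """\
192.0.2.10 - - [26/Aug/2003:08:00:02 -0500] "GET / HTTP/1.1" 301 230
192.0.2.10 - - [26/Aug/2003:08:05:01 -0500] "GET / HTTP/1.1" 301 230
192.0.2.10 - - [26/Aug/2003:08:10:03 -0500] "GET / HTTP/1.1" 301 230
192.0.2.10 - - [26/Aug/2003:08:15:02 -0500] "GET / HTTP/1.1" 301 230
203.0.113.5 - - [26/Aug/2003:08:02:00 -0500] "GET / HTTP/1.1" 301 230
203.0.113.5 - - [26/Aug/2003:08:02:01 -0500] "GET /index.html HTTP/1.1" 200 5120
203.0.113.5 - - [26/Aug/2003:08:03:30 -0500] "GET /about.html HTTP/1.1" 200 2048
203.0.113.9 - - [26/Aug/2003:08:00:00 -0500] "GET / HTTP/1.1" 301 230
203.0.113.9 - - [26/Aug/2003:08:00:20 -0500] "GET / HTTP/1.1" 301 230
203.0.113.9 - - [26/Aug/2003:08:00:45 -0500] "GET / HTTP/1.1" 301 230
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse(log_text):
    """Yield (ip, timestamp, method, path, status); malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, method, path, status = m.groups()
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def periodic_redirect_clients(log_text, period=300, tolerance=60, min_hits=3):
    """Map each client whose 'GET /' -> 301 hits recur about every `period` seconds to its hit count."""
    hits = defaultdict(list)
    for ip, when, method, path, status in parse(log_text):
        if method == "GET" and path == "/" and status == 301:
            hits[ip].append(when)
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # The median gap tolerates an occasional missed or extra request.
        if len(times) >= max(min_hits, 2) and abs(median(gaps) - period) <= tolerance:
            flagged[ip] = len(times)
    return flagged

def redirect_share(log_text):
    """Fraction of all parsed requests that were answered with a 301."""
    statuses = [s for *_, s in parse(log_text)]
    return sum(s == 301 for s in statuses) / len(statuses) if statuses else 0.0
```

On the constructed sample, only the client returning every five minutes is flagged; the browser that follows the redirect and the client retrying within seconds are not.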