This is a perfectly valid http request. Opening up a raw connection to
"vh.org" I see the following.

Request

GET / HTTP/1.0
Host: vh.org

Response

HTTP/1.1 301 Moved Permanently
Date: Tue, 26 Aug 2003 15:47:59 GMT
Server: Apache
Location: http://www.vh.org/
Connection: close
Content-Type: text/html; charset=iso-8859-1

As you can see, sending the raw request above to vh.org will cause a
redirect, as indicated by the "Location" header. By sending the request
below to "www.vh.org", a redirect will not be performed.

Request

GET / HTTP/1.0
Host: www.vh.org

Response

HTTP/1.1 200 OK
Date: Tue, 26 Aug 2003 15:49:49 GMT
Server: Apache
Last-Modified: Tue, 26 Aug 2003 00:12:07 GMT
ETag: "3afa-32ee-3f4aa5d7"
Accept-Ranges: bytes

One of the following is happening:

1. Your visitors are going to http://vh.org and being redirected to
   www.vh.org (Probably the case)
2. Your user is entering www.vh.org but the user's browser is incorrectly
   sending "vh.org" in the host header (Unlikely, and if so less than
   5 percent of total traffic)

I suspect #1 confidently. This would be something in your site
configuration and not an attack, at least not with the information you
provided below. I would read RFC 2616 for more information on HTTP 1.1 and
how it works.

Regards,

- adminat_private

>
> Hey all,
>
> I've been seeing a lot of server requests for the last several months,
> they look like this:
>
> GET / HTTP/1.1
> Host: vh.org
> Cache-Control: no-cache
>
>
> That's it. The particular config on our servers returns a 301 (perm
> redirect), which is why I noticed these requests, half our traffic
> being 301s spells trouble.
>
> The traffic doesn't appear to be spoofed from what I've gathered so far
> after talking to a couple of sites.
>
> The traffic pattern goes like this:
>
> Remote Local
> ------------------
> SYN
> SYN-ACK
> ACK
> Request
> ACK
> 301 Reply
> RST
> RST
> RST
> -----------------
>
> For most IPs, this repeats every 5 minutes or so, out of a pool of 6000
> addresses or so.
>
>
> Anyone seen anything similar or have an idea what's behind the traffic?
>
>
> Thanks,
>
> Bill Carlson
> --
> Systems Administrator wcarlsonat_private | Anything is possible,
> Virtual Hospital http://www.vh.org/ | given time and money.
> University of Iowa Hospitals and Clinics |
> Opinions are mine, not my employer's. |
This archive was generated by hypermail 2b30 : Tue Aug 26 2003 - 10:55:03 PDT
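
Added example (not part of either message in this thread): one way to pick the pattern described in the original post, the same client requesting `/` and being answered with a 301 about every five minutes, out of an Apache common-format access log. The log lines, addresses, function name and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def periodic_redirect_clients(lines, min_hits=3, period=300, tolerance=30):
    """Return {client_ip: median_gap_seconds} for clients whose 'GET /'
    requests answered with 301 recur roughly every `period` seconds."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not in common log format
        ip, ts, method, path, status = m.groups()
        if method == "GET" and path == "/" and status == "301":
            hits[ip].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for ip, times in hits.items():
        if len(times) < min_hits:
            continue  # too few samples to call it periodic
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mid = median(gaps)
        if abs(mid - period) <= tolerance:
            flagged[ip] = mid
    return flagged

# Constructed sample log (documentation address ranges), not data from the thread.
SAMPLE = [
    '192.0.2.10 - - [26/Aug/2003:15:00:00 -0500] "GET / HTTP/1.1" 301 230',
    '198.51.100.7 - - [26/Aug/2003:15:01:10 -0500] "GET / HTTP/1.1" 301 230',
    '198.51.100.7 - - [26/Aug/2003:15:01:11 -0500] "GET / HTTP/1.1" 200 13038',
    '192.0.2.10 - - [26/Aug/2003:15:05:02 -0500] "GET / HTTP/1.1" 301 230',
    '203.0.113.5 - - [26/Aug/2003:15:06:00 -0500] "GET / HTTP/1.1" 301 230',
    '203.0.113.5 - - [26/Aug/2003:15:06:10 -0500] "GET / HTTP/1.1" 301 230',
    '203.0.113.5 - - [26/Aug/2003:15:06:50 -0500] "GET / HTTP/1.1" 301 230',
    '192.0.2.10 - - [26/Aug/2003:15:09:58 -0500] "GET / HTTP/1.1" 301 230',
    '192.0.2.10 - - [26/Aug/2003:15:15:01 -0500] "GET / HTTP/1.1" 301 230',
]

if __name__ == "__main__":
    for ip, gap in periodic_redirect_clients(SAMPLE).items():
        print(f"{ip}: 301 on / about every {gap:.0f}s")
```

Only the client with a steady five-minute cadence is reported; a visitor who is redirected once and then loads the page, and a client that retries at irregular short gaps, are not.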