AOL "proxy" behavior?

From: Michael B. Morell (MMorell@vdat.com)
Date: 08/19/02


From: "Michael B. Morell" <MMorell@vdat.com>
To: "'incidents@securityfocus.com'" <incidents@securityfocus.com>
Date: Mon, 19 Aug 2002 15:32:26 -0400

I was wondering if anyone can verify a pattern that I just came across.

While it appears that there were no attempted intrusions or invalid requests
made, one of my webservers reported very heavy incoming traffic for a specific
/16 netblock.

The netblock is owned by AOL (195.73.x.x/16). I received about 20-30
requests (albeit valid requests) from what looked like 20 sequential hosts
from within that block. Further inspection of the logs, though, showed that
it was really from 1 session (validated thru aspsession identifier).

So my question is, does anyone know whether or not this is some sort of
valid AOL proxy behavior where a request for a single page can go thru
multiple proxies, spawning multiple proxies to request information that
generally only 1 proxy would get? (i.e., a request for a web page resulted in
3 different hosts getting different parts of the page, all off of the same
aspsession id)

Or am I just high?

Like I said before, there were no invalid requests, port scans or anything
else out of the ordinary, except that 1 page request spawned so many
different hosts located in the same netblock requesting web services.

I haven't seen this behavior before coming from AOL, or I just never
realized it before.

Thanks for the insight anyone has to offer.

Michael B. Morell

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
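
One way to check web logs for the pattern described in the post above, as an added example that is not part of the original message: it groups requests by ASP session cookie value and labels each session as seen from one address, from several addresses inside one /16, or from more than one netblock. The log layout, session values and the 10.73.0.0/16 and 172.16.0.0/16 addresses are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines (not from the original post):
# time, client IP, method, URI, session cookie.
# 10.73.0.0/16 is a stand-in for the proxy netblock.
SAMPLE_LOG = """\
15:30:01 10.73.4.11 GET /default.asp ASPSESSIONIDQQGGQAB=KLMNOPAAA
15:30:01 10.73.4.12 GET /img/logo.gif ASPSESSIONIDQQGGQAB=KLMNOPAAA
15:30:02 10.73.4.13 GET /css/site.css ASPSESSIONIDQQGGQAB=KLMNOPAAA
15:30:05 10.73.9.40 GET /default.asp ASPSESSIONIDQQGGQAB=ZZTOPBBBB
15:31:10 10.73.4.12 GET /account.asp ASPSESSIONIDQQGGQAB=HIJKLCCCC
15:31:12 172.16.8.9 GET /account.asp ASPSESSIONIDQQGGQAB=HIJKLCCCC
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) ASPSESSIONID\w*=(\w+)$")


def sessions_by_source(log_text, prefix_len=16):
    """Return {session id: {netblock: set of client IPs}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # no session cookie on this line
        ip = ipaddress.ip_address(m.group(2))
        block = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        seen[m.group(5)][str(block)].add(str(ip))
    return seen


def classify(blocks):
    """Label one session from the netblocks and addresses it came from."""
    total_ips = sum(len(ips) for ips in blocks.values())
    if total_ips == 1:
        return "single-source"
    if len(blocks) == 1:
        return "multi-ip-same-netblock"  # the pattern the post describes
    return "multi-netblock"  # same session id from unrelated networks


def report(log_text, prefix_len=16):
    """Return {session id: label} for every session in the log."""
    sessions = sessions_by_source(log_text, prefix_len)
    return {sid: classify(blocks) for sid, blocks in sessions.items()}
```

A session labelled `multi-netblock` is the case that deserves a closer look, since the same session identifier arriving from unrelated networks is not explained by one provider's proxy pool.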


