Re: Chinese HTTP ACKs
From: Frank Knobbe (frank_at_knobbe.us)
Date: 02/09/05
- Previous message: David Gillett: "Chinese HTTP ACKs"
- In reply to: David Gillett: "Chinese HTTP ACKs"
- Next in thread: Peter Kerr: "Re: Chinese HTTP ACKs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: gillettdavid@fhda.edu
Date: Wed, 09 Feb 2005 16:13:53 -0600
On Wed, 2005-02-09 at 10:08 -0800, David Gillett wrote:
> I'm seeing a handful of addresses in the 61.143.210.0/23 space
> periodically send 2-3 ACKs from port 80 to semi-random addresses
> within our Class B space. The TCP checksum on these packets is
> incorrect.
> [...] Anybody else seeing similar?
Not quite. However, we have observed the Sohu search engine
(www.sohu.com) doing some funky stuff. It checks existing pages and
non-existing pages (like /abcdefghijklm.html) with GET and HEAD
requests. In those requests are tons of really funky cookies. At first
glance, I thought the search engine had gone bonkers, or was badly
coded. However, certain traits seem more purposeful (like checking for
the non-existing page). It appears to be more of a fingerprinting/recon than a
spidering of an existing site.
Oh, and they also performed proxy checks (trying GET http://www.sohu.com
against the tested hosts). Not really a feature of a search engine
either :)
These accesses were observed from 61.135.131.0/24 and 220.181.26.0/24.
You might want to keep an eye on those subnets. Has anyone else noticed
attempts from Sohu or has some more information he can share here?
Cheers,
Frank
- application/pgp-signature attachment: This is a digitally signed message part
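The two traits Frank describes (GET/HEAD requests for a made-up path, and an absolute-URI request such as GET http://www.sohu.com/ to test whether the host acts as an open proxy) are both visible in an ordinary web-server access log. The following is an added example, not code from the thread or from any of its participants: it scores client addresses in Apache "combined" format log lines by those two indicators. The log lines, the local host name www.example.edu and the flagging thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" format (not real traffic from the thread).
# The first client requests a real page, then a made-up path via HEAD and GET,
# then asks for a foreign site (proxy check), then asks for our own site in absolute form.
SAMPLE_LOG = """\
61.135.131.10 - - [09/Feb/2005:14:02:11 -0600] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
61.135.131.10 - - [09/Feb/2005:14:02:12 -0600] "HEAD /abcdefghijklm.html HTTP/1.1" 404 0 "-" "Mozilla/4.0"
61.135.131.10 - - [09/Feb/2005:14:02:13 -0600] "GET /abcdefghijklm.html HTTP/1.1" 404 312 "-" "Mozilla/4.0"
61.135.131.10 - - [09/Feb/2005:14:02:14 -0600] "GET http://www.sohu.com/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
61.135.131.10 - - [09/Feb/2005:14:02:15 -0600] "GET http://www.example.edu/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
10.0.0.5 - - [09/Feb/2005:14:03:00 -0600] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [09/Feb/2005:14:03:05 -0600] "GET /missing.gif HTTP/1.1" 404 280 "http://example.org/" "Mozilla/5.0"
"""

# Apache "combined" log format. The request line is split into method, target and
# protocol so that absolute-form targets (http://host/path) can be told from
# origin-form targets (/path).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_proxy_probe(entry, local_hosts):
    """Absolute-form request line whose host is not one of ours.

    HTTP/1.1 lets a client send "GET http://our.host/ HTTP/1.1" legitimately, so only
    a foreign host in the target counts as an open-proxy check. A 200 reply alone does
    not prove the server proxied the request; that needs a look at what was returned.
    """
    target = entry["target"]
    if not target.lower().startswith(("http://", "https://")):
        return False
    host = (urlsplit(target).hostname or "").lower()
    return host not in local_hosts


def is_missing_page_probe(entry):
    """GET or HEAD for a path that does not exist, sent without a Referer.

    Heuristic: a broken link followed from a real page normally carries a Referer,
    while a scanner asking for an invented path (like /abcdefghijklm.html) does not.
    """
    return (entry["method"] in ("GET", "HEAD")
            and entry["status"] == 404
            and entry["referer"] in ("", "-"))


def score_sources(log_text, local_hosts, missing_threshold=2):
    """Count the two probe indicators per client address and flag likely recon sources."""
    local_hosts = {h.lower() for h in local_hosts}
    counts = defaultdict(lambda: {"requests": 0, "proxy_probes": 0,
                                  "missing_probes": 0, "flagged": False})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line; skip rather than abort the whole run
        c = counts[entry["ip"]]
        c["requests"] += 1
        if is_proxy_probe(entry, local_hosts):
            c["proxy_probes"] += 1
        if is_missing_page_probe(entry):
            c["missing_probes"] += 1
    for c in counts.values():
        # One proxy check is already suspicious; 404s need a small run to stand out.
        c["flagged"] = c["proxy_probes"] > 0 or c["missing_probes"] >= missing_threshold
    return dict(counts)


if __name__ == "__main__":
    for ip, c in sorted(score_sources(SAMPLE_LOG, {"www.example.edu"}).items()):
        print(ip, c)
```

Run against a real access log, the host set should hold every name the server answers for, otherwise legitimate absolute-form requests for your own virtual hosts will be counted as proxy probes. The 404 heuristic is deliberately loose; tightening it (for example, by requiring the same made-up path via both HEAD and GET, as in the observed traffic) cuts false positives from ordinary broken links.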