Re: Chinese HTTP ACKs
From: Frank Knobbe (frank_at_knobbe.us)
To: firstname.lastname@example.org
Date: Wed, 09 Feb 2005 16:13:53 -0600
On Wed, 2005-02-09 at 10:08 -0800, David Gillett wrote:
> I'm seeing a handful of addresses in the 126.96.36.199/23 space
> periodically send 2-3 ACKs from port 80 to semi-random addresses
> within our Class B space. The TCP checksum on these packets is
> [...] Anybody else seeing similar?
Not quite. However, we have observed the Sohu Search engine
(www.sohu.com) doing some funky stuff. It checks existing pages and
non-existing pages (like /abcdefghijklm.html) with GET and HEAD
requests. In those requests are tons of really funky cookies. At first
glance, I thought the search engine has gone bonkers, or was badly
coded. However, certain traits seem more purposeful (like checking for
the non-existing page). It appears more of a fingerprinting/recon than a
spidering of an existing site.
Oh, and they also performed proxy checks (trying GET http://www.sohu.com
against the tested hosts). Not really a feature of a search engine.
These accesses were observed from 188.8.131.52/24 and 184.108.40.206/24.
You might want to keep an eye on those subnets. Has anyone else noticed
attempts from Sohu or has some more information he can share here?
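The behaviour described in the post (HEAD/GET probes for pages that do not exist, absolute-URI "GET http://..." requests that test whether the host will act as a proxy, and traffic from the two subnets named) can be picked out of an ordinary web-server access log. The script below is an added example, not code from the original post or from any list member; it assumes NCSA/Apache common log format, and the log lines in it are constructed, not real traffic.

```python
"""Flag HTTP clients whose access-log pattern matches the recon behaviour
described in the post: probes for non-existent pages, absolute-URI (proxy)
requests, and traffic from the subnets the message names.  Added example,
not part of the original post."""
import ipaddress
import re
from collections import defaultdict

# Subnets the message says the accesses were observed from.
WATCHED_SUBNETS = [
    ipaddress.ip_network(cidr, strict=False)
    for cidr in ("188.8.131.52/24", "184.108.40.206/24")
]

# NCSA common log format: client ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not real traffic): the first client shows the
# pattern from the message, the second is an ordinary visitor.
SAMPLE_LOG = """\
188.8.131.52 - - [09/Feb/2005:10:00:01 -0600] "GET /index.html HTTP/1.0" 200 2048
188.8.131.52 - - [09/Feb/2005:10:00:02 -0600] "HEAD /abcdefghijklm.html HTTP/1.0" 404 0
188.8.131.52 - - [09/Feb/2005:10:00:03 -0600] "GET http://www.sohu.com/ HTTP/1.0" 404 312
10.0.0.5 - - [09/Feb/2005:10:01:00 -0600] "GET /index.html HTTP/1.1" 200 2048
10.0.0.5 - - [09/Feb/2005:10:01:05 -0600] "GET /favicon.ico HTTP/1.1" 404 0
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_watched(ip):
    """True if the client address falls in one of the subnets from the message."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in WATCHED_SUBNETS)


def is_proxy_probe(rec):
    """An absolute-URI request target ('GET http://host/...') asks the server
    to act as a forward proxy; an origin server normally only sees paths."""
    return rec["target"].lower().startswith(("http://", "https://"))


def analyze(lines):
    """Aggregate per-client counters over the log lines."""
    stats = defaultdict(lambda: {"requests": 0, "not_found": 0,
                                 "proxy_probe": 0, "watched": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["requests"] += 1
        s["watched"] = is_watched(rec["ip"])
        if rec["status"] == 404 and rec["method"] in ("GET", "HEAD"):
            s["not_found"] += 1
        if is_proxy_probe(rec):
            s["proxy_probe"] += 1
    return dict(stats)


def suspicious(lines, min_not_found=2):
    """Clients worth a look: any proxy probe, a watched source, or repeated
    requests for pages that do not exist.  A single 404 (e.g. favicon.ico)
    is normal and is not enough on its own."""
    stats = analyze(lines)
    return sorted(
        ip for ip, s in stats.items()
        if s["proxy_probe"] or s["watched"] or s["not_found"] >= min_not_found
    )


if __name__ == "__main__":
    for ip, s in analyze(SAMPLE_LOG.splitlines()).items():
        print(ip, s)
    print("suspicious:", suspicious(SAMPLE_LOG.splitlines()))
```

Run it against a real log with `analyze(open("access_log"))`. The absolute-URI check is the strongest single signal, since no browser sends that form to an origin server; the 404 count is a weaker heuristic and is thresholded so that ordinary visitors requesting a missing favicon are not flagged.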