HTTP-Pipeline gone mad with mobile Safari? - apache

We have a (dynamic) web application and are trying to solve some performance issues: when we look at our Apache logs it seems that a specific user agent (Safari) is sending multiple IDENTICAL requests within 1 second.
It may have to do with the implementation of pipelining in the mobile version of Safari.
The log entries look like the following lines:
188.102.30.71 - - [16/Jan/2017:21:20:41 +0100] "GET /an/existing/path?a=b HTTP/1.1" 200 407380 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_2 like Mac OS X) AppleWebKit/602.3.12 (KHTML, like Gecko) Version/10.0 Mobile/14C92 Safari/602.1" /0 /487136
188.102.30.71 - - [16/Jan/2017:21:20:42 +0100] "GET / HTTP/1.1" 200 12876 "-" "MobileSafari/602.1 CFNetwork/808.2.16 Darwin/16.3.0" /0 /79180
188.102.30.71 - - [16/Jan/2017:21:20:42 +0100] "GET / HTTP/1.1" 200 12876 "-" "MobileSafari/602.1 CFNetwork/808.2.16 Darwin/16.3.0" /0 /31172
188.102.30.71 - - [16/Jan/2017:21:20:42 +0100] "GET / HTTP/1.1" 200 12876 "-" "MobileSafari/602.1 CFNetwork/808.2.16 Darwin/16.3.0" /0 /25425
... and more of them
It seems that for one real user action we receive the identical request for another resource (here /) several times (8 to 10 times).
Is this the Apple implementation of pipelining? We don't see other user agents with this behaviour.
Is there a way to prevent these requests? We use Apache for delivering our content.
I would be glad for any hints and suggestions that may help to solve this problem.
Tino

Related

Apache random IPs in access log trying to execute scripts

I just got a quick question. My apache access log has random IPs from China, Japan, etc. It looks like they are trying to execute scripts from where they are.
The log looks like this:
171.117.10.221 - - [29/Jan/2018:08:05:04 -0800] "GET /ogPipe.aspx?name=http://www.dongtaiwang.com/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.3$
1.202.79.71 - - [29/Jan/2018:08:05:06 -0800] "GET /ogPipe.aspx?name=http://www.epochtimes.com/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (K$
113.128.104.239 - - [29/Jan/2018:08:05:11 -0800] "GET /ogPipe.aspx?name=http://www.wujieliulan.com/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Ge$
117.14.157.148 - - [29/Jan/2018:08:05:17 -0800] "GET /ogPipe.aspx?name=http://www.ntdtv.com/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 (Linux; U; Android 4.3; en-us; SM-N900T Build/JSS15J) AppleWebKit/$
110.177.75.106 - - [29/Jan/2018:08:05:37 -0800] "GET /ogPipe.aspx?name=http://www.dongtaiwang.com/ HTTP/1.1" 404 3847 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/$
221.11.229.244 - - [29/Jan/2018:08:05:57 -0800] "GET /ogPipe.aspx?name=http://www.epochtimes.com/ HTTP/1.1" 404 3847 "-" "Mozilla/5.0 (Linux; U; Android 4.3; en-us; SM-N900T Build/JSS15J) Appl$
182.101.57.39 - - [29/Jan/2018:08:06:03 -0800] "GET /ogPipe.aspx?name=http://www.epochtimes.com/ HTTP/1.1" 404 3847 "-" "Mozilla/5.0 (Linux; U; Android 4.3; en-us; SM-N900T Build/JSS15J) Apple$
113.128.104.88 - - [29/Jan/2018:08:06:13 -0800] "GET /ogPipe.aspx?name=http://www.epochtimes.com/ HTTP/1.1" 404 3847 "-" "Mozilla/5.0 (Linux; U; Android 4.3; en-us; SM-N900T Build/JSS15J) Appl$
106.114.65.1 - - [29/Jan/2018:08:06:14 -0800] "GET /ogPipe.aspx?name=http://www.wujieliulan.com/ HTTP/1.1" 404 3847 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45$
113.128.104.148 - - [29/Jan/2018:08:06:31 -0800] "GET /ogPipe.aspx?name=http://www.ntdtv.com/ HTTP/1.1" 404 3847 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_1 like Mac OS X) AppleWebKit/601.1.46$
114.221.124.84 - - [29/Jan/2018:08:06:45 -0800] "GET /ogPipe.aspx?name=http://www.ntdtv.com/ HTTP/1.1" 404 3847 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_1 like Mac OS X) AppleWebKit/601.1.46 $
172.104.108.109 - - [29/Jan/2018:08:17:50 -0800] "GET / HTTP/1.1" 302 830 "-" "Mozilla/5.0"
(None of these are my IPs, that's why I am putting them out there.)
I used an IP lookup site to see where they are. Does anyone have any advice towards what I should do?
It's a new TLS prober from GFW.
The https://example.com/ogPipe.aspx is a tool to bridge some blocked news websites in China (you can see the target websites in the log lines).
GFW intends to detect/figure it out.
Here's my Splunk search result for these 3 days (screenshots: remote_ip.png, user_agent.png).
The features of the prober:
Source ip is a one-shot address
User-Agent is simulated to Chrome/Safari/Firefox
TLS Protocol is TLSv1.2
Short answer: Ignore them.
Long answer: There are plenty of vulnerabilities in various web servers / application frameworks that hackers want to abuse. Those originating IPs may not be the hackers themselves but victims of some malware / trojan horses remotely controlled by hackers. Those victims were used by the hackers to find out whether your server is vulnerable, in the hope of more promising rewards, e.g. access to your database or passwords. If you are hosting a .NET framework application, look closely for any announcement of vulnerabilities and apply security patches if available. Especially if you do have an "ogPipe.aspx" file being served, you should examine every line of code in it to see whether there is a security loophole. As shown in your server log, it responded with HTTP code 404, meaning that you don't serve ogPipe.aspx, so you are safe. As prevailing security advice, look closely for any announcement of vulnerabilities (from your software vendor, e.g. Apache / Microsoft) and apply security patches if available.

Junks in apache access_log?

I am hosting a small test website in EC2 and there should be only 2-3 test users with valid logins to my server. However, I am seeing a lot of junk logs in my Apache access_log (/var/log/httpd/access_log):
198.2.208.231 - - [13/Dec/2013:21:11:07 +0000] "GET http://ib.adnxs.com/ttj?id=1995383&position=above HTTP/1.0" 302 - "http://www.minbusiness.net/?p=611" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.18.1 (KHTML, like Gecko) Version/5.0 Safari/533.16"
173.234.32.69 - - [13/Dec/2013:21:11:07 +0000] "GET http://ads.creafi-online-media.com/st?ad_type=iframe&ad_size=728x90,468x60&section=5172215&pub_url=${PUB_URL} HTTP/1.0" 302 - "http://lookfashionstyle.com/index.php?option=com_content&view=category&layout=blog&id=42&Itemid=98&limitstart=24" "Mozilla/4.0 (compatible; MSIE 6.0; WINDOWS; .NET CLR 1.1.4322)"
198.136.31.98 - - [13/Dec/2013:21:11:07 +0000] "GET http://ad.tagjunction.com/st?ad_type=ad&ad_size=468x60&section=4914662&pub_url=${PUB_URL} HTTP/1.0" 302 - "http://www.benzec.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"
....
Not exactly sure what's going on... Am I being attacked?
thanks!
One possibility is that your server is configured as an open proxy and some ad scams are proxying traffic through it to hide their real origin.
There are a lot of bots around the web attempting all kinds of exploits.
I spawned my web server just yesterday and already received lots of spamming/exploit attempts, like the ones in the thread I've just created (and not only those, quite a few others... Cloudflare is helping but it doesn't catch it all, at least not in the free version, which is what I am using to get some protection):
Exploit Attempts in nginx access log, Some logs without IP, what to do about it?

AppCache app prompts for internet access - Safari on iOS 7.0.1+ issues additional GET requests

I am building an offline AppCache app.
When I launch the app by clicking a home screen icon I get these 3 requests:
[18/Nov/2013:13:33:53 +0100] "GET /tso/cache.manifest HTTP/1.1" 304 - "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mobile/11B554a"
[18/Nov/2013:13:34:00 +0100] "GET /tso/apple-touch-icon-120x120.png HTTP/1.1" 200 18482 "-" "Web/1.0 CFNetwork/672.0.8 Darwin/14.0.0"
[18/Nov/2013:13:34:00 +0100] "GET /tso/apple-touch-startup-image-640x1136.png HTTP/1.1" 304 - "-" "Web/1.0 CFNetwork/672.0.8 Darwin/14.0.0"
When offline, iPhone prompts me to disable airplane mode or turn on WiFi. Other than that, the app works just fine.
Any idea what those two other CFNetwork requests are and how to either disable them or make them use the cached, offline assets? I believe iOS 6 and earlier versions of iOS 7 didn't have this behavior.
Thank you

Apache access log : multiple status code

In Apache access.log, I am used to this kind of access log line:
127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326
I was checking some apache access logs this morning and found something I'm not used to:
192.168.1.10- - [20/Feb/2013:00:00:45 +0000] "POST /form/... 404 200 252 "-" "-" 435835
There are multiple status codes. Does it mean the request was sent multiple times (something like a failed/retry mechanism)?

Receiving blank/invalid hits to my apache server that is causing slowdown

I noticed some slowing on my server earlier today and when I looked into the log files, in between legitimate site requests are blank requests like this:
108.212.75.60 - - [13/Sep/2012:16:56:28 -0400] "-" 408 - "-" "-"
108.212.75.60 - - [13/Sep/2012:16:56:28 -0400] "-" 408 - "-" "-"
108.212.75.60 - - [13/Sep/2012:16:56:28 -0400] "-" 408 - "-" "-"
108.212.75.60 - - [13/Sep/2012:16:56:28 -0400] "-" 408 - "-" "-"
Does anybody have any idea what these might be or how I can prevent them? They seem to be taking up a decent chunk of my server resources.
408 is because of a timeout.
Look at MaxClients and KeepAliveTimeout; 24 and 5 are nice values (in that order).
If this is a managed server, your admin should look at these.
If these requests are coming from a single IP or a bunch of IPs, and if you think this is an attack on purpose, you may ban them via .htaccess.
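Added example, not code from any of the posts above: one Python script that parses combined-format access_log lines (tolerating the custom trailing columns in the first post and the literal "-" request of the 408 thread) and runs the four checks these threads ask for: identical requests from one client within a one-second window (the Safari question at the top), absolute-URI requests for hosts that are not yours (the open-proxy answer), paths hit by many one-shot source IPs (the GFW prober answer), and blank 408 entries per IP (the last thread). The sample log, the thresholds and the own-host set `www.example.com` are constructed assumptions for the demonstration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Apache "combined" LogFormat. The request part is literally "-" when the
# connection timed out before a request line arrived (the 408 thread); the
# trailing group absorbs site-specific extra columns such as the
# "/0 /487136" at the end of the first post's lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?(?P<extra>.*)$'
)


def parse_line(line):
    """Return a dict for one access_log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["time"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    parts = e["request"].split()
    # "-" or a malformed request line leaves method and target empty
    e["method"], e["target"] = (parts[0], parts[1]) if len(parts) >= 2 else ("", "")
    return e


def duplicate_bursts(entries, window=timedelta(seconds=1), min_count=3):
    """Peak number of identical (client IP, User-Agent, request line) hits
    inside `window`, for keys reaching `min_count` (the Safari question)."""
    times = defaultdict(list)
    for e in entries:
        if e["target"]:
            times[(e["ip"], e["ua"], e["request"])].append(e["time"])
    bursts = {}
    for key, ts in times.items():
        ts.sort()
        peak = max(sum(1 for t in ts[i:] if t - start <= window)
                   for i, start in enumerate(ts))
        if peak >= min_count:
            bursts[key] = peak
    return bursts


def foreign_absolute_uri(entries, own_hosts):
    """Absolute-form targets (GET http://host/...) for hosts that are not ours.
    Absolute-form is legal HTTP/1.1, so only a foreign host suggests proxying."""
    return [(e["ip"], e["target"]) for e in entries
            if e["target"].startswith(("http://", "https://"))
            and urlsplit(e["target"]).hostname not in own_hosts]


def one_shot_probe_paths(entries, min_ips=3):
    """Paths requested by at least `min_ips` distinct IPs that occur only once
    in the whole log (the one-shot-address pattern of the GFW prober)."""
    hits_per_ip = Counter(e["ip"] for e in entries)
    ips_per_path = defaultdict(set)
    for e in entries:
        if e["target"] and hits_per_ip[e["ip"]] == 1:
            ips_per_path[e["target"].split("?", 1)[0]].add(e["ip"])
    return {p: len(ips) for p, ips in ips_per_path.items() if len(ips) >= min_ips}


def blank_request_timeouts(entries):
    """Count of 408 entries with no request line, per client IP."""
    return Counter(e["ip"] for e in entries
                   if e["status"] == 408 and e["request"] == "-")


def analyse(text, own_hosts):
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    return {
        "bursts": duplicate_bursts(entries),
        "proxy": foreign_absolute_uri(entries, own_hosts),
        "probes": one_shot_probe_paths(entries),
        "timeouts": blank_request_timeouts(entries),
    }


# Constructed sample modelled on the lines quoted in the threads above.
SAMPLE_LOG = """\
188.102.30.71 - - [16/Jan/2017:21:20:41 +0100] "GET /an/existing/path?a=b HTTP/1.1" 200 407380 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_2 like Mac OS X) Version/10.0 Mobile/14C92 Safari/602.1" /0 /487136
188.102.30.71 - - [16/Jan/2017:21:20:42 +0100] "GET / HTTP/1.1" 200 12876 "-" "MobileSafari/602.1 CFNetwork/808.2.16 Darwin/16.3.0" /0 /79180
188.102.30.71 - - [16/Jan/2017:21:20:42 +0100] "GET / HTTP/1.1" 200 12876 "-" "MobileSafari/602.1 CFNetwork/808.2.16 Darwin/16.3.0" /0 /31172
188.102.30.71 - - [16/Jan/2017:21:20:42 +0100] "GET / HTTP/1.1" 200 12876 "-" "MobileSafari/602.1 CFNetwork/808.2.16 Darwin/16.3.0" /0 /25425
188.102.30.71 - - [16/Jan/2017:21:20:43 +0100] "GET / HTTP/1.1" 200 12876 "-" "MobileSafari/602.1 CFNetwork/808.2.16 Darwin/16.3.0" /0 /22011
198.2.208.231 - - [13/Dec/2013:21:11:07 +0000] "GET http://ib.adnxs.com/ttj?id=1995383 HTTP/1.0" 302 - "http://www.minbusiness.net/?p=611" "Mozilla/5.0 (Windows; U; Windows NT 6.1)"
10.0.0.5 - - [13/Dec/2013:21:11:08 +0000] "GET http://www.example.com/index.html HTTP/1.1" 200 512 "-" "curl/7.64.1"
171.117.10.221 - - [29/Jan/2018:08:05:04 -0800] "GET /ogPipe.aspx?name=http://www.dongtaiwang.com/ HTTP/1.1" 404 3847 "-" "Mozilla/5.0 (Linux; Android 6.0; Nexus 5)"
1.202.79.71 - - [29/Jan/2018:08:05:06 -0800] "GET /ogPipe.aspx?name=http://www.epochtimes.com/ HTTP/1.1" 404 3847 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64)"
113.128.104.239 - - [29/Jan/2018:08:05:11 -0800] "GET /ogPipe.aspx?name=http://www.ntdtv.com/ HTTP/1.1" 404 3847 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_1 like Mac OS X)"
108.212.75.60 - - [13/Sep/2012:16:56:28 -0400] "-" 408 - "-" "-"
108.212.75.60 - - [13/Sep/2012:16:56:28 -0400] "-" 408 - "-" "-"
"""

if __name__ == "__main__":
    for check, result in analyse(SAMPLE_LOG, {"www.example.com"}).items():
        print(check, result)
```

Run it as a script to see the four results for the sample; on a real server pass the contents of /var/log/httpd/access_log and your own hostnames to `analyse`. Two caveats: a burst of identical requests says nothing about pipelining by itself, since a client retrying on separate connections looks the same in the access log; adding `%k` to the LogFormat (the number of keep-alive requests that preceded this one on the same connection) shows whether the duplicates shared a connection. And Apache only forwards absolute-URI requests when `ProxyRequests On` is set (the default is Off), so check the configuration before concluding from the detector's candidates that the server is an open proxy.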