Wireshark-users: [Wireshark-users] this traffic pattern indicates what?
Hey... Our web server has intermittent failures to respond.
The web server guy describes the cause as “The server’s getting
hammered.” I’ve been doing packet captures, and visually assessing/monitoring
other counters on the box to try to get a clue as to what, exactly, the
problem is. Windows Performance Monitor shows incoming traffic to be minimal
(1-4% bandwidth utilization) and outgoing traffic to be variable (brief spikes up
to 100% utilization, more commonly ranging in the 10-50%
range). The web server guys swear up and down that the web server is
not an open proxy, and the packet captures do not show traffic where the
source IP is our server and the destination port is 80, so I believe that traffic
confirms that the server is not an open proxy. But the packet captures contain LOTS of occurrences of
“GET http://www.notUs.com”, which I interpret as ATTEMPTS to proxy through our server.
I’m not sure, though... For instance, “GET http://www.zanox-affiliate.com”,
“GET http://www.baidu.com”, “GET http://updatem.360safe.com”. The web server responds
to these GETs with a specific file that says “The object has moved.” In one file of
101,428 packets, this kind of traffic accounts for approximately 25% of IP conversations
and 50% of TCP streams. A typical example of one of these streams is:

Client:
GET http://updatem.360safe.com/safe/laneydefault.html HTTP/1.1
Accept: */*
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: updatem.360safe.com
Proxy-Connection: Keep-Alive
Cookie: ASPSESSIONIDCCSRQQRT=MIPEEEIBKINGMJHKJKKAGAJG

Server:
HTTP/1.1 302 Object moved
Date: Fri, 31 Oct 2008 17:27:38 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO PSA OUR CUSa"
X-Powered-By: ASP.NET
Location: laneydefault.html
Content-Length: 138
Content-Type: text/html
Cache-control: private

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF=""
In that particular stream, the same request & response
are repeated over and over for 1,282 packets in 3.5 minutes. Source IP addresses are all over the place – I can’t
block this at our firewall. The server has Cisco’s Security Agent, but so far I
haven’t figured out if there’s a way to configure a rule to drop
this traffic. So, is this evidence that people are trying to proxy through
us? If not, what then? I feel I could google for how to remediate
this much more effectively if I had a better idea of what search terms would be
applicable... TIA for any and all thoughts...

Linnea
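The stream quoted in the post can be triaged programmatically. The Python below is an added example, not code from Linnea's post or from Wireshark: it parses constructed sample requests modelled on the ones in the post (the hostname www.example-ours.com standing in for the server's own name is an assumption), flags proxy-style requests (an absolute-form request target naming a foreign host, or a Proxy-Connection header, both of which only a client talking to a proxy sends), and checks whether the server's relative Location header resolves back to the URL that was requested. For the quoted stream it does: "laneydefault.html" resolved against http://updatem.360safe.com/safe/laneydefault.html is the same URL, which is the kind of 302 a redirect-following client will chase in a tight loop.

```python
"""Classify captured HTTP requests as proxy-style and detect self-redirects.

Added example, not part of the original post. The sample requests below are
constructed to resemble the ones in the post; OUR_HOSTS is an assumed name
for the server being investigated.
"""
from urllib.parse import urljoin, urlsplit

# Hypothetical: the hostnames our own server legitimately answers for.
OUR_HOSTS = {"www.example-ours.com"}

# Constructed sample requests (CRLF-delimited, as they appear on the wire).
SAMPLE_REQUESTS = [
    "GET http://updatem.360safe.com/safe/laneydefault.html HTTP/1.1\r\n"
    "Host: updatem.360safe.com\r\nProxy-Connection: Keep-Alive\r\n\r\n",
    "GET http://www.baidu.com/ HTTP/1.1\r\n"
    "Host: www.baidu.com\r\nProxy-Connection: Keep-Alive\r\n\r\n",
    # A normal origin-form request to our own site, for contrast.
    "GET /index.asp HTTP/1.1\r\n"
    "Host: www.example-ours.com\r\nConnection: Keep-Alive\r\n\r\n",
]


def parse_request(raw):
    """Split a raw HTTP request head into (method, target, headers)."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def is_proxy_request(raw):
    """True if the request only makes sense when addressed to a proxy.

    Two signals: an absolute-form request target (GET http://host/...) whose
    host is not one of ours, or a Proxy-Connection header, which browsers
    send only when they believe they are talking to a proxy.
    """
    _method, target, headers = parse_request(raw)
    parts = urlsplit(target)
    absolute_form = parts.scheme in ("http", "https") and bool(parts.netloc)
    foreign_host = absolute_form and parts.hostname not in OUR_HOSTS
    return foreign_host or "proxy-connection" in headers


def redirect_resolves_to_self(request_target, location):
    """True when following the Location header lands on the requested URL.

    RFC 3986 relative resolution: a bare filename in Location is resolved
    against the request URL's directory, so 'laneydefault.html' sent in
    reply to /safe/laneydefault.html points straight back at itself.
    """
    return urljoin(request_target, location) == request_target


def summarize(requests):
    """Count proxy-style requests and list the foreign hosts they target."""
    proxy = [r for r in requests if is_proxy_request(r)]
    hosts = sorted({parse_request(r)[2].get("host", "") for r in proxy})
    return {"total": len(requests), "proxy": len(proxy), "proxy_hosts": hosts}


if __name__ == "__main__":
    print(summarize(SAMPLE_REQUESTS))
    print(redirect_resolves_to_self(
        "http://updatem.360safe.com/safe/laneydefault.html", "laneydefault.html"))
```

To pull the same population straight out of a capture, the Wireshark display filter `http.request.uri matches "^https?://"` selects absolute-form requests, and `tshark -r capture.pcap -Y 'http.request.uri matches "^http://"' -T fields -e ip.src -e http.host` lists the source addresses and target hosts behind them; sorting that output by ip.src shows whether the load is a few clients looping on the redirect or many distinct ones probing for an open proxy.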