Wireshark-users: [Wireshark-users] this traffic pattern indicates what?

Date Prev · Date Next · Thread Prev · Thread Next
From: "Linnea Wren" <lwren@xxxxxxxxxxx>
Date: Fri, 31 Oct 2008 16:58:48 -0700

Hey...

 

Our web server has intermittent failure to respond.  The web server guy describes the cause as “The server’s getting hammered”

 

I’ve been doing packet captures, and visually assessing/monitoring other counters on the box to try to get a clue as to what, exactly, is the problem.  Windows performance monitor shows incoming traffic to be minimal (1-4% bandwidth utilization), outgoing traffic to be variable (brief spikes up to 100% utilization, more commonly ranging around in the 10-50% utilization range).

 

The web server guys swear up and down that the web server is not an open proxy.  And the packet captures do not show traffic where source IP is our server and destination port is 80, so I believe that traffic confirms that the server is not an open proxy.

But, the packet captures contain LOTS of occurrences of “GET http://www.notUs.com”, which I interpret as ATTEMPTS to proxy through our server.

 

I’m not sure though…

 

For instance, “GET http://www.zanox-affiliate.com”, “GET http://www.baidu.com”, “GET http://updatem.360safe.com”.

The web server responds to these GETs with a specific file that says “The object has moved.”

 

In one file of 101,428 packets, this kind of traffic accounts for approximately 25% of IP conversations, and 50% of TCP streams.

 

A typical example of one of these streams is:

Client:

-GET http://updatem.360safe.com/safe/laneydefault.html HTTP/1.1

-Accept: */*

-UA-CPU: x86

-Accept-Encoding: gzip, deflate

-User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

-Host: updatem.360safe.com

-Proxy-Connection: Keep-Alive

-Cookie: ASPSESSIONIDCCSRQQRT=MIPEEEIBKINGMJHKJKKAGAJG

Server:

-HTTP/1.1 302 Object moved

-Date: Fri, 31 Oct 2008 17:27:38 GMT

-Server: Microsoft-IIS/6.0

-P3P: CP="CAO PSA OUR CUSa"

-X-Powered-By: ASP.NET

-Location: laneydefault.html

-Content-Length: 138

-Content-Type: text/html

-Cache-control: private

-<head><title>Object moved</title></head>

-<body><h1>Object Moved</h1>This object may be found <a HREF=""

 

In that particular stream, the same request & response are repeated over and over for 1,282 packets in 3.5 minutes.

 

Source IP addresses are all over the place – I can’t block this at our firewall.

The server has Cisco’s Security Agent, but so far I haven’t figured out if there’s a way to configure a rule to drop this traffic.

 

So, is this evidence that people are trying to proxy through us?  If not, what then?  I feel I could google for how to remediate this much more effectively if I had a better idea of what search terms would be applicable…

 

TIA for any and all thoughts…

 

Linnea