Wireshark-users: Re: [Wireshark-users] this traffic pattern indicates what?
From: Sake Blok <sake@xxxxxxxxxx>
Date: Sat, 1 Nov 2008 10:16:30 +0100
On Fri, Oct 31, 2008 at 04:58:48PM -0700, Linnea Wren wrote:
>
> I've been doing packet captures, and visually assessing/monitoring other
> counters on the box to try to get a clue as to what, exactly, is the
> problem. Windows performance monitor shows incoming traffic to be minimal
> (1-4% bandwidth utilization), outgoing traffic to be variable (brief
> spikes up to 100% utilization, more commonly ranging around in the 10-50%
> utilization range).

How about the CPU utilisation and disk IO?

[...]

> In one file of 101,428 packets, this kind of traffic accounts for
> approximately 25% of IP conversations, and 50% of TCP streams.

That's a big waste of your bandwidth and webserver capacity...

> A typical example of one of these streams is:
>
> Client:
> -GET http://updatem.360safe.com/safe/laneydefault.html HTTP/1.1

The fact that the hostname is in the GET request means that the client initiating this request was indeed configured to use a proxy. A normal (direct) request would look like:

GET /safe/laneydefault.html HTTP/1.1
Host: updatem.360safe.com
...

> -HTTP/1.1 302 Object moved
> -Date: Fri, 31 Oct 2008 17:27:38 GMT
> -Server: Microsoft-IIS/6.0
> -P3P: CP="CAO PSA OUR CUSa"
> -X-Powered-By: ASP.NET
> -Location: laneydefault.html
> -Content-Length: 138
> -Content-Type: text/html
> -Cache-control: private
> -<head><title>Object moved</title></head>
> -<body><h1>Object Moved</h1>This object may be found <a
> HREF="laneydefault.html">here</a>.</body>

I would try to make IIS drop connections to unknown hosts, instead of replying with a redirect. Or at least answer with a 404.

> In that particular stream, the same request & response are repeated over
> and over for 1,282 packets in 3.5 minutes.

That's because of the redirection with a relative URL instead of an absolute URL.

Say someone has "accidentally" configured your server as their proxy and requests http://updatem.360safe.com/safe/, your IIS is now telling it that the object has moved to http://updatem.360safe.com/safe/laneydefault.html which again results in a redirect to http://updatem.360safe.com/safe/laneydefault.html and so on. You have created a loop which will of course swamp the server, depending on the speed at which the client can issue the requests.

> Source IP addresses are all over the place - I can't block this at our
> firewall.
>
> The server has Cisco's Security Agent, but so far I haven't figured out if
> there's a way to configure a rule to drop this traffic.

If you have an IDP, you might be able to create a ruleset that allows requests with a header like "Host: yoursite.com" and blocks all other requests. Or maybe some application layer filter in your firewall might be able to do that.

> So, is this evidence that people are trying to proxy through us? If not,
> what then? I feel I could google for how to remediate this much more
> effectively if I had a better idea of what search terms would be
> applicable...

Yes, it seems like there are people probing your webserver to see whether it is an open proxy. I'm not a webmaster, but I can imagine that that's "normal" traffic these days :(

The real problem I think is the loop that the 302 is creating. Have your server issue a 404 for every unknown site and I think you will see an improvement in your server's reachability.

Cheers,
Sake
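Added example (not from the thread or from Wireshark): a small Python script that does two things the reply above reasons about by hand. It tells a proxy-style request (absolute URI in the request line) from a direct one (path plus Host header), which is the basis of the "allow only Host: yoursite.com" filter suggested above, and it resolves the relative Location of the captured 302 against the requested URL to show that the second hop lands on the same URL, i.e. the loop. The redirect tracer is general, so it also shows that a 404 ends the exchange. The sample messages are constructed from the headers quoted in the thread; the served host name www.example.com and the Content-Length values are assumptions.

```python
"""Added example: classify captured HTTP request lines as proxy-style or
direct, and trace the redirect loop that a relative Location header
creates.  Sample messages below are constructed from the thread, not
taken from a pcap; the served host name is an assumption."""
from urllib.parse import urljoin

# Constructed sample messages (hosts other than updatem.360safe.com are assumed).
PROXY_STYLE_REQUEST = (
    "GET http://updatem.360safe.com/safe/laneydefault.html HTTP/1.1\r\n"
    "Host: updatem.360safe.com\r\n"
    "\r\n"
)
DIRECT_REQUEST = (
    "GET /safe/laneydefault.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"       # assumed name of the site IIS actually serves
    "\r\n"
)
DIRECT_FOREIGN_REQUEST = (
    "GET /safe/laneydefault.html HTTP/1.1\r\n"
    "Host: updatem.360safe.com\r\n"   # origin-form, but for a host we do not serve
    "\r\n"
)
RESPONSE_302 = (
    "HTTP/1.1 302 Object moved\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Location: laneydefault.html\r\n"   # relative, as in the captured stream
    "Content-Length: 0\r\n"
    "\r\n"
)
RESPONSE_404 = "HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"


def parse_message(raw):
    """Split a raw HTTP/1.1 message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def is_proxy_style(request_line):
    """True when the request target is an absolute URI (absolute-form).
    Clients only send that form when they are talking to a proxy;
    a direct request uses a path (origin-form) plus a Host header."""
    _method, target, _version = request_line.split(" ", 2)
    return target.lower().startswith(("http://", "https://"))


def classify_request(raw_request, served_hosts):
    """Return 'proxy-probe', 'foreign-host' or 'ok' for a captured request,
    mirroring a filter that admits only requests for the hosts we serve."""
    start, headers, _ = parse_message(raw_request)
    if is_proxy_style(start):
        return "proxy-probe"
    host = headers.get("host", "").split(":")[0].lower()
    if host not in served_hosts:
        return "foreign-host"
    return "ok"


def redirect_target(request_url, raw_response):
    """Resolve the Location of a 3xx response against the URL that was
    requested (RFC 3986 relative resolution); None if not a redirect."""
    status_line, headers, _ = parse_message(raw_response)
    if not status_line.split(" ")[1].startswith("3") or "location" not in headers:
        return None
    return urljoin(request_url, headers["location"])


def trace_redirects(start_url, responder, max_hops=10):
    """Follow redirects returned by responder(url) -> raw response.
    Returns (urls visited, looped): looped is True once a target repeats."""
    visited = [start_url]
    url = start_url
    for _ in range(max_hops):
        nxt = redirect_target(url, responder(url))
        if nxt is None:
            return visited, False
        if nxt in visited:
            return visited, True
        visited.append(nxt)
        url = nxt
    return visited, False


if __name__ == "__main__":
    served = {"www.example.com"}
    for req in (PROXY_STYLE_REQUEST, DIRECT_REQUEST, DIRECT_FOREIGN_REQUEST):
        print(req.split("\r\n")[0], "->", classify_request(req, served))
    # IIS answering every request with the captured 302: the second hop repeats.
    print(trace_redirects("http://updatem.360safe.com/safe/", lambda u: RESPONSE_302))
    # The same client against a server that answers 404: no loop.
    print(trace_redirects("http://updatem.360safe.com/safe/", lambda u: RESPONSE_404))
```

The tracer stands in for the probing client: fed the captured 302 for every request, it goes from /safe/ to /safe/laneydefault.html and then sees that URL again on the next hop, which is the repeat-forever stream in the capture; fed a 404, it stops after the first request. The classifier is the same decision an application-layer filter in front of IIS would make: reject absolute-form request lines outright, and reject origin-form requests whose Host is not one the server actually serves.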