What could be causing heavy bursts of traffic from single IP address to old inactive URL

@Phylliss660

Posted in: #Botattack #WebTraffic

Looking at Google Analytics recently I noticed a strange phenomenon. For the past few weeks I had 3 unique users making 600 requests for a URL that is not being used anymore.

I investigated further by looking at some access logs, and I could see one of these bursts of requests. It's coming from a single IP address (using IE 10.0 on Windows 7) and making a legitimate request for an existing URL. But after that initial request, I see 10-27 requests for that old inactive URL, one request every second on average. After that there is another legitimate request for another URL, 10-27 requests for the old URL, etc., and the pattern repeats itself.

I contacted the company that the IP address belongs to, but couldn't get any reason for the odd requests. Could it be that their browser has some plugin or malware or something that is sending these bursts of requests when they visit my site? Has anybody seen anything like this before? Besides being just annoying in general, it's really messing up my Google Analytics.

Here's a sample from the log (I changed the domain name and some other stuff because they are really long):

193.183.71.20 - - [25/Nov/2014:01:41:55 -0600] "GET /swe/ HTTP/1.1" 200 14009 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
193.183.71.20 - - [25/Nov/2014:01:41:56 -0600] "GET /swe/a=3408 HTTP/1.1" 200 14050 "http://www.my-site/swe/" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
193.183.71.20 - - [25/Nov/2014:01:41:58 -0600] "GET /swe/a=3408 HTTP/1.1" 200 14050 "http://www.my-site/swe/a=3408" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
193.183.71.20 - - [25/Nov/2014:01:41:59 -0600] "GET /swe/a=3408 HTTP/1.1" 200 14050 "http://www.my-site/swe/a=3408" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
193.183.71.20 - - [25/Nov/2014:01:42:00 -0600] "GET /swe/a=3408 HTTP/1.1" 200 14050 "http://www.my-site/swe/a=3408" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
193.183.71.20 - - [25/Nov/2014:01:42:00 -0600] "GET /swe/a=3408 HTTP/1.1" 200 14050 "http://www.my-site/swe/a=3408" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
193.183.71.20 - - [25/Nov/2014:01:42:01 -0600] "GET /swe/a=3408 HTTP/1.1" 200 14050 "http://www.my-site/swe/a=3408" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
193.183.71.20 - - [25/Nov/2014:01:42:02 -0600] "GET /swe/a=3408 HTTP/1.1" 200 14050 "http://www.my-site/swe/a=3408" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
193.183.71.20 - - [25/Nov/2014:01:42:03 -0600] "GET /swe/a=3408 HTTP/1.1" 200 14050 "http://www.my-site/swe/a=3408" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
193.183.71.20 - - [25/Nov/2014:01:42:04 -0600] "GET /swe/a=3408 HTTP/1.1" 200 14050 "http://www.my-site/swe/a=3408" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
193.183.71.20 - - [25/Nov/2014:01:42:04 -0600] "GET /swe/a=3408 HTTP/1.1" 200 14050 "http://www.my-site/swe/a=3408" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
193.183.71.20 - - [25/Nov/2014:01:42:05 -0600] "GET /swe/a=3408 HTTP/1.1" 200 14050 "http://www.my-site/swe/a=3408" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
193.183.71.20 - - [25/Nov/2014:01:42:06 -0600] "GET /swe/a=3408 HTTP/1.1" 200 14050 "http://www.my-site/swe/a=3408" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
193.183.71.20 - - [25/Nov/2014:01:42:07 -0600] "GET /swe/a=3408 HTTP/1.1" 200 14050 "http://www.my-site/swe/a=3408" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
193.183.71.20 - - [25/Nov/2014:01:42:07 -0600] "POST /search-redirect.php HTTP/1.1" 302 - "http://www.my-site/swe/" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
193.183.71.20 - - [25/Nov/2014:01:42:08 -0600] "GET /swe/search/2014 HTTP/1.1" 200 14830 "http://www.my-site/swe/" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
193.183.71.20 - - [25/Nov/2014:01:42:09 -0600] "GET /swe/a=3408 HTTP/1.1" 200 14050 "http://www.my-site/swe/search/2014" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
193.183.71.20 - - [25/Nov/2014:01:42:09 -0600] "GET /swe/a=3408 HTTP/1.1" 200 14050 "http://www.my-site/swe/a=3408" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
193.183.71.20 - - [25/Nov/2014:01:42:10 -0600] "GET /swe/a=3408 HTTP/1.1" 200 14050 "http://www.my-site/swe/a=3408" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
193.183.71.20 - - [25/Nov/2014:01:42:11 -0600] "GET /swe/a=3408 HTTP/1.1" 200 14050 "http://www.my-site/swe/a=3408" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
193.183.71.20 - - [25/Nov/2014:01:42:12 -0600] "GET /swe/a=3408 HTTP/1.1" 200 14050 "http://www.my-site/swe/a=3408" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
193.183.71.20 - - [25/Nov/2014:01:42:13 -0600] "GET /swe/a=3408 HTTP/1.1" 200 14050 "http://www.my-site/swe/a=3408" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
193.183.71.20 - - [25/Nov/2014:01:42:14 -0600] "GET /swe/a=3408 HTTP/1.1" 200 14050 "http://www.my-site/swe/a=3408" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
193.183.71.20 - - [25/Nov/2014:01:42:15 -0600] "GET /swe/a=3408 HTTP/1.1" 200 14050 "http://www.my-site/swe/a=3408" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
193.183.71.20 - - [25/Nov/2014:01:42:15 -0600] "GET /swe/a=3408 HTTP/1.1" 200 14050 "http://www.my-site/swe/a=3408" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
193.183.71.20 - - [25/Nov/2014:01:42:16 -0600] "GET /swe/a=3408 HTTP/1.1" 200 14050 "http://www.my-site/swe/a=3408" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
193.183.71.20 - - [25/Nov/2014:01:42:17 -0600] "GET /swe/a=3408 HTTP/1.1" 200 14050 "http://www.my-site/swe/a=3408" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
193.183.71.20 - - [25/Nov/2014:01:42:18 -0600] "GET /swe/a=3408 HTTP/1.1" 200 14050 "http://www.my-site/swe/a=3408" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"


As you can see, there is one initial normal page request, followed by 13 weird ones. Then there's another legitimate request (I have a .htaccess rewrite that does a 302 redirect there, but that seems to work fine for the other 99.99% of the users, so that shouldn't have anything to do with anything).

The IP belongs to a legitimate and well-known company in Sweden who are among the site's target audience.


1 Comment


@LarsenBagley505

By and large these appear to be innocent. From the looks of things, other than the search POST, which appears as though it is more than likely legitimate, either the user is refreshing the page constantly, which depending on the site could be believable, or there is something wrong on the user's browser, such as malware on the machine or a browser reconfiguration, which is causing the browser to refresh constantly. The user agent string appears to be a legit IE sequence, although this can be spoofed, and the timeframe of one a second and a few spots of two a second also tends to make me think client-side glitch. This does not appear to be a genuine attack; more than likely someone has some malware on their machine and when they try to access a website the browser keeps refreshing on them.

I wouldn't be overly concerned at this point about it unless the constant refreshes start to affect your site's performance or you see more unusual or numerous POST requests.

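As an added example (not code from the question or the answer), the following Python script applies the kind of check both posts talk about to access-log lines in the format quoted above: it parses combined-format entries, groups them by client IP, flags runs of same-URL requests a second or so apart, and reports how many of those requests carry the URL itself as the Referer (the signature of a page reloading itself) together with the client's POST count, which the answer suggests watching. The sample lines, the IP 203.0.113.5 and the domain example.com are constructed to mirror the pattern in the question, not taken from the real log.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

# Apache "combined" format, the layout of the lines quoted in the question.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                    r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line; skipped by the caller
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_bursts(lines, min_len=5, max_gap=3.0):
    """Per client IP, collect runs of consecutive requests for the same path with at most
    max_gap seconds between neighbours; report runs of >= min_len with their Referer stats."""
    by_ip = {}
    for rec in filter(None, map(parse_line, lines)):
        by_ip.setdefault(rec["ip"], []).append(rec)
    bursts = []
    for ip, recs in by_ip.items():
        posts = sum(r["method"] == "POST" for r in recs)  # the answer says to watch POST volume
        run = []
        for r in recs + [None]:  # None is a sentinel that flushes the last run
            if run and r and r["path"] == run[-1]["path"] \
                    and (r["time"] - run[-1]["time"]).total_seconds() <= max_gap:
                run.append(r)
                continue
            if len(run) >= min_len:
                span = (run[-1]["time"] - run[0]["time"]).total_seconds()
                bursts.append({"ip": ip, "path": run[0]["path"], "count": len(run),
                               "self_referred": sum(urlsplit(x["referer"]).path == x["path"] for x in run),
                               "mean_gap": span / (len(run) - 1), "client_posts": posts})
            run = [r] if r else []
    return bursts

def sample_lines():
    """Constructed excerpt reproducing the question's pattern (placeholder IP and domain)."""
    ua = '"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"'
    site, ip = "http://www.example.com", "203.0.113.5"
    def ln(sec, method, path, status, ref):
        return f'{ip} - - [25/Nov/2014:01:41:{sec:02d} -0600] "{method} {path} HTTP/1.1" {status} 1400 "{ref}" {ua}'
    lines = [ln(0, "GET", "/swe/", 200, "-"), ln(1, "GET", "/swe/a=3408", 200, site + "/swe/")]
    lines += [ln(2 + i, "GET", "/swe/a=3408", 200, site + "/swe/a=3408") for i in range(8)]
    lines += [ln(10, "POST", "/search-redirect.php", 302, site + "/swe/"),
              ln(11, "GET", "/swe/search/2014", 200, site + "/swe/")]
    return lines
```

Run `find_bursts(open("access.log").read().splitlines())` against a real log to list the bursts; a burst whose requests are almost all self-referred, at about one per second, is the refresh-loop pattern from the question rather than a crawler or a scripted client.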