
Same IP Same Time Two Devices

@Courtney195

Posted in: #IpAddress

Below is the same IP logged in at the exact same time on two different devices. I see this all through my site (with different IPs and having something to do with CFNetwork). I have blocked CFNetwork from getting anything but a 403, but what is happening with the other UA that's getting what they request? How are they doing this? Two CPUs at once? I can't figure it out. Thanks for any help.

99.118.18.150 - - [13/May/2017:14:19:29 -0500] "GET / HTTP/1.1" 200 31268 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/603.1.30 (KHTML, like Gecko)"
99.118.18.150 - - [13/May/2017:14:19:30 -0500] "GET /apple-touch-icon-precomposed.png HTTP/1.1" 403 1044 "-" "Safari/12603.1.30.0.34 CFNetwork/811.4.18 Darwin/16.5.0 (x86_64)"
99.118.18.150 - - [13/May/2017:14:19:30 -0500] "GET /apple-touch-icon.png HTTP/1.1" 403 1032 "-" "Safari/12603.1.30.0.34 CFNetwork/811.4.18 Darwin/16.5.0 (x86_64)"
99.118.18.150 - - [13/May/2017:14:19:30 -0500] "GET / HTTP/1.1" 200 31268 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) AppleWebKit/602.1.38 (KHTML, like Gecko) Version/10.0 Mobile/14A300 Safari/602.1"
99.118.18.150 - - [13/May/2017:14:19:30 -0500] "GET /apple-touch-icon-precomposed.png HTTP/1.1" 403 1044 "-" "Safari/12603.1.30.0.34 CFNetwork/811.4.18 Darwin/16.5.0 (x86_64)"
99.118.18.150 - - [13/May/2017:14:19:30 -0500] "GET /apple-touch-icon.png HTTP/1.1" 403 1032 "-" "Safari/12603.1.30.0.34 CFNetwork/811.4.18 Darwin/16.5.0 (x86_64)"


One other thing, in the example above with the 200; what page are they asking for (see above and below)? These have no requests that I see.

99.118.18.150 - - [13/May/2017:14:19:29 -0500] "GET / HTTP/1.1" 200 31268 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/603.1.30 (KHTML, like Gecko)


3 Comments


@Alves908

How are they doing this? Two CPUs at once?


If the confusion is how is the same IP address being used by two (or more) seemingly different devices (or servers), then this will happen for all devices behind the same NAT, from small home networks to large company office blocks. All these devices share the same external IP address, but communicate on a different port. The remote port does not seem to be shown in your access log, but this can be enabled with the %{remote}p format string if desired.


in the example above with the 200; what page are they asking for? These have no requests that I see.


The log entry shows the first line of the request headers:


"GET / HTTP/1.1"


This contains the URL-path: a single slash (/), i.e. example.com/ (the document root).


@Lee4591628

Found this (see below). So it seems to be from one device.

The Mobile Safari for example try to download the touch or favicon's from a website

"GET /apple-touch-icon-precomposed.png HTTP/1.1" 404 89 "-" "MobileSafari/9537.53 CFNetwork/672.0.8 Darwin/14.0.0"
"GET /apple-touch-icon.png HTTP/1.1" 404 89 "-" "MobileSafari/9537.53 CFNetwork/672.0.8 Darwin/14.0.0"
"GET /favicon.ico HTTP/1.1" 404 89 "-" "MobileSafari/9537.53 CFNetwork/672.0.8 Darwin/14.0.0"


While the Mobile Safari retrieve the Website HTML with another User Agent String

"GET / HTTP/1.1" 200 5474 "-" "Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53"


Other iOS Apps did this in the same way, the Mercury Browser for example sends the same request like the Mobile Safari, with a first token Mercury/Version.

From - user-agents.me/cfnetwork-version-list

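An added illustration of the two answers above (the request line explained by @Alves908 and the CFNetwork icon fetches described by @Lee4591628), not code from any poster: it parses combined-format log lines and counts, per client IP, how many CFNetwork icon requests land within two seconds of a browser page load. The sample lines, the documentation IPs and the two-second window are assumptions; a shared NAT address can still hide several devices, so the pairing is a heuristic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in combined log format. The user-agent strings are the ones
# quoted in the thread; the IPs are documentation addresses, not real clients.
MAC = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/603.1.30 (KHTML, like Gecko)'
IOS = ('Mozilla/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) AppleWebKit/602.1.38 '
       '(KHTML, like Gecko) Version/10.0 Mobile/14A300 Safari/602.1')
CFN = 'Safari/12603.1.30.0.34 CFNetwork/811.4.18 Darwin/16.5.0 (x86_64)'
T = '13/May/2017:14:19'
SAMPLE = [
    f'203.0.113.7 - - [{T}:29 -0500] "GET / HTTP/1.1" 200 31268 "-" "{MAC}"',
    f'203.0.113.7 - - [{T}:30 -0500] "GET /apple-touch-icon-precomposed.png HTTP/1.1" 403 1044 "-" "{CFN}"',
    f'203.0.113.7 - - [{T}:30 -0500] "GET /apple-touch-icon.png HTTP/1.1" 403 1032 "-" "{CFN}"',
    f'203.0.113.7 - - [{T}:30 -0500] "GET / HTTP/1.1" 200 31268 "-" "{IOS}"',
    f'198.51.100.9 - - [{T}:55 -0500] "GET /favicon.ico HTTP/1.1" 403 1032 "-" "{CFN}"',
    'truncated line that does not parse',
]
LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) '
                     r'[^"]+" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
ICON_RE = re.compile(r'^/(apple-touch-icon[^/]*\.png|favicon\.ico)$')

def parse(line):
    """Return a dict for one log line, or None if it is malformed."""
    m = LINE_RE.match(line)
    return {**m.groupdict(), 'ts': datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')} if m else None

def classify(rec):
    """Separate CFNetwork icon probes from browser page requests."""
    if ICON_RE.match(rec['path']):
        return 'icon-fetch' if 'CFNetwork/' in rec['ua'] else 'other'
    return 'page-load' if rec['ua'].startswith('Mozilla/') else 'other'

def correlate(lines, window=timedelta(seconds=2)):
    """Per IP: count icon fetches that fall within `window` of a page load."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        by_ip[rec['ip']].append(rec)
    report = {}
    for ip, recs in by_ip.items():
        pages = [r for r in recs if classify(r) == 'page-load']
        icons = [r for r in recs if classify(r) == 'icon-fetch']
        near = sum(any(abs(i['ts'] - p['ts']) <= window for p in pages) for i in icons)
        report[ip] = {'page_paths': sorted({p['path'] for p in pages}), 'page_loads': len(pages),
                      'icon_fetches': len(icons), 'icon_fetches_near_page_load': near}
    return report
if __name__ == '__main__':
    print(correlate(SAMPLE))
```

An icon fetch with no nearby page load from the same IP, like the second address in the sample, is the case that does not fit the browser pattern and is worth a closer look.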


 

@Speyer207

It's clearly two bots, running from the same server, one for desktop, one for mobile. Personally, I'd focus more on the improvement of the content than worrying about things like these, they are not important and your hosting should be good enough to handle bots. It's impossible to block them all... they just change IP address and user agent.
