: What are these many requests referred from Facebook with a changing s= parameter? I just recognised a peak in our access logs and I'm curious how to explain this or if my suggestion how to
I just recognised a peak in our access logs and I'm curious how to explain this or if my suggestion how to explain is right.
There about 600 requests in 3 minutes with a referrer like this:
l.facebook.com/l.php?u=http%3A%2F%2Fwebsite.tld%2F%3Fs%3D23842660217050537&h=ATPGZAKFqpZ7hfY6SgKTDAE3WGgI7-kgN1nq8GtniXf-mxzE8aeMvjTbcze7mNvbjYZrOI5FDHiZa-VwQiW3_jN_sndIh71MOAg5yYrOFoo
The number in the s= parameter within the u= parameter, in this case 23842660217050537, is changing every request. (The s= parameter has no function on the website).
My guess is that somebody is posting many URLs with the changing s parameter in a Facebook chat or post window to make these requests. Maybe to crawl something or maybe DDoS the website. BUT the request on our site even executes the JavaScript and gets tracked by Google Analytics, in addition to this the user-agent and the request language changes with every request. The IP Range those requests where made from are Facebook owned addresses.
Isn't facebook doing a rate limiting for those requests?
Is this some kind of extremely ineffective reflection attack or more likely an attempt to crawl our website with requesting the same page?
More posts by @Holmes151
1 Comments
Sorted by latest first Latest Oldest Best
l.facebook.com is part of facebook's link shim tool. Basically there are two aspects to this, firstly if someone shares a page on Facebook then Facebook servers will do a quick near real time crawl of the page to get relevant information to show as part of the share and then display it to the end user doing the share as a live preview of what their share will appear like to readers of the relevant feed.
The second part of link shim is that all outbound links from Facebook are funneled through an anonimising script at l.facebook.com in order to defeat referer header tracking. This is done for account security as the URL when a person is browsing facebook often contains unique information identifying that particular user which "could" be used for nefarious purposes. As such when you click on a link associated with a share on Facebook the connection is first routed through link shim at l.facebook.com with a unique token identifying the link to redirect to and a random unique token to confirm that it was initiated by someone from within Facebook, at which point the browser is then redirected to the appropriate external link, but with a referer of l.facebook.com without any identifying information that could identify the users Facebook account.
As both aspects are funneled through link shim, both the pre-fetching and the outbound linking it is hard to say exactly which part is hitting your site but based on your question saying that the referer is showing up as l.facebook.com this would appear to be a part of link shim and mean that someone has shared the page or pages from your site on Facebook and a lot of people have clicked on it in a short period of time.
More information about Facebook's link shim tool can be found at www.facebook.com/notes/facebook-security/link-shim-protecting-the-people-who-use-facebook-from-malicious-urls/10150492832835766/
Terms of Use Create Support ticket Your support tickets Stock Market News! © vmapp.org2024 All Rights reserved.