Some one keep "hitting" index page, but not other pages

  • flamey
  • Born
  • Born
  • flamey
  • Posts: 4

Post 3+ Months Ago

A month ago I noticed hike in hits on my forum, from 1500-2000 a day to 8000-10000+. Without any visible change in hosts, registrations or activity on the forum. After looking through the counter stats, and raw access logs, it looks like one single IP keeps knocking into the forum's root - http forum . xxxxxxx . org

here's a typical raw access log line:
Code: [ Select ]
85.xxx.xxx.xxx - - [12/Jan/2010:16:23:30 -0500] "GET /?sid=580eccd99d3830f0b109d1d797b4742d HTTP/1.1" 200 26067 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.2.15 Version/10.10"
I pulled all lines for this IP from raw access log to see what resources are being accessed (this is for half day log):
Code: [ Select ]
4332  /
4    /viewforum.php
4    /favicon.ico
4    /images/rss-feed-10x10.png
4    /viewtopic.php
3    /templates/NoseBleed/NoseBleed.css
3    /templates/NoseBleed/NoseBleed.js
2    /templates/NoseBleed/translit2.js
2    /templates/NoseBleed/sel2reply.js
2    /templates/NoseBleed/show_layer.js
1    /viewonline.php
1    /login.php
1    /index.php
  1. 4332  /
  2. 4    /viewforum.php
  3. 4    /favicon.ico
  4. 4    /images/rss-feed-10x10.png
  5. 4    /viewtopic.php
  6. 3    /templates/NoseBleed/NoseBleed.css
  7. 3    /templates/NoseBleed/NoseBleed.js
  8. 2    /templates/NoseBleed/translit2.js
  9. 2    /templates/NoseBleed/sel2reply.js
  10. 2    /templates/NoseBleed/show_layer.js
  11. 1    /viewonline.php
  12. 1    /login.php
  13. 1    /index.php
Thus, single "user" (script i assume) just keeps accessing the root, where is just list of forum sections, no other content.

As I understad it's too few hits for a typical DDoS attack, even though at some point phpBB2 (updated to the latest version) was giving up with error about too many DB connections - I saw it once myself, even though noone complaned yet. they're no accessing login.php, so it's not bruteforce password trys. and viewtopic.php isn't accessed, so it's not content stealing.

so what's going on? what they could possibly want, and how would I fight it?


I did blocked the IP once, but the next day it resumed with different IP from different country. Though, I blocked it again last night, and it seems to stop for now.
  • Anonymous
  • Bot
  • No Avatar
  • Posts: ?
  • Loc: Ozzuland
  • Status: Online

Post 3+ Months Ago

  • Don2007
  • Web Master
  • Web Master
  • Don2007
  • Posts: 4924
  • Loc: NY

Post 3+ Months Ago

Why didn't you post the IPs? Someone is attacking you & you're protecting them. I don't understand that.
  • flamey
  • Born
  • Born
  • flamey
  • Posts: 4

Post 3+ Months Ago

will knowing it help you with suggestions?

I'm not protecting them. I've got all the info on the IP i could get - country, service provider, ..
  • Don2007
  • Web Master
  • Web Master
  • Don2007
  • Posts: 4924
  • Loc: NY

Post 3+ Months Ago

You still didn't answer my question as to why you censored the IPs. Instead you asked me a question. Forget about it now. I'll let someone else answer.
  • joebert
  • Fart Bubbles
  • Genius
  • User avatar
  • Posts: 13502
  • Loc: Florida

Post 3+ Months Ago

I'm not sure if this is what's happening, but since I use Opera daily this makes sense to me. :)

That version of Opera has a feature called speed dial. It's basically a built-in tab that displays thumbnails of your favorite websites.

What that link doesn't show you, is that when you right-click these thumbnails there is a context-menu option labeled "Reload Every". Generally, Opera caches a screenshot of the website so it doesn't need to download the website every time the user opens a new tab, but that reload every option makes it possible to have Opera automatically refresh that screenshot every X seconds or minutes.

If the user already has the resources the page uses cached using long term expires/etc headers, there's no reason for Opera to re-download those resources when it refreshes the screenshot, it would only need to request the page being displayed in the thumbnail.

I think this might be what's happening in your case. The way I would find out is by creating an HTML page explaining all of this and then redirecting all requests from that IP to this special page.

Hopefully the user will notice something different next time they open their speed dial (maybe use bright colors or something to grab their attention) then read it and look into their "reload every" time.

Post Information

  • Total Posts in this topic: 5 posts
  • Users browsing this forum: No registered users and 1 guest
  • You cannot post new topics in this forum
  • You cannot reply to topics in this forum
  • You cannot edit your posts in this forum
  • You cannot delete your posts in this forum
  • You cannot post attachments in this forum
 
 

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.