On Fri, Oct 31, 2008 at 04:58:48PM -0700, Linnea Wren wrote:
>
> I've been doing packet captures, and visually assessing/monitoring other
> counters on the box to try to get a clue as to what, exactly, is the
> problem. Windows performance monitor shows incoming traffic to be minimal
> (1-4% bandwidth utilization), outgoing traffic to be variable (brief
> spikes up to 100% utilization, more commonly ranging around in the 10-50%
> utilization range).
How about the CPU utilisation and disk IO?
[...]
> In one file of 101,428 packets, this kind of traffic accounts for
> approximately 25% of IP conversations, and 50% of TCP streams.
That's a big waste of your bandwidth and webserver capacity...
> A typical example of one of these streams is:
>
> Client:
> -GET http://updatem.360safe.com/safe/laneydefault.html HTTP/1.1
Tha fact that the hostname is in the GET request means that the
client initiating this request was indeed configured to use a
proxy. A normal (direct) request would look like:
GET /safe/laneydefault.html HTTP/1.1
Host: updatem.360safe.com
...
> -HTTP/1.1 302 Object moved
> -Date: Fri, 31 Oct 2008 17:27:38 GMT
> -Server: Microsoft-IIS/6.0
> -P3P: CP="CAO PSA OUR CUSa"
> -X-Powered-By: ASP.NET
> -Location: laneydefault.html
> -Content-Length: 138
> -Content-Type: text/html
> -Cache-control: private
> -<head><title>Object moved</title></head>
> -<body><h1>Object Moved</h1>This object may be found <a
> HREF="laneydefault.html">here</a>.</body>
I would try to make IIS drop connections to unknown hosts, instead
of replying with a redirect. Or at least answer with a 404.
> In that particular stream, the same request & response are repeated over
> and over for 1,282 packets in 3.5 minutes.
That's because of the redirection with a relative URL instead of an
absolute URL.
Say someone has "accidently" configured your server as their proxy
and requests http://updatem.360safe.com/safe/, your IIS is now
telling it that the object has moved to
http://updatem.360safe.com/safe/laneydefault.html which again results in
a redirect to http://updatem.360safe.com/safe/laneydefault.html and so
on. You have created a loop which will of course swamp the server,
depending on the speed at which the client can issue the requests.
> Source IP addresses are all over the place - I can't block this at our
> firewall.
>
> The server has Cisco's Security Agent, but so far I haven't figured out if
> there's a way to configure a rule to drop this traffic.
If you have an IDP, you might be able to create a ruleset that allows
requests with a header like "Host: yoursite.com" and blocks all other
requests. Or maybe some application layer filter in your firewall might
be able to do that.
> So, is this evidence that people are trying to proxy through us? If not,
> what then? I feel I could google for how to remediate this much more
> effectively if I had a better idea of what search terms would be
> applicable...
Yes, it seems like there are people probing your webserver to see
whether it is an open proxy. I'm not a webmaster, but I can imagine that
that's "normal" traffic these days :( The real problem I think is the
loop that the 302 is creating. Have your server issue a 404 for every
unknown site and I think you will see an improvement in your servers
reachability.
Cheers,
Sake
