Re: [Sks-devel] Dealing with abusive clients

[Kristian Fiskerstrand]

On July 20, 2017 7:18:52 PM GMT+02:00, Valentin Sundermann <address@hidden> 
wrote:
>>>> Here's a quick excerpt from the logs:
>>>> 216.241.59.205 - - [20/Jul/2017:14:46:51 +0000] "GET / HTTP/1.1"
>200
>>>> 5285 "-" "-"
>>>> 216.241.59.205 - - [20/Jul/2017:14:46:53 +0000] "GET / HTTP/1.1"
>200
>>>> 5285 "-" "-"
>>>> 216.241.59.205 - - [20/Jul/2017:14:46:56 +0000] "GET / HTTP/1.1"
>200
>>>> 5285 "-" "-"
>>>> 216.241.59.205 - - [20/Jul/2017:14:46:58 +0000] "GET / HTTP/1.1"
>200
>>>> 5285 "-" "-"
>>>>
>>>> This particular client is making continuous requests for the main
>page
>>>> of my server every 2-3 seconds. They're not making any queries for
>keys,
>>>> submitting keys, etc., but are only requesting the main page.
>>>>
>>>> This has been going on since at least the 15th of July.
>>>>
>>>> I haven't observed any other odd traffic, so it seems unlikely that
>a
>>>> botnet is involved. Maybe a script that has gone awry?
>
>I see these requests too, but from a different IP. I noticed them 1-2
>months ago but wasn't able to find the origin of these requests (they
>got sorted into a general logfile because of the "missing" Host field).
>
>The IP that is querying my server belongs to Amazon's AWS. Requests
>look
>the same, every 2 seconds a "GET /".
>
>
>>> There might be a clue in the host header if you could log that? I
>use
>>> this nginx config to do that (and not log the client IP)
>> 
>> Good idea. I'll see if I can tweak the logs.
>
>I log HTTP Host headers and it uses localhost in each requests. Still
>no
>idea what this could be.
>
>Best regards,
>Valentin Sundermann

Ditto, I'm also seeing similar requests from amazon ec2 
--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP certificate at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3