In January I had this ip address make 2600 requests for mydomain.com/a within a couple of minutes. Today same IP address requested mydomain/a 8600 times. They then came back and took 244 pages, mostly same pages over and over again. The reffer for the IP has been disabled and its from a european IP block.
I just blocked the IP, but I am sitting here wondering what would be the purpose ? Since its directed at "mydomain" and not just an IP is this an attempt to crash my server?
If they are, then you are being hit by a server infected with the NIMDA virus looking for another server to infect. If you're not hosted on NT/IIS then you don't need to worry, but it is a waste of bandwidth and makes the logs a pain to go through.
It looks like a person running a bot at me. I dug into my logs and found this order of things.
IP address XX.XX.XX.XX does a search on google.com.pl on a keyword (I see the refer in the logs). They are using IE6 , WIN NT and they view a few pages like a user would.
Then a minute or so later the same IP sends a bot that grabs up pages "244 today repeating the same pages" while that is happening it is also making a bad request for "http://mydomain.com/a" 8600 of that bad request today. All that happens in less then 5 minutes.
I was visted twice in January and today was the first for February.
Whats funny is the keywords they are used. One is a two word phrase that I sit at number 4 out of 500,000. But the other is a one word search that I sit at 470 out of 2 million. They clicked that link at 470.
But in total today 8900 requests to the server in less then 5 minutes is a bit much.
It's kind of difficult to say what they're up to, as a DOS it's a pretty feeble attempt, maybe it's just a bad script. Is there some reason why you don't just ban them if it's the same IP doing the damage?
I banned them earlier today. This one is just wierd,and I am a little paranoid. Your right it would be a pretty weak DOS attack. Where I live when the ground moves you tend to brace yourself for a serious shaking.