A common situation is that a site is hit by several IPs, one after the other or simultaneously, in an attempt to seek out weaknesses or inject viruses into databases. Often they hit several sites within a short time, often several per second.
In the current case the site was hit by a number of IPs at random intervals between 10 and 30 seconds, making it look "human". The IPs, however, were forwarded through a proxy - a single IP which seemed to be a single compromised broadband location in Ireland.
The attack wasn't prolonged. It went through a dozen or so pages (response 200) and then gave up after a few 403s after it hit a trap which blocked the proxy IP. Whatever it was took pages, CSS, JS and pics - a typical browser.
The situation would probably have gone unnoticed except that it was brought to my attention by (presumably) the bot's human driver. I present a 403 response page to possibly-human bots that includes a report form. I get perhaps half a dozen a week from these across about 80 sites, usually from form spammers or auto-submit bots but once in a while genuine. In this case the form was submitted with an obvious human complaining of being blocked from the web site.
As usual I began to check out the report: unlike typical form spammers this one had an email address to respond to, albeit yahoo, and was not advertising anything. As I began to work through the problem in the logs I found the strange results that led to the botnet conclusion.
And yet... As I began to check a few of the forwarded-for IPs things began to look stranger still. First suspicion was raised because one IP was from a US MIL domain, albeit probably broadband (and, of course, although worrying, we know the military has been compromised before). The next couple were pretty ordinary, but then I got a couple from IANA Reserved and Unallocated blocks. And that should not happen if it were a simple botnet.
A further oddity was the referer, which comprised false domains in each of four new attempts (including the report form; one referer was actually an IP). After the first referer in each new access group the others within the group were genuine in-site ones.
My current conclusion is that a single operator, possibly even the proxy machine's real (and hence uncompromised) owner was just feeding random IPs into the proxy. To what purpose I have no idea. It seems likely that it was indeed a real person using a real browser through a jiggered proxy, probably on a windows machine judging by the UA. Where the referers came in I don't know.
I had previously not bothered to include "dead" IANA blocks in my IP blocklist. I do now!
Proxy IP: 86.47.33.nnn
Date: 16/Dec/2009
UA: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 1.1.4322)
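An added example, not code from the post or its author, that turns the three checks the post works through by hand into something you can run over a log: are the addresses in X-Forwarded-For ones that can never be a real client (RFC 1918, IETF reserved, loopback and similar special-purpose ranges), how many distinct "clients" does one connecting address claim to front within a short window, and how many requests arrive with an off-site referer. It assumes the combined log format with the X-Forwarded-For header appended as a final quoted field (Apache `"%{X-Forwarded-For}i"`) and a site hostname of www.example.org; the log lines and every address in them are constructed, the proxy being a TEST-NET address rather than the one in the post.

```python
"""Spot X-Forwarded-For spoofing behind a single upstream address.

Added example, not code from the original post. Assumes the combined log format
with the X-Forwarded-For header appended as a final quoted field, and a site
hostname of www.example.org. All traffic below is constructed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$'
)
OUR_HOSTS = {"www.example.org"}  # assumed: hostnames that count as in-site referers

# Constructed sample: one proxy (a TEST-NET address, so itself fictional) that
# names a different client on nearly every request, two of them from blocks that
# can never be a real client (RFC 1918 private space and the reserved 240/4 block).
SAMPLE_LOG = """\
203.0.113.9 - - [16/Dec/2009:10:12:01 +0000] "GET / HTTP/1.1" 200 5120 "http://bogus-referer.invalid/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" "8.8.8.8"
203.0.113.9 - - [16/Dec/2009:10:12:19 +0000] "GET /site.css HTTP/1.1" 200 880 "http://www.example.org/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" "8.8.8.8"
203.0.113.9 - - [16/Dec/2009:10:12:44 +0000] "GET /about.html HTTP/1.1" 200 4100 "http://www.example.org/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" "10.44.2.9"
203.0.113.9 - - [16/Dec/2009:10:13:02 +0000] "GET /news.html HTTP/1.1" 200 3900 "http://www.example.org/about.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" "240.10.10.10, 1.1.1.1"
203.0.113.9 - - [16/Dec/2009:10:13:30 +0000] "GET /trap.html HTTP/1.1" 403 512 "http://198.51.100.77/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" "1.1.1.1"
"""

# Checked in this order so that e.g. 127.0.0.1 reports 'loopback' rather than the
# broader 'private' (Python's is_private also covers several special-purpose ranges).
SPECIAL_CHECKS = ("is_loopback", "is_link_local", "is_multicast",
                  "is_reserved", "is_unspecified", "is_private")


def classify(ip_text):
    """'global' for a publicly routable address; otherwise why it cannot be a real client."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "malformed"
    if ip.is_global:
        return "global"
    for attr in SPECIAL_CHECKS:
        if getattr(ip, attr):
            return attr[3:]          # "is_private" -> "private"
    return "special-purpose"         # in the IANA registry but none of the flags above


def parse(log_text):
    """Parse log lines into dicts; the XFF field may be a comma-separated chain."""
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                 # not in the expected format: skip rather than guess
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["forwarded"] = [p.strip() for p in rec["xff"].split(",")
                            if p.strip() and p.strip() != "-"]
        records.append(rec)
    return records


def referer_is_offsite(referer):
    """True for a referer naming a host other than ours (fake domains, bare IPs)."""
    if not referer or referer == "-":
        return False
    return urlparse(referer).hostname not in OUR_HOSTS


def analyse(records, window_s=120, min_clients=3):
    """Group by the connecting (proxy) address and decide whether it is spoofing XFF.

    Only the connecting address is trustworthy, so that is the key to block on;
    the forwarded addresses are evidence, never an identity.
    """
    groups = defaultdict(lambda: {"forwarded": set(), "bogons": {},
                                  "offsite_referers": 0, "first": None, "last": None})
    for r in records:
        g = groups[r["client"]]
        ts = datetime.strptime(r["ts"], "%d/%b/%Y:%H:%M:%S %z")
        g["first"] = ts if g["first"] is None else min(g["first"], ts)
        g["last"] = ts if g["last"] is None else max(g["last"], ts)
        if referer_is_offsite(r["referer"]):
            g["offsite_referers"] += 1
        for ip in r["forwarded"]:
            g["forwarded"].add(ip)
            kind = classify(ip)
            if kind != "global":
                g["bogons"][ip] = kind

    verdicts = {}
    for proxy, g in groups.items():
        span = (g["last"] - g["first"]).total_seconds()
        many_clients = len(g["forwarded"]) >= min_clients and span <= window_s
        reasons = []
        if g["bogons"]:
            reasons.append("non-routable addresses in X-Forwarded-For: " +
                           ", ".join(f"{ip} ({why})" for ip, why in sorted(g["bogons"].items())))
        if many_clients:
            reasons.append(f"{len(g['forwarded'])} distinct forwarded clients in {span:.0f}s")
        if g["offsite_referers"]:
            reasons.append(f"{g['offsite_referers']} requests with off-site referers")
        verdicts[proxy] = {"suspect": bool(g["bogons"]) or many_clients,
                           "reasons": reasons, "bogons": g["bogons"],
                           "forwarded": sorted(g["forwarded"]),
                           "offsite_referers": g["offsite_referers"]}
    return verdicts


if __name__ == "__main__":
    for proxy, v in analyse(parse(SAMPLE_LOG)).items():
        print(proxy, "SUSPECT" if v["suspect"] else "ok")
        for reason in v["reasons"]:
            print("  -", reason)
```

Two caveats worth keeping in mind when running this on real logs. First, `is_global` only knows the IANA special-purpose registry built into Python (private, reserved, loopback, documentation and the like); it has no idea which blocks were unallocated on a given date, so catching the "dead" blocks the post mentions means feeding a maintained bogon list alongside it. Second, the whole X-Forwarded-For field is written by whoever connects to you, so it should only ever be believed when the connecting address is one of your own trusted proxies; for anyone else it is, as here, a fingerprint of their behaviour and the block goes on the connecting address.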