Speaking of blocking VPN's.

Forum Moderators: open

Message Too Old, No Replies

Speaking of blocking VPN's.

User-Agent Workstream?

SumGuy

11:32 pm on Feb 15, 2024 (gmt 0)

I got what looked like a legit hit today from 85.255.25.153. At first glance it's a hit from Kenya. Spur tells me that it's the Cato Network VPN. This looks like the first hit ever seen from any Cato IP. The hit is just to my landing page, but it asks for all the right files, no further clicking around my site. No referrer. But the user-agent is this:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 WorkStream/120.1.6099.268 Safari/537.36

Workstream?

A new string fragment to add to my user-agent blocking strategy?

Cato Networks is AS13150, about 37K IP's (35 aggregated CIDR's) of which, turns out, I was blocking none of them. I'm going to put these IP's in my block-and-log list (any hits from these IP's get silently dropped in the router, any humans behind the hits will get browser time-outs).

martinibuster

5:12 am on Feb 17, 2024 (gmt 0)

Interesting! If I were to speculate I'd say that WorkStream might be related to a software or for monitoring a worker, like WorkStream is the app that tracks the worker who is out to spam or whatever. I used to see referrals that indicated the person was clicking on a link from a dashboard behind a login.

SumGuy

12:51 pm on Feb 20, 2024 (gmt 0)

Now that I'm dropping 85.255.25.153 in my router, today I see a sequence of alternating port-80 and port-443 hits from that IP.

24 hits that have geometrically increasing time interval between hits over a 46 second time-span. I don't think this is normal behavior for a browser trying to reach an unresponsive website.