Welcome to WebmasterWorld Guest from 220.127.116.11
Forum Moderators: phranque
The user Agent is always one of 4:
And one very specific french version of Firefox
[edited by: phranque at 12:37 pm (utc) on Mar. 5, 2008]
[edit reason] IPs removed. See TOS [webmasterworld.com] [/edit]
Or it could be referrer spam: trying to make enough requests to get to the top of your referring sites list (and thus create a linkback to their sites), if you publish your site stats publicly. They wouldn't know or care if you publish the stats; it's automated, so they can just hit a lot of sites with a lot of requests and hope some of them will have an effect.
But really, for either of those, 1000 per second is an awful lot, and RFI attacks are usually more creative than hitting the same page over and over.
I've had some similar situations (nowhere near that many hits, though) where I figured it was someone trying unsuccessfully to learn how to use wget, or someone trying to write their own crawler and it went haywire for a while, unattended.
Do a WhoIs search on some of the IPs. See if the ones that are close together are related, such as at the same hosting co.
Also see if you can find any relationship among the ones that aren't close together.
If they trace to websites rather than ISP's, they might be hacked sites that have been taken over to work as malicious crawlers. I'd guess it's a botnet.
Maybe check some of them to see if they are "badware-flagged" in Google.
Basically, all that is just if you're still curious about what's going on and want to check into it further.
Java is some sort of crawler application like wget. I've never seen it used legitimately, so if you get tired of adding IPs to the firewall, the easiest way to reduce your bandwidth consumption by these is to block requests where the U-A contains Java.
Another idea I had was that, maybe some programming newbie made an "app that tells you your IP", and it does this just buy loading my site (its one of those whats my ip sites) over and over. So maybe the IPs are just regular users who don't realize they are using super #*$!ty software. However I haven't seen anything like this so who knows.
Works very well.
Also I believe when this started, I looked up many of the IPs and they were coming from all over the world.
The IP i JUST firewalled a sec ago was from peru. just looked up another at random, from canada. Hers a group from new zealand. And another from the netherlands. So I don't think blocking by local is going to work. If it is a 'freeware', I need to find it and get it pulled (since it doesn't work anyway, it gets nothing but 403). If its an attack, its not doing any harm but making my access logs huge and being extremely annoying.
OS X Server it turns out does have this adaptive firewall that could be great if I could figure out how to access it myself. I could have php send it these IPs and it would automatically block them for 15 minutes then remove them. Then if they're still at it, block them again :-)
Meanwhile I still never figured out where these hits are coming from. I'm assuming its some crappy java app that "tells you your IP". I can't think of anything else, but I also haven't seen anything solid. And it strange that the hits still come, even though they don't get anything. Even before I firewall them, they are getting nothing but 403 pages. Strange stuff. Oh well.