How reliable is the IP address recorded in Apache access logs?

Posted on 2024-09-29 17:44:11

My website is suffering from an apparent bot which GETs a particular URL 5 times within a second, waits exactly 2 minutes, then repeats. The request is coming from the same IP address each time, and I have not observed any malicious payload, so I'm undecided on whether it is some form of spam bot. The User-Agent claims to be IE6, which is always suspicious in such an obviously non-human request pattern.

Anyway, I have done a reverse lookup on the IP and have located a contact at that domain, but am I wasting my time trying to get in touch with them? If it's a spam bot, won't the IP address be spoofed? How common is IP address spoofing in HTTP spammers? Does the HTTP protocol make it difficult in any way?

Comments (2)

酷遇一生 2024-10-06 17:44:11

If you spoof the IP, you won't get any response to your http request. Other than that, the http protocol doesn't make spoofing any easier or harder.

However, the IP address will be that of the last proxy server or load balancer between the source and your server, so if it is malicious, I would expect they're going through some open proxy and you won't easily be able to trace them back.

If it's just accidental misconfiguration, you're in with more of a chance.

Does the URL they are returning exist on your site?

Can you configure your web server to return an error (401 Forbidden, 500 Internal server error, 301 permanent redirect, perhaps) only to GETs from that address? If the other end starts getting errors maybe they'll investigate and fix things.

℉服软 2024-10-06 17:44:11

You should contact the persons in charge of the domain. Usually, the IP address won't be spoofed (that's hard). Most probably, one of their computers got infected by malicious software, and they definitely want to know that. It's more about doing a favour to them than about your own network security.
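
One way to confirm the request pattern described in the question from the access log itself, as an added example that is not part of the original thread: it groups GETs by logged client address and URL, finds bursts of 5 within a second, and reports clients whose bursts recur on a fixed interval. The log lines, addresses and function names are constructed for illustration; as the first answer notes, the logged address is that of the last proxy or load balancer in front of the server, so a match identifies that hop.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev
# Apache common/combined log prefix: host ident user [time] "METHOD path proto"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*"')

def parse(lines):
    """Yield (client_ip, method, path, timestamp) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield m.group(1), m.group(3), m.group(4), ts

def find_periodic_bursts(lines, burst_size=5, burst_window=1.0, min_bursts=3, jitter=2.0):
    """Return {(ip, path): period_seconds} for clients repeating a burst on a fixed timer."""
    hits = defaultdict(list)
    for ip, method, path, ts in parse(lines):
        if method == "GET":
            hits[(ip, path)].append(ts.timestamp())
    found = {}
    for key, times in hits.items():
        times.sort()
        bursts, i = [], 0
        while i < len(times):
            j = i  # extend j while requests stay inside the burst window
            while j + 1 < len(times) and times[j + 1] - times[i] <= burst_window:
                j += 1
            if j - i + 1 >= burst_size:
                bursts.append(times[i])
            i = j + 1
        gaps = [b - a for a, b in zip(bursts, bursts[1:])]
        # need at least two bursts to have a gap; low spread means a timer, not a human
        if len(bursts) >= max(min_bursts, 2) and pstdev(gaps) <= jitter:
            found[key] = sum(gaps) / len(gaps)
    return found

def sample_log():
    """Constructed sample: 203.0.113.7 bursts every 120 s; 198.51.100.9 browses normally."""
    lines = []
    for minute in (0, 2, 4, 6):
        for _ in range(5):
            lines.append(f'203.0.113.7 - - [29/Sep/2024:17:{minute:02d}:00 +0000] '
                         '"GET /target HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"')
    lines += [f'198.51.100.9 - - [29/Sep/2024:17:{m:02d}:{s:02d} +0000] "GET /target HTTP/1.1" 200 512'
              for m, s in ((0, 5), (1, 40), (5, 12))]
    return lines

if __name__ == "__main__":
    print(find_periodic_bursts(sample_log()))
```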
