Microsoft flooding sites with fake traffic

Coleman Kane cokane at cokane.org
Wed Feb 20 18:08:23 EST 2008


Coleman Kane wrote:
> Arc Riley wrote:
>   
>> Hey guys
>>
>> Do yourselves a favor and search your logs for connections from
>> 131.107.* 65.52.* 65.53.* 65.54.* and 65.55.*
>>
>> I found a good % of traffic we got, not reported to Google Analytics
>> so I didn't see it sooner, was referred from http://search.live.com/
>> for search queries involving pornography, cars, drugs, and random
>> gibberish.  The landing pages from these searches were subversion
>> changesets, source code in the Trac browser, and other places those
>> search queries certainly don't exist in.
>>
>> All of it, well 97.2%, from the above two subnets, belonging to
>> Microsoft.  It'd be humorous if I didn't just purchase a new colo
>> server to handle the large volume of traffic pysoy.org
>> <http://pysoy.org> gets.  I can't tell if MS is trying to skew the
>> statistics in favor of MSIE/Live/etc or if it's conducting a denial of
>> service attack against free software project sites, perhaps both (two
>> birds with one stone?).
>>
>> If you see the similar childish behavior in your logs, please join me
>> in blocking them and being very vocal as to why.
>>
>>     
> An interesting find. I just checked my sites and I see the same thing,
> however most of the search queries seem to be pretty pertinent to the
> content of the pages that they reference. It is almost like there's some
> script running on a farm of Windows computers that just performs
> single-word searches on their Windows LiveSearch database, and visits
> the results (posting, of course, the LiveSearch referral in the request).
>
> Here's my distribution:
>
> cat apachelogs/*  | grep live.com  | cut -d\  -f1 | cut -d. -f1,2 | sort | uniq -c | sort -rn
>
>     308 65.55
>      10 131.107
>       4 85.159
>       3 142.161
>       2 71.164
>       2 68.95
>       2 4.246
>       2 207.224
>       1 86.144
>       1 84.202
>
> There are many, many more with single visits, but I left them off the
> list because they probably represent normal livesearch users.
>
> --
> Coleman Kane
>   
Went a little further and found that all my 65.55 traffic comes from the
65.55.165 class C. I decided to pass all the visitors to the host
program and found that all of the visitors have PTR records like this:
livebot-65-55-165-87.search.live.com. The 131.107 traffic was all from
two machines: tide525.microsoft.com and tide526.microsoft.com

Maybe some others could look at their logs and pull information on the
other subnets?

--
Coleman Kane
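
An added example, not part of the original message: the same per-prefix tally, but matching live.com only in the Referer field and grouping by either two or three octets, so the narrowing from 65.55 to 65.55.165 is one parameter. It assumes Apache "combined" log format with no escaped quotes in the request line; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# referer_prefix_counts OCTETS < access_log
#   OCTETS=2 groups by the first two octets (as in the post), 3 by /24.
referer_prefix_counts() {
    awk -v n="${1:-3}" -F'"' '
        # With a double quote as separator: $2 = request, $4 = Referer.
        {
            split($4, u, "/")              # u[3] = host part of the Referer URL
            host = tolower(u[3])
            if (host !~ /(^|\.)live\.com$/) next
            split($1, head, " ")           # head[1] = client address
            if (split(head[1], o, ".") != 4) next   # skip non-IPv4 clients
            key = o[1]
            for (i = 2; i <= n; i++) key = key "." o[i]
            count[key]++
        }
        END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -k1,1rn -k2,2
}

# Constructed sample: five real live.com referrals plus two decoys that a
# plain "grep live.com" would also count (query string, look-alike host).
sample_log() {
    cat <<'EOF'
65.55.165.87 - - [20/Feb/2008:17:01:02 -0500] "GET /changeset/12 HTTP/1.1" 200 5120 "http://search.live.com/results.aspx?q=cars" "Mozilla/4.0 (compatible; MSIE 7.0)"
65.55.165.90 - - [20/Feb/2008:17:01:05 -0500] "GET /browser/trunk HTTP/1.1" 200 811 "http://search.live.com/results.aspx?q=xyzzy" "Mozilla/4.0 (compatible; MSIE 7.0)"
65.55.165.87 - - [20/Feb/2008:17:02:11 -0500] "GET /changeset/40 HTTP/1.1" 200 4096 "http://search.live.com/results.aspx?q=drugs" "Mozilla/4.0 (compatible; MSIE 7.0)"
131.107.0.95 - - [20/Feb/2008:17:03:00 -0500] "GET / HTTP/1.1" 200 2048 "http://search.live.com/results.aspx?q=soy" "Mozilla/4.0 (compatible; MSIE 7.0)"
192.0.2.10 - - [20/Feb/2008:17:03:30 -0500] "GET /wiki?q=live.com HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Feb/2008:17:04:00 -0500] "GET / HTTP/1.1" 200 2048 "http://live.com.example.net/" "Mozilla/5.0"
65.55.12.4 - - [20/Feb/2008:17:05:00 -0500] "GET /timeline HTTP/1.1" 200 700 "http://search.live.com/results.aspx?q=python" "Mozilla/4.0 (compatible; MSIE 7.0)"
EOF
}

# Stand-alone run on the constructed sample, grouped by /24.
sample_log | referer_prefix_counts 3
```

Against real logs, `cat apachelogs/* | referer_prefix_counts 2` gives the two-octet view from the post and `referer_prefix_counts 3` the /24 view used to isolate 65.55.165.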
