Microsoft flooding sites with fake traffic

Arc Riley arcriley at gmail.com
Wed Feb 20 19:58:54 EST 2008


Do you happen to be running Google Analytics on your site?

On Wed, Feb 20, 2008 at 6:08 PM, Coleman Kane <cokane at cokane.org> wrote:

> Coleman Kane wrote:
> > Arc Riley wrote:
> >
> >> Hey guys
> >>
> >> Do yourselves a favor and search your logs for connections from
> >> 131.107.* 65.52.* 65.53.* 65.54.* and 65.55.*
> >>
> >> I found a good % of traffic we got, not reported to Google Analytics
> >> so I didn't see it sooner, was referred from http://search.live.com/
> >> for search queries involving pornography, cars, drugs, and random
> >> gibberish.  The landing pages from these searches were subversion
> >> changesets, source code in the Trac browser, and other places those
> >> search queries certainly don't exist in.
> >>
> >> All of it, well 97.2%, from the above two subnets, belonging to
> >> Microsoft.  It'd be humorous if I didn't just purchase a new colo
> >> server to handle the large volume of traffic pysoy.org
> >> <http://pysoy.org> gets.  I can't tell if MS is trying to skew the
> >> statistics in favor of MSIE/Live/etc or if it's conducting a denial of
> >> service attack against free software project sites, perhaps both (two
> >> birds with one stone?).
> >>
> >> If you see similar childish behavior in your logs, please join me
> >> in blocking them and being very vocal as to why.
> >>
> >>
> > An interesting find. I just checked my sites and I see the same thing,
> > however most of the search queries seem to be pretty pertinent to the
> > content of the pages that they reference. It is almost like there's some
> > script running on a farm of Windows computers that just performs
> > single-word searches on their Windows LiveSearch database, and visits
> > the results (posting, of course, the LiveSearch referral in the
> > request).
> >
> > Here's my distribution:
> >
> > cat apachelogs/*  | grep live.com  | cut -d\  -f1 | cut -d. -f1,2 | sort | uniq -c | sort -rn
> >
> >     308 65.55
> >      10 131.107
> >       4 85.159
> >       3 142.161
> >       2 71.164
> >       2 68.95
> >       2 4.246
> >       2 207.224
> >       1 86.144
> >       1 84.202
> >
> > There are many, many more with single visits, but I left them off the
> > list because they probably represent normal livesearch users.
> >
> > --
> > Coleman Kane
> >
> Went a little further and found that all my 65.55 traffic comes from the
> 65.55.165 class C. I decided to pass all the visitors to the host
> program and found that all of the visitors have PTR records like this:
> livebot-65-55-165-87.search.live.com. The 131.107 traffic was all from
> two machines: tide525.microsoft.com and tide526.microsoft.com
>
> Maybe some others could look at their logs and pull information on the
> other subnets?
>
> --
> Coleman Kane
>
>
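
An added example, not part of the thread: a variant of the log check discussed above that matches only the Referer field, so a request that merely contains "live.com" in its path is not counted, and that reports how many of the live.com-referred hits come from the prefixes named in the thread. It assumes Apache "combined" log format; the function names are hypothetical and the log lines are constructed sample data.

```shell
#!/bin/sh
# Added example. Assumes Apache "combined" log format; every log line below
# is constructed sample data, and the function names are hypothetical.

sample_log() {
cat <<'EOF'
65.55.165.87 - - [20/Feb/2008:18:01:02 -0500] "GET /changeset/101 HTTP/1.1" 200 5120 "http://search.live.com/results.aspx?q=cars" "Mozilla/4.0"
65.55.165.90 - - [20/Feb/2008:18:01:05 -0500] "GET /browser/trunk HTTP/1.1" 200 7300 "http://search.live.com/results.aspx?q=xkqz" "Mozilla/4.0"
65.55.165.87 - - [20/Feb/2008:18:01:09 -0500] "GET /changeset/102 HTTP/1.1" 200 4100 "http://search.live.com/results.aspx?q=drugs" "Mozilla/4.0"
131.107.0.95 - - [20/Feb/2008:18:02:11 -0500] "GET /browser/src HTTP/1.1" 200 2200 "http://search.live.com/results.aspx?q=engine" "Mozilla/4.0"
192.0.2.10 - - [20/Feb/2008:18:03:40 -0500] "GET /wiki/Start HTTP/1.1" 200 3000 "http://search.live.com/results.aspx?q=pysoy" "Mozilla/5.0"
198.51.100.7 - - [20/Feb/2008:18:04:00 -0500] "GET /wiki/search.live.com HTTP/1.1" 200 900 "-" "Mozilla/5.0"
65.55.165.91 - - [20/Feb/2008:18:04:30 -0500] "GET /robots.txt HTTP/1.1" 200 60 "-" "Mozilla/4.0"
EOF
}

# Count hits per first-two-octets prefix, but only where the Referer field
# ($4 when splitting on double quotes) is a search.live.com URL.
live_referrer_prefixes() {
    awk -F'"' '
        $4 ~ /^https?:\/\/search\.live\.com\// {
            split($1, parts, " ")         # parts[1] is the client address
            split(parts[1], octet, ".")
            count[octet[1] "." octet[2]]++
        }
        END { for (p in count) print count[p], p }
    ' | sort -k1,1nr -k2,2
}

# Of the live.com-referred hits, how many come from the prefixes named in
# the thread (131.107.*, 65.52.* through 65.55.*)? Prints "flagged/total".
flagged_share() {
    awk -F'"' '
        $4 ~ /^https?:\/\/search\.live\.com\// {
            total++
            if ($1 ~ /^(131\.107|65\.5[2-5])\./) flagged++
        }
        END { printf "%d/%d\n", flagged, total }
    '
}

sample_log | live_referrer_prefixes
sample_log | flagged_share
```

To run it against real logs, replace `sample_log` with `cat apachelogs/*` in the last two lines.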