Microsoft flooding sites with fake traffic

Coleman Kane cokane at cokane.org
Wed Feb 20 22:21:17 EST 2008


Arc Riley wrote:
> Do you happen to be running google analytics on your site?
No, I'm just parsing the logs. I use awstats
(http://awstats.sourceforge.net) for collecting stats from my logs. I'm
not really familiar with many of google.com's services.

--
Coleman Kane

>
> On Wed, Feb 20, 2008 at 6:08 PM, Coleman Kane <cokane at cokane.org> wrote:
>
>     Coleman Kane wrote:
>     > Arc Riley wrote:
>     >
>     >> Hey guys
>     >>
>     >> Do yourselves a favor and search your logs for connections from
>     >> 131.107.* 65.52.* 65.53.* 65.54.* and 65.55.*
>     >>
>     >> I found a good % of traffic we got, not reported to Google Analytics
>     >> so I didn't see it sooner, was referred from http://search.live.com/
>     >> for search queries involving pornography, cars, drugs, and random
>     >> gibberish.  The landing pages from these searches were subversion
>     >> changesets, source code in the Trac browser, and other places those
>     >> search queries certainly don't exist in.
>     >>
>     >> All of it, well 97.2%, from the above two subnets, belonging to
>     >> Microsoft.  It'd be humorous if I didn't just purchase a new colo
>     >> server to handle the large volume of traffic pysoy.org
>     >> gets.  I can't tell if MS is trying to skew the
>     >> statistics in favor of MSIE/Live/etc or if it's conducting a denial of
>     >> service attack against free software project sites, perhaps both (two
>     >> birds with one stone?).
>     >>
>     >> If you see the similar childish behavior in your logs, please join me
>     >> in blocking them and being very vocal as to why.
>     >>
>     >>
>     > An interesting find. I just checked my sites and I see the same thing,
>     > however most of the search queries seem to be pretty pertinent to the
>     > content of the pages that they reference. It is almost like there's some
>     > script running on a farm of windows computers that just performs
>     > single-word searches on their Windows LiveSearch database, and visits
>     > the results (posting, of course, the LiveSearch referral in the request).
>     >
>     > Here's my distribution:
>     >
>     > cat apachelogs/* | grep live.com | cut -d' ' -f1 | cut -d. -f1,2 | sort | uniq -c | sort -rn
>     >
>     >     308 65.55
>     >      10 131.107
>     >       4 85.159
>     >       3 142.161
>     >       2 71.164
>     >       2 68.95
>     >       2 4.246
>     >       2 207.224
>     >       1 86.144
>     >       1 84.202
>     >
>     > There are many, many more with single visits, but I left them off the
>     > list because they probably represent normal livesearch users.
>     >
>     > --
>     > Coleman Kane
>     >
>     Went a little further and found that all my 65.55 traffic comes from the
>     65.55.165 class C. I decided to pass all the visitors to the host
>     program and found that all of the visitors have PTR records like this:
>     livebot-65-55-165-87.search.live.com. The 131.107 traffic was all from
>     two machines: tide525.microsoft.com and tide526.microsoft.com
>
>     Maybe some others could look at their logs and pull information on the
>     other subnets?
>
>     --
>     Coleman Kane
>
>
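
Added example, not part of the original thread and not written by its participants: the per-subnet count from the quoted pipeline, but matching on the parsed Referer host rather than grepping the whole line, and marking which prefixes fall in the ranges named in the thread. It assumes Apache "combined" log format; the function names, sample log lines and user agent string are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Source ranges named in the thread: 131.107.* and 65.52.* through 65.55.*
NAMED_RANGES = [ipaddress.ip_network(n) for n in ("131.107.0.0/16", "65.52.0.0/14")]
# Combined format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "(?P<ref>[^"]*)" "[^"]*"')

def referred_client(line, domain="live.com"):
    """Return the client IPv4 address if the Referer host is `domain` or a subdomain."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        host = (urlsplit(m.group("ref")).hostname or "").lower()
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:  # malformed Referer URL, or a hostname in the client field
        return None
    if ip.version == 4 and (host == domain or host.endswith("." + domain)):
        return ip
    return None

def distribution(lines, domain="live.com"):
    """Hits per first two octets, most frequent first (the cut/sort/uniq -c step)."""
    counts = Counter()
    for line in lines:
        ip = referred_client(line, domain)
        if ip is not None:
            counts[".".join(str(ip).split(".")[:2])] += 1
    return counts.most_common()

def in_named_ranges(prefix):
    """True if the /16 written as 'a.b' lies inside one of NAMED_RANGES."""
    net = ipaddress.ip_network(prefix + ".0.0/16")
    return any(net.subnet_of(r) for r in NAMED_RANGES)

def _line(ip, path, ref):  # builds one constructed combined-format log line
    return f'{ip} - - [20/Feb/2008:18:00:00 -0500] "GET {path} HTTP/1.1" 200 512 "{ref}" "ExampleAgent/1.0"'

LIVE = "http://search.live.com/?q=word"  # constructed referral URL
SAMPLE = [  # constructed sample data, not taken from any real log
    _line("65.55.165.87", "/changeset/12", LIVE),
    _line("65.55.165.12", "/browser/trunk", LIVE),
    _line("131.107.0.95", "/", LIVE),
    _line("198.51.100.7", "/wiki", LIVE),
    _line("192.0.2.10", "/notes/live.com.txt", "-"),      # grep matches, no referral
    _line("203.0.113.5", "/", "http://notlive.com/"),     # grep matches, other host
]

if __name__ == "__main__":
    for prefix, n in distribution(SAMPLE):
        print(f"{n:7d} {prefix:8s} {'named in thread' if in_named_ranges(prefix) else ''}")
```

The last two sample lines would be counted by `grep live.com` but are excluded here because their Referer host is not live.com.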


