httpd-users mailing list archives

From "J. Greenlees" <li...@jaqui-greenlees.net>
Subject Re: [users@httpd] What IP address is this log entry coming from? (Is "::" a valid IP address?)
Date Thu, 02 Sep 2010 22:11:59 GMT
Jeff Trawick wrote:
> On Thu, Sep 2, 2010 at 5:40 PM, J. Greenlees <lists@jaqui-greenlees.net>wrote:
> 
>> Jeff Trawick wrote:
>> ~snip~
>>
>>>>> %a is supposed to be an IP address, so what IP address is "::"? I'm only
>>>>> somewhat familiar with IPv6 but I've never seen "::" before.
>>>>>
>>>> http://en.wikipedia.org/wiki/IPv6_address#Notation
>>>>
>>>> One or any number of consecutive groups of zero value may be replaced
>>>> with two colons. [ ... ]
>>>>
>>>> The localhost (loopback) address, 0:0:0:0:0:0:0:1, and the IPv6
>>>> unspecified address, 0:0:0:0:0:0:0:0, are reduced to ::1 and ::,
>>>> respectively.
>>>>
>>>>
>>> and it is bogus to have the unspecified address as the client IP address
>>>
>> and if you check MS' RPC mechanism it uses 0.0.0.0 for the ip address to
>> glom onto ANY available ip address. That suggests that the client giving the
>> :: address is most likely a bot of some sort.
>> it could be a legitimate bot for an rpc mechanism, or it could be [ seems
>> more likely ] to be one meant to find an exploitable weakness.
>>
>> or, the client could be using an anonymizer service before getting to the
>> OP's site.
>>
>> many reasons that it could be the ip unspecified address, only a few of
>> which are cause for concern to the server admin.
> 
> 
> That is the source IP address, which is required for routing replies
> (including those during the "connect" flow) back to the client, so I don't
> see how this can be 0 simply because of something the client is doing (other
> than triggering some sort of bug on the server side, of course).
> 
scanning for an open proxy, the :: would grab the ip address and the 
proxy would then be in its use to route content that may not be 
legitimately sent to the destination. or content that it is criminal to 
even possess. [ child porn jumps to mind for an example. ]

I suspect that the client is a bot doing a scan for an open proxy, one 
handing the :: out for that purpose. or, since it causes the 100% cpu 
load, it's the beginnings of a new ddos attack mechanism. we all may 
need to explicitly deny unspecified ip addresses from server access 
right quick.

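As an added example (not code from the thread or from the Apache project), the check below normalises the client-address field of Apache common-format access log lines with Python's standard `ipaddress` module and flags entries whose %a value is the unspecified address in any of its spellings (`::`, `0:0:0:0:0:0:0:0`, `0.0.0.0`, or the IPv4-mapped `::ffff:0.0.0.0`), which, as the thread notes, can never be a routable source address. The log lines are constructed samples.

```python
import ipaddress
import re

# Constructed sample lines in Apache "common" log format (client address is the
# first field); they are not entries from the original thread.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Sep/2010:17:40:01 +0000] "GET / HTTP/1.1" 200 512
:: - - [02/Sep/2010:17:40:02 +0000] "CONNECT example.com:443 HTTP/1.1" 405 0
0:0:0:0:0:0:0:0 - - [02/Sep/2010:17:40:03 +0000] "GET /index.html HTTP/1.0" 200 512
::1 - - [02/Sep/2010:17:40:04 +0000] "GET /status HTTP/1.1" 200 99
0.0.0.0 - - [02/Sep/2010:17:40:05 +0000] "GET / HTTP/1.1" 200 512
::ffff:0.0.0.0 - - [02/Sep/2010:17:40:06 +0000] "GET / HTTP/1.1" 200 512
not-an-address - - [02/Sep/2010:17:40:07 +0000] "GET / HTTP/1.1" 400 0
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def classify_client(field):
    """Return (kind, canonical) for a %a field, where kind is one of
    'unspecified', 'loopback', 'ok' or 'invalid'."""
    try:
        addr = ipaddress.ip_address(field)
    except ValueError:
        return "invalid", field
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is judged by its IPv4 form,
    # so ::ffff:0.0.0.0 is treated exactly like 0.0.0.0.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.is_unspecified:
        return "unspecified", str(addr)
    if addr.is_loopback:
        return "loopback", str(addr)
    return "ok", str(addr)


def suspicious_entries(log_text):
    """Yield (line_no, canonical_client, request) for log entries whose client
    address is the unspecified address; ipaddress collapses every spelling of
    the all-zero IPv6 address to '::', so no string comparison is needed."""
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        kind, canon = classify_client(m.group("client"))
        if kind == "unspecified":
            yield n, canon, m.group("request")


if __name__ == "__main__":
    for n, canon, req in suspicious_entries(SAMPLE_LOG):
        print(f"line {n}: client {canon} is the unspecified address: {req}")
```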
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
