
I have a website that is being hit with invalid URL requests by thousands of distinct IP addresses, never the same one used twice. Most of them are in a few ranges of IP addresses and often just go up sequentially.

Could this be a zombie botnet of compromised devices, or is it possible the attacker is spoofing these addresses?

The clustering of IP addresses into a handful of ranges seems inconsistent with what I would expect from random devices across the world being compromised and part of a botnet.

User agents are all legitimate and quite varied, but I know that is simple to spoof.

It doesn't feel like a DDoS attack as it is "just" a few thousand per hour. If they really wanted to DDoS it seems like they would crank the volume up more. Once I adjusted some exception handling I was able to get my server to resume being responsive to legitimate use.

I suspect it is a malicious (poorly constructed) crawler/spider.

Is IP address spoofing easily done and common now in these scenarios?

Pat James
    Why do you think that all these requests are caused by the same attacker? Such scanning scripts are easily available and can be run independently from each other by multiple attackers. – Steffen Ullrich Oct 03 '19 at 20:33
  • @SteffenUllrich I've been running this site for over a decade and this is the first time I've seen this pattern. I suspect it of being one coordinated effort due to the often sequential IP addresses, and there are some consistent patterns in the request headers, all of this across about 10,000 distinct IP addresses so far. – Pat James Oct 03 '19 at 23:34
  • 1
    Do the requested URL's look like ones made by run-of-the-mill scanners, similar to the those posted at https://serverfault.com/questions/384836/what-are-these-weird-access-requests ? – mti2935 Oct 03 '19 at 23:45
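
The clustering and sequential-address pattern described in the question can be checked directly against the access log rather than by eye. The script below is an added example, not code from the question or its answers: it groups client addresses by /24, counts 4xx responses per range, and flags runs of consecutive addresses. The log lines in it are constructed to resemble the pattern the poster describes and are not real traffic; the regex assumes Common Log Format with the client address as the first field, and the /24 width and minimum run length of 3 are illustrative choices.

```python
"""Cluster the client addresses in a web access log by network prefix and flag
runs of consecutive addresses (an added example, not code from the question).
The log lines below are constructed to resemble the pattern described; they
are not real traffic."""
import ipaddress
import re
from collections import defaultdict

# Common Log Format (assumed): client address is the first field, followed
# later by the quoted request line and the three-digit status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3})')

# Constructed sample log (not real traffic): two ranges being walked
# sequentially with probe-style URLs, plus one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Oct/2019:20:01:01 +0000] "GET /index.php?id=%27 HTTP/1.1" 404 12
203.0.113.11 - - [03/Oct/2019:20:01:02 +0000] "GET /wp-login.php HTTP/1.1" 404 12
203.0.113.12 - - [03/Oct/2019:20:01:03 +0000] "GET /.env HTTP/1.1" 404 12
203.0.113.14 - - [03/Oct/2019:20:01:04 +0000] "GET /admin/ HTTP/1.1" 404 12
198.51.100.7 - - [03/Oct/2019:20:01:05 +0000] "GET /products/42 HTTP/1.1" 200 5120
198.51.100.8 - - [03/Oct/2019:20:01:06 +0000] "GET /xmlrpc.php HTTP/1.1" 404 12
198.51.100.9 - - [03/Oct/2019:20:01:07 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 12
192.0.2.200 - - [03/Oct/2019:20:01:08 +0000] "GET /about HTTP/1.1" 200 3300
"""


def parse_clients(log_text):
    """Return (ip, request_line, status) tuples; unparsable lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:  # e.g. a hostname where an address was expected
            continue
        records.append((ip, m.group(2), int(m.group(3))))
    return records


def network_of(ip, prefixlen):
    """The /prefixlen network containing ip (works for IPv4 and IPv6)."""
    return ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)


def cluster_by_prefix(ips, prefixlen=24):
    """Group distinct addresses by network: {network: sorted list of addresses}."""
    groups = defaultdict(set)
    for ip in ips:
        groups[network_of(ip, prefixlen)].add(ip)
    return {net: sorted(addrs) for net, addrs in groups.items()}


def sequential_runs(sorted_ips, min_len=3):
    """Find runs a, a+1, a+2, ... of at least min_len consecutive addresses."""
    runs = []
    start = prev = None
    for ip in sorted_ips:
        if prev is not None and int(ip) == int(prev) + 1:
            prev = ip  # run continues
            continue
        if start is not None and int(prev) - int(start) + 1 >= min_len:
            runs.append((start, prev))
        start = prev = ip  # a new run begins here
    if start is not None and int(prev) - int(start) + 1 >= min_len:
        runs.append((start, prev))
    return runs


def prefix_report(log_text, prefixlen=24, min_run=3):
    """Per-network summary: distinct clients, 4xx responses, sequential runs."""
    records = parse_clients(log_text)
    by_net = cluster_by_prefix([ip for ip, _, _ in records], prefixlen)
    client_errors = defaultdict(int)
    for ip, _, status in records:
        if 400 <= status < 500:
            client_errors[network_of(ip, prefixlen)] += 1
    return {
        str(net): {
            "distinct_ips": len(ips),
            "client_errors": client_errors[net],
            "runs": [(str(a), str(b)) for a, b in sequential_runs(ips, min_run)],
        }
        for net, ips in by_net.items()
    }


if __name__ == "__main__":
    for net, info in sorted(prefix_report(SAMPLE_LOG).items()):
        print(net, info)
```

A range that shows many distinct clients, a high share of 4xx responses and one or more consecutive runs is the signature the question describes; a range with one client and 200 responses is ordinary traffic. On a real log, replace SAMPLE_LOG with the file contents and raise min_run to cut noise.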

1 Answer


It doesn't feel like a DDoS attack as it is "just" a few thousand per hour.

That's not always the case. There are attacks, e.g. the RUDY attack, that don't have to generate a large amount of traffic yet are very effective.

Could this be a zombie botnet of compromised devices, or is it possible the attacker is spoofing these addresses?

It could be a botnet, or even a single script that spawns a few threads and routes them through proxies.

Is IP address spoofing easily done and common now in these scenarios?

If the attacker wanted to get some results back from his/her attack then IP spoofing wouldn't be useful, since the traffic wouldn't return to the attacker - so in this case he/she would have to use a botnet or proxies. However, if the goal is a denial of service then it's possible, since packet-level IP spoofing can be easily implemented.

game0ver
  • Assuming IP address spoofing is in play, I guess it has to be a weak DDoS attack if they never get any response back. On the other hand, I did see them shift their approach in response to changes I made to thwart them, so they must be getting some information back. – Pat James Oct 03 '19 at 23:36
  • It's very unlikely IP spoofing is in play if you're seeing HTTP requests. Those would require a completed TCP 3-way handshake, and with IP spoofing the SYN-ACK would never reach the right machine. – Teun Vink Oct 04 '19 at 04:28
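
The practical consequence of the point made in the comments, that a completed HTTP request means the source address is genuine, is that the address is a usable key for throttling. The question, however, notes that each address is used only once and that the addresses advance sequentially through a few ranges, so a per-address limit never fires. The code below is an added example, not code from the answer or the question: it throttles with a sliding window keyed by /24 instead of by single address and compares both keyings on the same constructed request stream. The limit of 5 requests per 10 seconds, the /24 width and the request stream are all illustrative choices, not values from the thread.

```python
"""Sliding-window request limiter keyed by network prefix rather than by
single address (an added example, not code from the answer). The request
stream at the bottom is constructed, not real traffic."""
import ipaddress
from collections import defaultdict, deque


class PrefixRateLimiter:
    """Allow at most `limit` requests per `window` seconds from each /prefixlen network.

    prefixlen=32 degrades to an ordinary per-address limiter, which is what
    the comparison below uses as the baseline.
    """

    def __init__(self, limit, window, prefixlen=24):
        self.limit = limit
        self.window = window
        self.prefixlen = prefixlen
        self._hits = defaultdict(deque)  # network -> timestamps of recent requests

    def key(self, ip):
        # The address is real (the TCP handshake completed), so its enclosing
        # network is a meaningful key even though the exact address never repeats.
        return ipaddress.ip_network(f"{ip}/{self.prefixlen}", strict=False)

    def allow(self, ip, now):
        """Return True if a request from `ip` at time `now` is within budget."""
        recent = self._hits[self.key(ip)]
        # Evict timestamps that have aged out of the window.
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True


def replay(requests, limiter):
    """Feed (timestamp, ip) pairs through the limiter in time order.

    Returns (allowed, blocked) as lists of the addresses in each outcome.
    """
    allowed, blocked = [], []
    for ts, ip in sorted(requests):
        (allowed if limiter.allow(ip, ts) else blocked).append(ip)
    return allowed, blocked


def compare(requests, limit=5, window=10.0):
    """Count how many requests a per-address and a per-/24 limiter block."""
    per_ip = replay(requests, PrefixRateLimiter(limit, window, prefixlen=32))
    per_24 = replay(requests, PrefixRateLimiter(limit, window, prefixlen=24))
    return {"per_ip_blocked": len(per_ip[1]), "per_24_blocked": len(per_24[1])}


# Constructed request stream (not real traffic): one request per second from
# consecutive addresses in 203.0.113.0/24, each address used exactly once, plus
# an ordinary visitor from another range making two requests.
SWEEP = [(float(i), f"203.0.113.{10 + i}") for i in range(12)]
VISITOR = [(5.5, "198.51.100.7"), (6.5, "198.51.100.7")]

if __name__ == "__main__":
    allowed, blocked = replay(SWEEP + VISITOR, PrefixRateLimiter(5, 10.0))
    print("blocked by /24 limiter:", blocked)
    print(compare(SWEEP + VISITOR))
```

With the per-address keying nothing is ever blocked, because no address reaches the limit; with /24 keying the sweep is cut off after the fifth address in the window while the visitor in the other range is untouched. The same idea applies to a firewall or proxy rule set: block or rate-limit the observed ranges rather than the individual addresses.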