3

I receive a lot of requests like this:

ip-10-80-XXX-XXX.eu-west-1.compute.internal:80 110.249.208.XXX - - [11/Dec/2013:10:27:17 +0000] 
"GET http://mn.sina.com.cn/news/xianchang/2012-06-07/212535.html HTTP/1.1" 200 9515 
"http://mn.sina.com.cn/news/xianchang/list.html" "Mozilla/5.0 (w3660t by Kev++)"

I don't understand what this request wants. And what can I do against it using Apache? Currently it seems they are all coming from the same IP address block. I'm using an AWS server. I have some proxy functionality enabled on Apache.

powtac

1 Answer

4

ip-10-80-XXX-XXX.eu-west-1.compute.internal:80 110.249.208.XXX - - [11/Dec/2013:10:27:17 +0000] "GET http://mn.sina.com.cn/news/xianchang/2012-06-07/212535.html HTTP/1.1" 200

They are fishing for an open HTTP proxy, and your 200 response code says they found one.

By operating an open proxy, you're enabling people to launch any number of web attacks through you; it's even worse if you don't include X-Forwarded-For headers with their source IP. Do you really want to enable other people's (potentially harmful) activity with your web server?

If you must keep proxy functionality on the server and want to stop the abuse, at least configure it with one or more of:

  • HTTP Authentication
  • An IP ACL which limits proxied traffic to a trusted block of IPs (incorporating Shadur's comment)
Mike Pennington
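
A way to check an access log for the pattern this answer describes, as an added example that is not part of the original answer: it flags requests whose target names a foreign host and that were answered 2xx/3xx, then counts them per client /24 to show which blocks an ACL would have to exclude. The function names, the `own_hosts` parameter and the sample lines are assumptions made for illustration; client addresses are assumed to be IPv4.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "vhost_combined" layout, as in the log line quoted in the question.
LINE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def relayed_requests(lines, own_hosts):
    """Yield (client, foreign_host, status) for requests that name a host
    other than ours in the request line and were answered 2xx/3xx."""
    own = {h.lower() for h in own_hosts}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        target, status = m["target"], int(m["status"])
        if m["method"] == "CONNECT":          # authority-form: host:port
            host = target.rsplit(":", 1)[0].lower()
        elif "://" in target:                 # absolute-form: full URL
            host = (urlsplit(target).hostname or "").lower()
        else:
            continue                          # origin-form ("/path"): normal
        if host and host not in own and 200 <= status < 400:
            yield m["client"], host, status

def by_client_block(hits):
    """Count hits per client /24 to see whether one block is responsible."""
    return Counter(c.rsplit(".", 1)[0] + ".0/24" for c, _, _ in hits)

# Constructed sample lines (documentation addresses, placeholder host names).
V, T = "www.example.org:80", "[11/Dec/2013:10:27:17 +0000]"
SAMPLE = [
    f'{V} 203.0.113.7 - - {T} "GET http://other.example.net/a.html HTTP/1.1" 200 9515 "-" "x"',
    f'{V} 203.0.113.9 - - {T} "GET http://other.example.net/b.html HTTP/1.1" 200 812 "-" "x"',
    f'{V} 198.51.100.4 - - {T} "GET /index.html HTTP/1.1" 200 3021 "-" "x"',
    f'{V} 203.0.113.7 - - {T} "GET http://other.example.net/c.html HTTP/1.1" 403 199 "-" "x"',
    f'{V} 198.51.100.20 - - {T} "CONNECT other.example.net:443 HTTP/1.1" 200 0 "-" "x"',
    f'{V} 198.51.100.4 - - {T} "GET http://www.example.org/ HTTP/1.1" 200 3021 "-" "x"',
]

if __name__ == "__main__":
    hits = list(relayed_requests(SAMPLE, {"www.example.org"}))
    for block, n in by_client_block(hits).most_common():
        print(f"{block}: {n} foreign-host request(s) answered with success")
```

Once authentication or an IP ACL is in place, the same probes should show up with 403 or 407 and drop out of this report.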