15

I have a website, let's call it www.good.com.

I've been getting a lot of requests to www.good.com under completely different URLs than www.good.com. I suspect this traffic is also causing some site performance issues. I'm running a .NET solution on IIS for reference.

I have a logger that is constantly picking up 404 errors for external hosts. Below are examples of some of the log data:


Original URL: http://open.tracker.thepiratebay.org/announce?info_hash=%9D%E7%E6%10%911%1Eh%8D%BAX%02%27%C3x5%F0%18%DF%E8&peer_id=%2DSD0100%2D%E6%B2%15Ql%C0%14%5D%3Dx%20%8C&ip=192.168.2.23&port=8956&uploaded=1019809319&downloaded=1019809319&left=192985&numwant=200&key=9135&compact=1
Request URL: http://open.tracker.thepiratebay.org/announce?info_hash=%9D%E7%E6 %911 h%8D%BAX '%C3x5%F0 %DF%E8&peer_id=-SD0100-%E6%B2 Ql%C0 ]=x %8C&ip=192.168.2.23&port=8956&uploaded=1019809319&downloaded=1019809319&left=192985&numwant=200&key=9135&compact=1
Request Path: /announce
Referrer URL: None
User host address: 222.210.108.246
Server: WWW-GOOD-COM-SERVER
User: 
IsAuthenticated: False
Authentication Type: 
Thread account name: NT AUTHORITY\NETWORK SERVICE
User Agent: Bittorrent

I also see other weird requests from all kinds of other domains, like

  • vl.ff.avast.com
  • graph.facebook.com
  • eztv.tracker.thepiratebay.org
  • trackhub.appspot.com

Almost always the IP involved is from outside the US.

What I don't understand is why my server is trying to fulfill requests for any of these URLs when it is obviously not the host.

I need to know:

  1. Why could this be happening?
  2. Is this dangerous?
  3. How can I prevent it, if possible?
D.W.
Zachary Dow
  • When you say "my server is trying to fulfill requests", is it actually servicing something when receiving these requests (which would indeed indicate a dangerous problem) or is it replying with a 404 page not found each time (if so it would merely be some "noise" from automated bots scanning the Internet)? – WhiteWinterWolf Mar 27 '15 at 15:31
  • @GZBK In nearly all circumstances, it just pops up with a non-informative 404 page. One quirk is that the frequency occasionally seems to cause some database deadlocks that I'm trying to work around. I'm not 100% on that scenario, but it is likely generating a generic non-informative 500 error page then. – Zachary Dow Mar 27 '15 at 15:33
  • @GZBK Note that hitting those URLs in a browser doesn't hit my web application normally, which is why I wonder how they hit my application, period. – Zachary Dow Mar 27 '15 at 15:38
  • Maybe [this](https://isc.sans.edu/forums/diary/Are+You+Piratebay+thepiratebayorg+Resolving+to+Various+Hosts/19175/) will seem familiar to you? – WhiteWinterWolf Mar 27 '15 at 15:39
  • Just saw your second comment, I will write an answer for the technical part of it. – WhiteWinterWolf Mar 27 '15 at 15:40

3 Answers

15

When you type a URL in your browser, the browser will mainly do two things with it:

  1. Resolve the host name to get the associated IP address to be contacted; this allows the browser to send the request to the right server,
  2. Put the host name which has actually been typed in the Host HTTP header; this allows the server to send an appropriate reply in case several websites are hosted (each website will be identified thanks to this header).

However, what must be understood is that this Host header is just a plain-text header. A simple test:

  1. Initiate a telnet connection toward your web server:

telnet example.com 80

  2. Request a web page using such commands:

GET /my-fake-page HTTP/1.0
Host: my-fake-host.fake

  3. Then you need to press Enter twice to validate the end of your input.

Then in your logs you should see an incoming request for the URL http://my-fake-host.fake/my-fake-page.

As for the root cause of the issue, the same problem seems to affect other people with no clearly defined root cause: maybe a DNS server issue somewhere in China possibly related to their national firewall, maybe a DDoS botnet, but there does not seem to be any confirmation.

These requests are not dangerous by themselves. However, in the mentioned thread some people were reporting a significant impact on performance due to the increased load, possibly causing a denial of service. For some others it was just part of the "Internet noise" appearing in the logs.

As I went through the mentioned discussion, in case of load issues a few solutions were proposed, the one mainly applied being blocking source IPs based on the originating country.

WhiteWinterWolf
  • The telnet portion was totally the missing piece! I understood that http requests are plain text, but I thought that was the only piece of the puzzle. Thank you so much! – Zachary Dow Mar 27 '15 at 17:09
  • You're welcome, I'm glad it helped! – WhiteWinterWolf Mar 27 '15 at 18:10
  • I've heard accusations that China does this intentionally to DDOS sites they don't like. Those sites then block all Chinese IPs to stop the traffic, which China is happy with because they didn't want citizens visiting the site anyway. – Buge Mar 28 '15 at 04:22
5

Since GZBK covered why, I will cover the single simple solution to minimize this and related problems that I and others such as StevenC use. Make your first or default virtual host small, fast and light, returning errors on all requests (I have been known to allow a basic CSS and related resources). This has the advantages of minimizing resource consumption, easier separation of logs, earlier notice of other DNS issues, and, if you make this a practice on development servers, it minimizes dependency on untracked resources.

hildred
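The plain-text Host header test from WhiteWinterWolf's answer and the cheap catch-all default site hildred recommends, as an added example that is not part of either answer and is not IIS code: a minimal loopback HTTP server that rebuilds the "Original URL" from the Host header the way the question's logger does, and answers an empty 404 for any host name it is not configured to serve; the client sends exactly the bytes the telnet session types. The served name www.good.com and the tracker path are taken from the question; the log format, the `SERVED_HOSTS` set and the handler itself are assumptions made for the illustration.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: the only host name this site is meant to answer for (taken from the question).
SERVED_HOSTS = {"www.good.com"}


class LoggingServer(HTTPServer):
    """HTTPServer that keeps a per-instance request log, mimicking the question's logger."""

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.log = []


class HostAwareHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.0"  # one request per connection, as in the telnet test

    def do_GET(self):
        host = self.headers.get("Host", "")
        # A logger normally rebuilds the requested URL as scheme + Host header + path.
        # Nothing validates that Host: whatever the client typed is what gets logged, which is
        # how http://open.tracker.thepiratebay.org/announce ends up in www.good.com's logs.
        entry = {
            "original_url": f"http://{host}{self.path}",
            "request_path": self.path.split("?", 1)[0],
            "host": host,
            "client": self.client_address[0],
        }
        if host.split(":", 1)[0].lower() in SERVED_HOSTS:
            status, body = 200, b"welcome to www.good.com\n"
        else:
            # Catch-all "default site": a bare 404, no body, no application code executed.
            status, body = 404, b""
        entry["status"] = status
        self.server.log.append(entry)
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep stderr quiet; the request log lives in self.server.log


def start_server():
    """Bind to an ephemeral loopback port and serve from a background thread."""
    srv = LoggingServer(("127.0.0.1", 0), HostAwareHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def raw_get(port, path, host):
    """Send exactly the bytes the telnet session types and return the HTTP status code."""
    request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    with socket.create_connection(("127.0.0.1", port), timeout=5) as sock:
        sock.sendall(request)
        response = b""
        while chunk := sock.recv(4096):  # HTTP/1.0: server closes when done
            response += chunk
    status_line = response.split(b"\r\n", 1)[0]  # e.g. b"HTTP/1.0 404 Not Found"
    return int(status_line.split(b" ")[1])


def demo():
    """Replay the telnet test, a legitimate request and a tracker-style request (constructed)."""
    srv = start_server()
    port = srv.server_address[1]
    try:
        statuses = [
            raw_get(port, "/my-fake-page", "my-fake-host.fake"),
            raw_get(port, "/", "www.good.com"),
            raw_get(port, "/announce?info_hash=%9D%E7%E6&port=8956",
                    "open.tracker.thepiratebay.org"),
        ]
    finally:
        srv.shutdown()
        srv.server_close()
    return statuses, srv.log


if __name__ == "__main__":
    statuses, log = demo()
    for entry in log:
        print(entry["status"], entry["original_url"], "from", entry["client"])
```

The first and third requests never touch anything beyond the host check, which is the point of the default-site approach: the foreign-Host traffic still arrives (the TCP connection and HTTP parse cannot be avoided) but it no longer reaches the application, its database, or the main site's log. On IIS the analogue is a separate site whose binding on the same address and port carries no host name, so it receives every request whose Host header matches none of the named bindings.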
3

As @GZBK said, this happens because, for whatever reason, people are being sent to your server when they try to open those sites. This has happened to many others, and is likely the GFW doing its dirty thing.

Here is a nice post about some other guy who had the same thing happen to him.

You can use this site to check if the DNS is pointed to your server.

Epicblood