
As part of my Apache logs, I can frequently observe a sequence of consecutive GETs like:

  • 46.235.158.196 - Requesting a file
  • Some other host requesting the exact same file within the same second with the same user agent

That being said:

  • 46.235.158.196 is said to belong to Symantec
  • But is said by Spamhaus to be infected or NATing for a computer infected with matsnu
  • The other host IP varies but is systematically owned by one or another renowned institution

I am wondering whether it is a legal protection service from Symantec or a sign that the other host is infected or NATing too?

aCOSwt

1 Answer


The pattern of a security organization or cloud IP doing the same request immediately before implies some form of link following. Probably it is legit security technology. It's not a NAT or proxy if different IPs are doing the requests.

Only of concern if it is abusing your service. There are approaches to rate limiting or intrusion detection you may employ if it is a problem.

John Mahowald
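
One way to pull the pattern described in the question out of an access log, as an added example that is not part of the original question or answer. It assumes Apache's combined log format; the sample lines, paths, user agents and the "other host" addresses (documentation ranges) are constructed.

```python
import re
from collections import defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" \d{3} \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

WATCHED_IP = "46.235.158.196"  # the address named in the question

def paired_requests(lines, watched_ip=WATCHED_IP):
    """Return (timestamp, path, user_agent, other_ips) for every second in which
    watched_ip and at least one other host sent a GET for the same path with
    the same user agent."""
    groups = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET":
            continue  # skip unparsable lines and non-GET requests
        # %t has one-second resolution, so the raw timestamp is the bucket.
        # Pairs that straddle a second boundary are not grouped by this key.
        groups[(m["ts"], m["path"], m["ua"])].add(m["ip"])
    hits = []
    for (ts, path, ua), ips in groups.items():
        others = ips - {watched_ip}
        if watched_ip in ips and others:
            hits.append((ts, path, ua, sorted(others)))
    return hits

# Constructed sample log (not taken from the question)
UA = "Mozilla/5.0 (constructed sample UA)"
SAMPLE_LOG = [
    f'46.235.158.196 - - [12/Mar/2019:10:15:02 +0100] "GET /files/report.pdf HTTP/1.1" 200 5120 "-" "{UA}"',
    f'198.51.100.23 - - [12/Mar/2019:10:15:02 +0100] "GET /files/report.pdf HTTP/1.1" 200 5120 "-" "{UA}"',
    '203.0.113.9 - - [12/Mar/2019:10:15:02 +0100] "GET /files/report.pdf HTTP/1.1" 200 5120 "-" "curl/7.58.0"',
    f'46.235.158.196 - - [12/Mar/2019:10:20:40 +0100] "GET /index.html HTTP/1.1" 200 812 "-" "{UA}"',
    f'198.51.100.23 - - [12/Mar/2019:10:20:41 +0100] "GET /index.html HTTP/1.1" 200 812 "-" "{UA}"',
]

if __name__ == "__main__":
    for ts, path, ua, others in paired_requests(SAMPLE_LOG):
        print(f"{ts}  {path}  also requested by {', '.join(others)}  UA={ua!r}")
```

Counting the resulting pairs per day gives a baseline for deciding whether the traffic is heavy enough to justify the rate limiting mentioned in the answer.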