
Backdrop (a bit of a read)

We created a shortened url redirector (using asp.net Url Routing with a catch-all for 404 to do routing) in which bar codes are scanned from devices and then redirected to a destination site from mobile devices. We log all incoming requests for statistical analysis. Since last Monday night, there has been an influx of requests and subsequent redirects to the destination sites. Normally I would be saying "WooHoo!" but the influx appears to be too consistent and from varying IPs (but in batches) and synchronous requests for differing urls. There are only a set of valid redirect urls BUT the influx is only hitting those specified urls (i.e. does not appear to be a brute force attack). The urls are publicly available but could only be sourced from either internal staff or from scanning codes in a published magazine. No codes have been given out internally.

The majority of the user agents from the requests are basically coming from, apparently, iPhones and the majority of IPs are local which adds to the mystery (will show sample logged requests and stats). To mitigate the influx, we first implemented an ip blocking rule (on a code level) to add the ip to a block list if 3 attempts came in under 90 seconds (pulled that rule out of a hat :oP) and we started to catch some. If blocked, we basically terminated the session. But this rule could have affected legitimate users (as it affected internal staff...working on a white list but not done yet) so we decided on another tactic, an interstitial.

We implemented a landing page instead of a redirect where the user needs to interact and click a button to continue. We still had ip blocking rules in place for abuses. So if a legit user came through, they just need to click the button to continue. If the "visitor" was on the block list, we implemented a captcha routine to see if they were legit in their intention to go on (not a great user experience admittedly).

I also implemented robots.txt with deny all. I even placed a hidden link in the landing page to see if it was a crawler but so far, I haven't tracked any traffic through it.

My tech partner had thought that it could be a glitch in actual apple devices/apps/browsers that cause it to reload saved scanned urls (bar code reader apps like RedLaser, i-nigma, etc...) but it just seems odd that this continues to happen.

So even after implementing the landing page, we're still getting the traffic that is landing on the page but not continuing/clicking through. That is why I think it's an attack, not for compromising the site but possibly a competitor trying to skew site statistics? The stats are important in the business but it is legit stats that count. We don't want to mess up our clients. It could also be scrapers for content but with the user agents and my trap not working, I don't know...could it actually be humans doing the clicking/scanning...lost.

Has anyone experienced anything like this before?

    Some stats over a period of approximately 2.5 days...

        Count   HTTP_USER_AGENT
        2924    Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146
        506 Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Mobile/9B206
        424 Mozilla/5.0 (iPod; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146
        401 Mozilla/5.0 (iPhone; CPU iPhone OS 6_0_1 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10A523
        202 Mozilla/5.0 (iPhone; CPU iPhone OS 6_1 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B141
        180 Mozilla/5.0 (iPhone; CPU iPhone OS 6_1 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B144
        157 Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10A403
        138 Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10A405
        119 Mozilla/5.0 (iPhone; CPU iPhone OS 6_1 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B142
        119 Mozilla/5.0 (iPod; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Mobile/9B206
        111 Mozilla/5.0 (iPhone; CPU iPhone OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10A551
        91  Mozilla/5.0 (iPhone; CPU iPhone OS 6_1 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B143
        88  Mozilla/5.0 (iPhone; CPU iPhone OS 5_0_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Mobile/9A405
        86  Mozilla/5.0 (iPod; CPU iPhone OS 5_0_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Mobile/9A405
        86  Mozilla/5.0 (iPod; CPU iPhone OS 6_0_1 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10A523
        69  Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Mobile/9B208
        56  Mozilla/5.0 (iPhone; CPU iPhone OS 6_0_1 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10A525
        54  Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_3 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B329
        47  Mozilla/5.0 (iPod; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10A403
        46  Mozilla/5.0 (iPod; CPU iPhone OS 6_1 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B144
        45  Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6
        43  Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_1 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B145
        30  Mozilla/5.0 (iPhone; CPU iPhone OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10A550
        27  Mozilla/5.0 (iPod; CPU iPhone OS 6_1 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B141
        22  Mozilla/5.0 (Linux; Android 4.1.1; SGH-I747M Build/JRO03L) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.169 Mobile Safari/537.22
        21  Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAM3)
        17  Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)
        16  Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Mobile/9B176
        13  Mozilla/5.0 (iPod; CPU iPhone OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Mobile/9B176
        13  Mozilla/5.0 (BlackBerry; U; BlackBerry 9800; en) AppleWebKit/534.8+ (KHTML, like Gecko) Version/6.0.0.600 Mobile Safari/534.8+
        13  Qrafter/7.0 CFNetwork/609.1.4 Darwin/13.0.0

    For these stats, I took out source IPs (for courtesy) but referenced which ones were the same...just a small sample out of approximately 6.5K requests

    Count   REMOTE_ADDR HTTP_USER_AGENT
    5   A.B.C.D Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Mobile/9B206
    13  A.B.C.D Mozilla/5.0 (iPhone; CPU iPhone OS 6_0_1 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10A523
    2   A.B.C.D Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146
    6   A.B.C.D Mozilla/5.0 (iPod; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146
    1   B.C.D.E Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Mobile/9B206
    3   B.C.D.E Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_1 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B145
    10  B.C.D.E Mozilla/5.0 (iPod; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10A406
    15  C.D.E.F Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Mobile/9B206
    31  C.D.E.F Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10A405
    20  C.D.E.F Mozilla/5.0 (iPhone; CPU iPhone OS 6_1 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B141
    2   D.E.F.G Mozilla/5.0 (iPod; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Mobile/9B206
    6   D.E.F.G Mozilla/5.0 (iPod; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10A403
    2   D.E.F.G Mozilla/5.0 (iPod; CPU iPhone OS 6_0_1 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10A523
    18  E.F.G.H Mozilla/5.0 (iPhone; CPU iPhone OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10A550
    49  E.F.G.H Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146
    15  E.F.G.H Mozilla/5.0 (iPod; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Mobile/9B206
    13  E.F.I.J Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Mobile/9B206
    11  E.F.I.J Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10A403
    11  E.F.I.J Mozilla/5.0 (iPod; CPU iPhone OS 5_0_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Mobile/9A405
    3   E.F.I.J Mozilla/5.0 (iPod; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Mobile/9B206


Sample of typical sequential flood

URL HTTP_USER_AGENT REMOTE_ADDR LogDate
http://SITEURL/UoetZx   Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146    A.B.C.D 3/21/13 1:45 AM
http://SITEURL/2NedO0   Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146    A.B.C.D 3/21/13 1:45 AM
http://SITEURL/33hCWl   Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146    A.B.C.D 3/21/13 1:44 AM
http://SITEURL/e11LzG   Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146    B.C.D.E 3/21/13 1:44 AM
http://SITEURL/bQx5Bu   Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146    A.B.C.D 3/21/13 1:43 AM
http://SITEURL/BtrZ3m   Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146    B.C.D.E 3/21/13 1:43 AM
http://SITEURL/cxfmr1   Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146    A.B.C.D 3/21/13 1:43 AM
http://SITEURL/KztehQ   Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146    A.B.C.D 3/21/13 1:42 AM
http://SITEURL/O19sq3   Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146    B.C.D.E 3/21/13 1:42 AM
http://SITEURL/e6Dlwb   Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146    A.B.C.D 3/21/13 1:42 AM
http://SITEURL/GGQ4ZO   Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146    B.C.D.E 3/21/13 1:41 AM
http://SITEURL/jjr_rM   Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146    A.B.C.D 3/21/13 1:40 AM
http://SITEURL/yIzVel   Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146    B.C.D.E 3/21/13 1:40 AM
http://SITEURL/D8M0_Y   Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146    B.C.D.E 3/21/13 1:39 AM
http://SITEURL/-GqaX9   Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146    B.C.D.E 3/21/13 1:38 AM
http://SITEURL/9o0Bv8   Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146    B.C.D.E 3/21/13 1:37 AM
http://SITEURL/65_ce8   Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146    B.C.D.E 3/21/13 1:35 AM
http://SITEURL/33hCWl   Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146    B.C.D.E 3/21/13 1:34 AM
http://SITEURL/2NedO0   Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146    B.C.D.E 3/21/13 1:33 AM
http://SITEURL/UoetZx   Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146    B.C.D.E 3/21/13 1:33 AM
http://SITEURL/fknpPf   Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146    B.C.D.E 3/21/13 1:31 AM
http://SITEURL/tLEI3S   Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146    B.C.D.E 3/21/13 1:30 AM
http://SITEURL/MgOvvm   Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146    B.C.D.E 3/21/13 1:29 AM
http://SITEURL/MlJVua   Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146    B.C.D.E 3/21/13 1:28 AM
http://SITEURL/UcRIZj   Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146    B.C.D.E 3/21/13 1:27 AM
http://SITEURL/xZy-KP   Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146    B.C.D.E 3/21/13 1:26 AM
http://SITEURL/sXswln   Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146    B.C.D.E 3/21/13 1:25 AM
http://SITEURL/aQJrWx   Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146    B.C.D.E 3/21/13 1:24 AM
http://SITEURL/_sBrUw   Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146    B.C.D.E 3/21/13 1:23 AM
http://SITEURL/V7H9mK   Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146    B.C.D.E 3/21/13 1:22 AM
http://SITEURL/lchtkL   Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146    B.C.D.E 3/21/13 1:21 AM
http://SITEURL/WY7g1T   Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146    B.C.D.E 3/21/13 1:20 AM
http://SITEURL/bQx5Bu   Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146    B.C.D.E 3/21/13 1:19 AM
http://SITEURL/FznevZ   Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146    B.C.D.E 3/21/13 1:17 AM
Dave
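An added example (not the poster's code, and in Python rather than the site's ASP.NET) that parses rows in the post's log layout, applies the post's 3-hits-in-90-seconds rule as a per-IP sliding window, and adds a second signal the rule alone misses: how many distinct short codes one IP has requested. The sample rows are constructed to mirror the "sequential flood" sample above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the post's column layout (URL, user agent, remote
# address, log date), tab separated; the IPs are placeholders, not real traffic.
UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146"
SAMPLE_LOG = "\n".join([
    f"http://SITEURL/UoetZx\t{UA}\tA.B.C.D\t3/21/13 1:45 AM",
    f"http://SITEURL/2NedO0\t{UA}\tA.B.C.D\t3/21/13 1:45 AM",
    f"http://SITEURL/33hCWl\t{UA}\tA.B.C.D\t3/21/13 1:44 AM",
    f"http://SITEURL/e11LzG\t{UA}\tB.C.D.E\t3/21/13 1:44 AM",
    f"http://SITEURL/BtrZ3m\t{UA}\tB.C.D.E\t3/21/13 1:43 AM",
    f"http://SITEURL/O19sq3\t{UA}\tB.C.D.E\t3/21/13 1:42 AM",
    f"http://SITEURL/GGQ4ZO\t{UA}\tB.C.D.E\t3/21/13 1:41 AM",
    f"http://SITEURL/UoetZx\t{UA}\tF.G.H.I\t3/21/13 1:30 AM",  # a single scan
])

def parse_log(text):
    """Return (ip, short_code, timestamp) tuples, oldest first."""
    rows = []
    for line in text.splitlines():
        url, _ua, ip, logdate = line.split("\t")
        ts = datetime.strptime(logdate, "%m/%d/%y %I:%M %p")
        rows.append((ip, url.rsplit("/", 1)[1], ts))
    rows.sort(key=lambda r: r[2])
    return rows

def sliding_window_blocks(rows, limit=3, window=timedelta(seconds=90)):
    """The post's rule: block an IP once `limit` hits fall inside `window`.
    Returns {ip: timestamp of the request that triggered the block}."""
    recent = defaultdict(list)
    blocked = {}
    for ip, _code, ts in rows:
        if ip in blocked:
            continue
        hits = recent[ip]
        hits.append(ts)
        while hits and ts - hits[0] > window:   # forget hits outside the window
            hits.pop(0)
        if len(hits) >= limit:
            blocked[ip] = ts
    return blocked

def distinct_codes_per_ip(rows):
    """Second signal: a reader scans one or two codes; a scanner walks many."""
    seen = defaultdict(set)
    for ip, code, _ts in rows:
        seen[ip].add(code)
    return {ip: len(codes) for ip, codes in seen.items()}
```

Note that B.C.D.E, pacing one request per minute as in the sample flood, never trips the 3-in-90-seconds rule, while its distinct-code count still stands out against a normal scan of one code.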
  • Just have some beer man! )) – NoWar Mar 21 '13 at 18:13
    Yea...tried that! :o) Stats and traffic would look good for clients but it is just too suspicious. I'm thinking manual scrapers getting content but using phones...hmmm – Dave Mar 21 '13 at 18:21
  • +1 Because you have tried beer, man! hahahahaa!!! Do u have some awesome content to steal? :) – NoWar Mar 21 '13 at 18:22
  • Thanks Peretz...would drink more if I kept getting +'s. Content is not really anything major but the old adage is "content is king" and the more you have indexed, the more Google luvs ya. Scrapers are alive and well but I don't think I'm dealing with a sophisticated bot or app since they don't continue on upon reaching the interstitial. – Dave Mar 21 '13 at 19:38
