Jeff Trawick wrote:
On Thu, Sep 2, 2010 at 5:40 PM, J. Greenlees <li...@jaqui-greenlees.net>wrote:
Jeff Trawick wrote:
~snip~
%a is supposed to be an IP address, so what IP address is "::"? I'm only
somewhat familiar with IPv6 but I've never seen "::" before.
http://en.wikipedia.org/wiki/IPv6_address#Notation
One or any number of consecutive groups of zero value may be replaced
with two colons. [ ... ]
The localhost (loopback) address, 0:0:0:0:0:0:0:1, and the IPv6
unspecified address, 0:0:0:0:0:0:0:0, are reduced to ::1 and ::,
respectively.
and it is bogus to have the unspecified address as the client IP address
and if you check MS' RPC mechanism it uses 0.0.0.0 for the ip address to
glom onto ANY available ip address. That suggests that the client giving the
:: address is most likely a bot of some sort.
it could be a legitimate bot for an rpc mechanism, or it could be [ seems
more likely ] to be one meant to find an exploitable weakness.
or, the client could be using an anonymizer service before getting to the
OPs site.
many reasons that it could be the ip unspecified address, only a few of
which are cause for concern to the server admin.
That is the source IP address, which is required for routing replies
(including those during the "connect" flow) back to the client, so I don't
see how this can be 0 simply because of something the client is doing (other
than triggering some sort of bug on the server side, of course).
scanning for an open proxy, the :: would grab the ip address and the
proxy would then be in it's use to route content that may not be
legitimately sent to the destination. or content that it is criminal to
even possess. [ child porn jumps to mind for an example. ]
I suspect that the client is a bot doing a scan for an open proxy, one
handing the :: out for that purpose. or, since it causes the 100% cpu
load, it's the beginnings of a new ddos attack mechanism. we all may
need to explicitly deny unspecified ip addresses from server access
right quick.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
" from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
