Ask HN: Why would a botnet access my server like that?
My website gets a lot of 'traffic' from seemingly random ips, all requesting the same (broken) url. It seems I have been targeted by a botnet, but I don't understand the goal of those requests: they are clearly not trying to attack, and not fast enough to be a DDOS.
I get on average one of those requests every couple of seconds. This has been going on for more than a year now. Any idea what those are?
Here is an example from my log (ip and server name redacted):
xxx.xxx.xxx.xxx myserver.com - [13/Sep/2016:06:34:49 +0200] "GET /invalid HTTP/1.1" 403 345 "-" "Mozilla/5.0" xxx.xxx.xxx.xxx myserver.com - [13/Sep/2016:06:35:10 +0200] "GET /invalid HTTP/1.1" 403 345 "-" "Mozilla/5.0"
5 comments
[ 1.8 ms ] story [ 24.0 ms ] threadFirst look at where the IPs geolocate to. Do most of them come from a particular country or region? A particular ISP/AS? Maybe a particular type of ISP (eg mobile carrier)? Further, you might look at when these requests are made, how frequently they recur from the same IP, etc.
Second, do a packet capture and look at the full request. Maybe it'll have a hostname or telltale header, etc.