[Dshield] Tens of thousands of http gets for the same .gif/.jpg

J. Foobar jfoobar1 at yahoo.com
Thu Nov 7 10:16:57 GMT 2002


I'm hoping that someone can steer me in a useful
direction on this.

We recently starting doing some serious audits of
internal web use, based largely on bandwidth usage and
connection count information parsed from our firewall
logs.  I work for an organization with about 100,000
internal network-connected workstations.

What I have been periodically seeing is a workstation
that racks up huge amounts of http connections in a
24-hour period.  A close look at the traffic dump for
the user shows that the workstation performed tens of
thousands of http gets on a web-based .jpg or .gif in
a short about of time.  Today I found one that racked
up 50,000 plus, all for the same .gif, in under an
hour.

I have found four of these in the past couple of
weeks, all different internal systems with no rhyme or
reason to the "targets."  One was a doppler weather
map on a local news web site, another was a background
texture .gif on an obscure IT portal site.  In at
least one case, the user surfed to the target site
during business hours and probably left his/her
browser open.  Then, several hours later after he/she
almost certainly had gone home, 100000+ http gets for
the same .jpg starting at 9pm and lasting a few hours.
 Then, it stopped.

Browser configuration problem, flaky behavior inherent
to IE (mostly 5.0 and 5.5), malware of some sort? 
What does this smell like?

I am really not much a client systems guy, especially
when it comes to MS-schtuff, so I'm really not sure
what to look for when I discover these.

Thanks in advance,
Justin

__________________________________________________
Do you Yahoo!?
U2 on LAUNCH - Exclusive greatest hits videos
http://launch.yahoo.com/u2




More information about the list mailing list