[Dshield] Tens of thousands of http gets for the same .gif/.jpg

Tony Nichols tony at mail.applog.com
Thu Nov 7 20:18:24 GMT 2002

Could it be one of those websites that update the images every few
seconds like a weather map? Or maybe a webcam ?

T o n y

-----Original Message-----
From: list-admin at dshield.org [mailto:list-admin at dshield.org] On Behalf
Of J. Foobar
Sent: Thursday, November 07, 2002 5:17 AM
To: list at dshield.org
Subject: [Dshield] Tens of thousands of http gets for the same .gif/.jpg

I'm hoping that someone can steer me in a useful
direction on this.

We recently starting doing some serious audits of
internal web use, based largely on bandwidth usage and connection count
information parsed from our firewall logs.  I work for an organization
with about 100,000 internal network-connected workstations.

What I have been periodically seeing is a workstation
that racks up huge amounts of http connections in a
24-hour period.  A close look at the traffic dump for
the user shows that the workstation performed tens of
thousands of http gets on a web-based .jpg or .gif in
a short about of time.  Today I found one that racked
up 50,000 plus, all for the same .gif, in under an

I have found four of these in the past couple of
weeks, all different internal systems with no rhyme or
reason to the "targets."  One was a doppler weather
map on a local news web site, another was a background
texture .gif on an obscure IT portal site.  In at
least one case, the user surfed to the target site
during business hours and probably left his/her
browser open.  Then, several hours later after he/she
almost certainly had gone home, 100000+ http gets for
the same .jpg starting at 9pm and lasting a few hours.
 Then, it stopped.

Browser configuration problem, flaky behavior inherent
to IE (mostly 5.0 and 5.5), malware of some sort? 
What does this smell like?

I am really not much a client systems guy, especially
when it comes to MS-schtuff, so I'm really not sure
what to look for when I discover these.

Thanks in advance,

Do you Yahoo!?
U2 on LAUNCH - Exclusive greatest hits videos http://launch.yahoo.com/u2

Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:

Tracking #: E20736E1B502DB4CB3BD39746C7FEEB21C8FDE5F

More information about the list mailing list