[Dshield] Java clients showing up in web access logs

Pete Cap peteoutside at yahoo.com
Thu Jul 24 07:54:31 GMT 2008


I'm examining some Apache logs for a customer.  One anomaly that keeps cropping up is records where the User-Agent string is some variation on "Java/", for example, "Java/1.6.0_02."  All of these clients are going after the same resource (a JPEG in this case).  There is no 'referer' for these records.

Legitimate activity involving this JPEG (e.g. where the referer is the page in which it is embedded) is vastly outnumbered by activity involving these Java clients.  For example, on one day there were 33,873 requests for the file, but 33,807 were from the Java clients--they make up about 99% of all requests for the resource.  Prior to this image being posted, Java showed up in the log on average about 25 times.

Can anyone clue me in on what exactly is going on?  This is causing issues for the firewall in front of the webserver because it seems to be choking on transferring the JPEG (which is pretty large) over and over.  It looks like some kind of DoS attempt (which is the customer's theory) but I want to make sure it's not something that is merely annoying before I categorize it as "malicious."
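As an added example (not part of the original post), a small Python script that parses Apache combined-format log lines and measures, for one resource, how many requests come from "Java/" user agents with no referer, the bytes served to them, and the top source hosts. The log lines, hosts and paths below are constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (not taken from the poster's logs).
SAMPLE_LOG = """\
10.0.0.1 - - [24/Jul/2008:06:01:10 +0000] "GET /img/banner.jpg HTTP/1.1" 200 912345 "-" "Java/1.6.0_02"
10.0.0.2 - - [24/Jul/2008:06:01:11 +0000] "GET /img/banner.jpg HTTP/1.1" 200 912345 "-" "Java/1.5.0_15"
10.0.0.3 - - [24/Jul/2008:06:01:12 +0000] "GET /img/banner.jpg HTTP/1.1" 200 912345 "http://example.test/page.html" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
10.0.0.1 - - [24/Jul/2008:06:01:13 +0000] "GET /img/banner.jpg HTTP/1.1" 200 912345 "-" "Java/1.6.0_02"
10.0.0.4 - - [24/Jul/2008:06:01:14 +0000] "GET /page.html HTTP/1.1" 200 4321 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
"""

def parse(lines):
    """Yield one dict per line that matches the combined format; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def summarize(log_text, path, agent_prefix="Java/"):
    """For `path`: total hits, hits from `agent_prefix` clients with no referer,
    their share of all hits, bytes served to them, and the top source hosts."""
    total = flagged = flagged_bytes = 0
    hosts = Counter()
    for rec in parse(log_text.splitlines()):
        if rec["path"] != path:
            continue
        total += 1
        if rec["agent"].startswith(agent_prefix) and rec["referer"] == "-":
            flagged += 1
            flagged_bytes += int(rec["size"]) if rec["size"].isdigit() else 0
            hosts[rec["host"]] += 1
    return {"total": total, "flagged": flagged,
            "share": flagged / total if total else 0.0,
            "flagged_bytes": flagged_bytes, "top_hosts": hosts.most_common(3)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "/img/banner.jpg"))
```

Point it at the real access log and the real image path; a high share with a handful of repeating hosts argues for rate-limiting those sources, while a high share spread over thousands of hosts looks more like a distributed fetcher or hot-linking application.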




