我在我的 Apache 日志中发现了以下有趣的流量:
213.159.213.236 - - [16/Dec/2019:03:02:03 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FSL 7.0.7.01001)"
213.159.213.236 - - [16/Dec/2019:03:02:19 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FSL 7.0.7.01001)"
213.159.213.236 - - [16/Dec/2019:03:02:25 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36"
213.159.213.236 - - [16/Dec/2019:03:02:40 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
213.159.213.236 - - [16/Dec/2019:03:02:48 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.02 Bork-edition [en]"
213.159.213.236 - - [16/Dec/2019:03:03:06 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8"
213.159.213.236 - - [16/Dec/2019:03:04:22 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FSL 7.0.7.01001)"
213.159.213.236 - - [16/Dec/2019:03:04:36 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
213.159.213.236 - - [16/Dec/2019:03:04:51 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9"
213.159.213.236 - - [16/Dec/2019:03:05:06 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0"
213.159.213.236 - - [16/Dec/2019:03:05:26 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246"
213.159.213.236 - - [16/Dec/2019:03:05:37 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36"
213.159.213.236 - - [16/Dec/2019:03:07:23 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.02 Bork-edition [en]"
213.159.213.236 - - [16/Dec/2019:03:07:37 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.02 Bork-edition [en]"
213.159.213.236 - - [16/Dec/2019:03:07:57 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36"
213.159.213.236 - - [16/Dec/2019:03:08:07 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
213.159.213.236 - - [16/Dec/2019:03:08:22 -0500] "GET / HTTP/1.1" 200 3797 "-" "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.289 Version/12.01"
213.159.213.236 - - [16/Dec/2019:03:08:26 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
213.159.213.236 - - [16/Dec/2019:03:09:13 -0500] "GET / HTTP/1.1" 200 3797 "-" "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.289 Version/12.01"
213.159.213.236 - - [16/Dec/2019:03:09:24 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
213.159.213.236 - - [16/Dec/2019:03:09:35 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FSL 7.0.7.01001)"
这是什么意思?这个攻击者假装运行 2003 年的 Bork 版 Opera,或者在 Ubuntu 10.04 上使用 Firefox 3.6,到底想达到什么目的?难道只是为了毒害我可能拥有的有关访问者的网站统计信息吗?如果是这样,那么欺骗更可能的用户代理(如 IE 8.0)不是很有意义吗?
我希望您能提供一些见解。
答案1
在处理恶意流量源时,系统管理员可以按照两个现成的指标来禁止某人:
- IP地址
- 用户代理字符串
通常,规则为“ if $IP = x.x.x.x AND $USER_AGENT = yyy then return 403 and exit”。因此,恶意扫描程序会尝试确保其 IP 和用户代理在请求之间都不同:
- 他们使用分布式僵尸设备网络通过数千个不同的 IP 代理其流量
- 他们轮换用户代理字符串以确保它们永远不会相同(但仍然合理可信)
答案2
我们不可能解释互联网上某些几乎匿名的用户代理的动机。
可能是恶意行为者在用用户代理生成器自娱自乐。可能是对不同用户代理的服务器行为进行的某种程度上的无害调查。可能是 NAT,其背后是一组最奇怪的旧浏览器。
如果您介意的话,可以屏蔽 IP 或丢弃用户代理异常值。这是噪音。试图从中发现信号可能没有什么用。