DOS attempt? What is this?

Beginning at 13:50 CEST yesterday, hundreds of almost identical
entries started appearing in my apache log: - - [04/Oct/2008:13:50:32
+0200] "GET /stestu.html HTTP/1.1" 200 118012
" ;_ylu=X3oDMTBz
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"

(all on one line). This was repeated approx. every two and a half
minutes, each time with a different value of SIG and EXP. Just
before midnight last night, the remote address changed to (; there was
no interruption in the two-and-a-half minute pattern. When I
discovered what was happening (about 12:00 CEST today) I blocked
the entire range belonging to by
making a shorewall rule.

Strangely, apache served the html page itself successfully (code
200), but the pictures belonging to the page were not requested
(although this normally does happen when a graphical browser like
MSIE 6.0 is used).

Is this some kind of DOS attempt? But why would someone try to
block my totally innocuous web page
I also don't know what this is supposed to do. I
normally don't use yahoo, but just tried to search for my own page
using it, and it didn't produce these log entries with
in them.

Regards, Jan
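
The pattern described in the post above (one client fetching the same page at a near-constant interval without ever requesting the page's images) can be picked out of an access log mechanically. This is an added example, not part of the original thread; the log lines, the addresses (documentation ranges), the image name and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Apache "combined" log line: host ident user [time] "request" status bytes ...
LINE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" \d{3} \S+'
)
ASSET = re.compile(r'\.(?:png|jpe?g|gif|css|js|ico)(?:\?|$)', re.I)

def periodic_clients(lines, min_hits=4, max_jitter=0.2):
    """Return {(host, path): mean_gap_seconds} for clients that fetch the same
    page at a near-constant interval and never request an image/CSS/JS asset."""
    hits = defaultdict(list)
    asset_hosts = set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if ASSET.search(m["path"]):
            asset_hosts.add(m["host"])  # behaves like a rendering browser
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits[(m["host"], m["path"])].append(ts)
    flagged = {}
    for (host, path), times in hits.items():
        if host in asset_hosts or len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Low relative spread of the gaps means a timer, not a person.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[(host, path)] = avg
    return flagged

# Constructed sample: one client on a ~2.5 minute timer, one ordinary visitor.
UA = '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"'
SAMPLE = [
    f'192.0.2.10 - - [04/Oct/2008:{t} +0200] "GET /stestu.html HTTP/1.1" 200 118012 "-" {UA}'
    for t in ("13:50:32", "13:53:02", "13:55:31", "13:58:03", "14:00:32")
] + [
    f'198.51.100.7 - - [04/Oct/2008:13:51:10 +0200] "GET /stestu.html HTTP/1.1" 200 118012 "-" {UA}',
    f'198.51.100.7 - - [04/Oct/2008:13:51:11 +0200] "GET /pic1.jpg HTTP/1.1" 200 20480 "-" {UA}',
]

if __name__ == "__main__":
    for (host, path), gap in periodic_clients(SAMPLE).items():
        print(f"{host} requests {path} every ~{gap:.0f}s and loads no assets")
```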

Re: DOS attempt? What is this?


I really don't think hits at 2.5 minute intervals pose a very high
risk of a DOS attack.

The referer doesn't seem to like being accessed directly - but it
looks more like a software bug on the yahoo site or bad interaction
with a spider.


Re: DOS attempt? What is this?

C. wrote:


That's what I thought too. It seemed so pointless. A bug in
Yahoo's "instant search" is the most likely cause. I unblocked today; the weird http requests did not return.

Thanks, Jan

Re: DOS attempt? What is this?


I forget the exact versions of which browsers do it. I only remember it
because I saw it in my webserver's logs and wondered what it was. When I
asked the guy, he said that's what it was.

Re: DOS attempt? What is this?

jayjwa wrote:

Hmm.. whenever I unblock this range, the guy always comes back. In
the same monotonous 2~2.5 minute rhythm. Always with an IP address
belonging to Strange.
