Security

What is the point of a bot spoofing assorted ancient user agents on "GET / HTTP/1.1"?

  • December 26, 2019

I found the following interesting traffic in my apache logs:

213.159.213.236 - - [16/Dec/2019:03:02:03 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FSL 7.0.7.01001)"
213.159.213.236 - - [16/Dec/2019:03:02:19 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FSL 7.0.7.01001)"
213.159.213.236 - - [16/Dec/2019:03:02:25 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36"
213.159.213.236 - - [16/Dec/2019:03:02:40 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
213.159.213.236 - - [16/Dec/2019:03:02:48 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.02 Bork-edition [en]"
213.159.213.236 - - [16/Dec/2019:03:03:06 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8"
213.159.213.236 - - [16/Dec/2019:03:04:22 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FSL 7.0.7.01001)"
213.159.213.236 - - [16/Dec/2019:03:04:36 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
213.159.213.236 - - [16/Dec/2019:03:04:51 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9"
213.159.213.236 - - [16/Dec/2019:03:05:06 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0"
213.159.213.236 - - [16/Dec/2019:03:05:26 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246"
213.159.213.236 - - [16/Dec/2019:03:05:37 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36"
213.159.213.236 - - [16/Dec/2019:03:07:23 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.02 Bork-edition [en]"
213.159.213.236 - - [16/Dec/2019:03:07:37 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.02 Bork-edition [en]"
213.159.213.236 - - [16/Dec/2019:03:07:57 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36"
213.159.213.236 - - [16/Dec/2019:03:08:07 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
213.159.213.236 - - [16/Dec/2019:03:08:22 -0500] "GET / HTTP/1.1" 200 3797 "-" "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.289 Version/12.01"
213.159.213.236 - - [16/Dec/2019:03:08:26 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
213.159.213.236 - - [16/Dec/2019:03:09:13 -0500] "GET / HTTP/1.1" 200 3797 "-" "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.289 Version/12.01"
213.159.213.236 - - [16/Dec/2019:03:09:24 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
213.159.213.236 - - [16/Dec/2019:03:09:35 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FSL 7.0.7.01001)"

What is the point of this? What is this attacker trying to achieve by pretending to run the Bork edition of Opera from 2003, or to still be using Firefox 3.6 on Ubuntu 10.04? Is it just poisoning whatever site statistics I might keep about visitors? If so, wouldn't it make more sense to spoof more plausible user agents (e.g. IE 8.0…)?

I'd appreciate any insights you have.

When dealing with a source of malicious traffic, a sysadmin has two readily available metrics with which to ban someone:

  • IP address
  • User-agent string

Usually the rule is "if $IP = x.x.x.x AND $USER_AGENT = yyy then return 403 and exit". So malicious scanners try to make sure that both their IP and their user agent differ between requests:

  • They proxy their traffic through a distributed network of zombie devices, across thousands of different IPs
  • They rotate user-agent strings so that they are never the same (but still reasonably plausible)

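The answer above describes a brittle "exact IP plus exact User-Agent" block rule and why rotating User-Agent strings defeats it. The following is an added example, not code from the question or the answer: it parses Apache combined-format lines, shows how few requests such an exact-match rule would stop against the rotating source, and then flags source IPs by the property the rotation cannot hide, namely many distinct User-Agent strings from one address within a short window. Six of the sample lines are copied from the question's log excerpt; the two lines from 198.51.100.7 are constructed (a documentation address). The function names, thresholds and window size are this example's own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format:
#   host ident authuser [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Six lines taken from the log excerpt in the question, plus two constructed
# benign lines from 198.51.100.7 (a documentation address, not a real visitor).
SAMPLE_LOG = [
    '213.159.213.236 - - [16/Dec/2019:03:02:03 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FSL 7.0.7.01001)"',
    '213.159.213.236 - - [16/Dec/2019:03:02:25 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36"',
    '213.159.213.236 - - [16/Dec/2019:03:02:40 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"',
    '213.159.213.236 - - [16/Dec/2019:03:02:48 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.02 Bork-edition [en]"',
    '213.159.213.236 - - [16/Dec/2019:03:03:06 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8"',
    '213.159.213.236 - - [16/Dec/2019:03:04:22 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FSL 7.0.7.01001)"',
    # constructed benign visitor: two requests, one consistent User-Agent
    '198.51.100.7 - - [16/Dec/2019:03:03:10 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0"',
    '198.51.100.7 - - [16/Dec/2019:03:03:12 -0500] "GET /style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def count_blocked_by_exact_rule(lines, blocklist):
    """The brittle rule from the answer: block only when (IP, User-Agent) matches exactly.
    Returns how many of the given requests such a rule would have stopped."""
    blocked = 0
    for line in lines:
        rec = parse_line(line)
        if rec and (rec["ip"], rec["ua"]) in blocklist:
            blocked += 1
    return blocked


def find_ua_rotators(lines, window_seconds=600, min_requests=5, min_distinct_ua=3):
    """Flag source IPs that present many distinct User-Agent strings within a short window.
    Returns {ip: {"requests": n, "distinct_user_agents": k, "user_agents": [...]}} for the
    busiest window seen per IP. Thresholds are assumptions for this example; tune per site."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        best = None  # (distinct_ua_count, request_count, ua_set) of the busiest window
        start = 0
        for end in range(len(recs)):
            # slide the window start forward until the window fits in window_seconds
            while (recs[end]["time"] - recs[start]["time"]).total_seconds() > window_seconds:
                start += 1
            window = recs[start:end + 1]
            uas = {r["ua"] for r in window}
            cand = (len(uas), len(window), uas)
            if best is None or cand[:2] > best[:2]:
                best = cand
        if best and best[1] >= min_requests and best[0] >= min_distinct_ua:
            flagged[ip] = {
                "requests": best[1],
                "distinct_user_agents": best[0],
                "user_agents": sorted(best[2]),
            }
    return flagged


if __name__ == "__main__":
    fsl_ua = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FSL 7.0.7.01001)"
    stopped = count_blocked_by_exact_rule(SAMPLE_LOG, {("213.159.213.236", fsl_ua)})
    print(f"exact (IP, UA) rule stops {stopped} of 6 requests from the rotating source")
    for ip, info in find_ua_rotators(SAMPLE_LOG).items():
        print(f"{ip}: {info['requests']} requests, {info['distinct_user_agents']} distinct User-Agents")
```

Keying the block on the source IP alone is enough here because all the rotation happens from one address; against the distributed proxying the answer also describes, the same per-address count becomes weak, and a better signal is the request shape shared across addresses (the identical "GET /" with an empty referer and a User-Agent that is years out of date for the claimed platform).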
Source: https://serverfault.com/questions/995741