
Ask HN: Why would a botnet access my server like that? - guillaumec
My website gets a lot of 'traffic' from seemingly random IPs, all requesting the same (broken) URL. It seems I have been targeted by a botnet, but I don't understand the goal of those requests: they are clearly not trying to attack, and not fast enough to be a DDOS.

I get on average one of those requests every couple of seconds. This has been going on for more than a year now. Any idea what those are?

Here is an example from my log (IP and server name redacted):

xxx.xxx.xxx.xxx myserver.com - [13/Sep/2016:06:34:49 +0200] "GET /invalid HTTP/1.1" 403 345 "-" "Mozilla/5.0"
xxx.xxx.xxx.xxx myserver.com - [13/Sep/2016:06:35:10 +0200] "GET /invalid HTTP/1.1" 403 345 "-" "Mozilla/5.0"
======
finnn
Some random requests from random IPs with fake user agents? Sounds more like
running a webserver on the public internet than being targeted...

~~~
guillaumec
That's my point. This is clearly not an attack, so why would a botnet bother
doing this?

~~~
finnn
Why do you think it's a botnet?

~~~
guillaumec
The fact that all the IPs are different.

~~~
finnn
This feels more like some company has some device or program running from all
over the place, and for whatever reason got their DNS pointed at you. A botnet
is generally used in an attack, not just creating random spam. Personally, I
wouldn't worry about it. If you're really curious, I'd do two things:

First look at where the IPs geolocate to. Do most of them come from a
particular country or region? A particular ISP/AS? Maybe a particular type of
ISP (e.g. mobile carrier)? Further, you might look at when these requests are
made, how frequently they recur from the same IP, etc.

Second, do a packet capture and look at the full request. Maybe it'll have a
hostname or telltale header, etc.
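
The first check suggested above (where the requests come from, when they arrive, how often the same IP recurs) can be run offline against the access log. This is an added example, not part of the thread: it assumes the log layout shown in the post, the sample lines are constructed with documentation addresses, and grouping by /24 (or /48 for IPv6) is a stand-in for a real ASN or geolocation lookup, which needs an external database.

```python
import re
from collections import Counter
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Layout from the post: ip vhost user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" \d{3} \S+ "[^"]*" "[^"]*"$')

# Constructed sample lines (documentation address ranges, not real clients).
SAMPLE_LOG = """\
192.0.2.10 myserver.com - [13/Sep/2016:06:34:49 +0200] "GET /invalid HTTP/1.1" 403 345 "-" "Mozilla/5.0"
198.51.100.7 myserver.com - [13/Sep/2016:06:35:10 +0200] "GET /invalid HTTP/1.1" 403 345 "-" "Mozilla/5.0"
192.0.2.44 myserver.com - [13/Sep/2016:06:35:12 +0200] "GET /invalid HTTP/1.1" 403 345 "-" "Mozilla/5.0"
192.0.2.10 myserver.com - [13/Sep/2016:07:34:51 +0200] "GET /invalid HTTP/1.1" 403 345 "-" "Mozilla/5.0"
203.0.113.5 myserver.com - [13/Sep/2016:07:40:00 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
garbage line that does not parse
"""

def summarize(log_text, path="/invalid"):
    per_ip, per_net, per_hour = Counter(), Counter(), Counter()
    last_seen, gaps, skipped = {}, [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        try:
            addr = ip_address(m["ip"])  # TypeError: no match; ValueError: redacted/bad IP
        except (TypeError, ValueError):
            skipped += 1
            continue
        if m["path"] != path:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        # Assumption: /24 (IPv4) or /48 (IPv6) as an offline stand-in for an ASN lookup.
        net = ip_network(f"{addr}/{24 if addr.version == 4 else 48}", strict=False)
        per_ip[addr] += 1
        per_net[str(net)] += 1
        per_hour[ts.hour] += 1
        if addr in last_seen:  # seconds between consecutive hits from the same IP
            gaps.append((ts - last_seen[addr]).total_seconds())
        last_seen[addr] = ts
    return {
        "requests": sum(per_ip.values()),
        "distinct_ips": len(per_ip),
        "one_shot_ips": sum(1 for n in per_ip.values() if n == 1),
        "top_networks": per_net.most_common(5),
        "by_hour_utc": dict(sorted(per_hour.items())),
        "repeat_gaps_s": gaps,
        "skipped": skipped,
    }
```

Many one-shot IPs spread evenly over networks and hours reads differently from a few networks returning at a fixed interval, which is the distinction the geolocation and recurrence questions are after.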

