Welcome to Geeklog, Anonymous Monday, December 23 2024 @ 06:35 am EST
Geeklog Forums
Possible Bad_Behavior problem
Status: offline
scarecrow
Forum User
Junior
Registered: 10/24/07
Posts: 33
I don't know if this is a plugin problem, a BB issue, or a common problem out in the wild. While playing with the BB plugin I see that there are quite a few legit users turned away, and as near as I can tell it's due to the "Connection" header line. The users that are being flagged have "Connection:keep-alive,close".Comparing this to the server logs, it would appear that "Connection:close" or "Connection:keep-alive" is acceptable, but not both values together. In one of the cases the remote computer is behind a Squid proxy, the others I don't know. Browser doesn't seem to play into it, MS I-Exploder, Firefox, Konqueror, Opera, and Galeon are all in the list with the same issue. The error the plugin displays is proxy related, so this may be proxy/firewall related, or at least something playing with the HTTP headers.
BB Log:
Header 'Connection' contains invalid values
GET /blog/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en,en-us;q=0.8,en-ie;q=0.5,en-ca;q=0.3
Cache-Control: no-cache, max-age=259200
Connection: keep-alive, close
BB Log:
Header 'Connection' contains invalid values
GET /blog/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en,en-us;q=0.8,en-ie;q=0.5,en-ca;q=0.3
Cache-Control: no-cache, max-age=259200
Connection: keep-alive, close
8
6
Quote
Status: offline
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
What makes you think those are legit users? The user agent (browser) name doesn't mean a thing, it's easy to fake.
Check the IP addresses of those requests. I would almost bet you'd see a lot of them coming from China, Russia and other areas well-known to host a lot of spammers ...
bye, Dirk
Check the IP addresses of those requests. I would almost bet you'd see a lot of them coming from China, Russia and other areas well-known to host a lot of spammers ...
bye, Dirk
5
7
Quote
Status: offline
scarecrow
Forum User
Junior
Registered: 10/24/07
Posts: 33
Quote by: Dirk
What makes you think those are legit users? The user agent (browser) name doesn't mean a thing, it's easy to fake.
Check the IP addresses of those requests. I would almost bet you'd see a lot of them coming from China, Russia and other areas well-known to host a lot of spammers ...
bye, Dirk
I don't think, I know. The site hasn't gone 'public', just a test bed for a client. The site gets it share of the script kiddies with their RFI's, but they are not amongst the users in question. There are just shy of 60 users that are associated with the client around the country that peruse the site regularly. All but a couple of the hits referenced are verifiably from these remote locations. It does appear that some Squid versions as well as some versions of Norton do send both 'keep-alive' and 'close' in the HTTP header. BB says that's a no-no, and quite possibly correctly... 'close and keep-alive are mutually exclusive'. However that may not be the opinion of the proxy and firewall folks. I worked with the admin at one of the sites today to modify Squid's behavior so it's no longer considered 'bad'. All this may be an isolated thing that just happened to appear chronic to us, but with all the Notons and Squids out there, I wouldn't be surprised if it's somewhat common.
Thanks for the reply, Dirk, and happy holidays!
6
5
Quote
All times are EST. The time is now 06:35 am.
- Normal Topic
- Sticky Topic
- Locked Topic
- New Post
- Sticky Topic W/ New Post
- Locked Topic W/ New Post
- View Anonymous Posts
- Able to post
- Filtered HTML Allowed
- Censored Content