Autarchy of the Private Cave

Tiny bits of bioinformatics, [web-]programming etc

    • Archives

    • Recent comments

    Archive for November 6th, 2010

    Blatant dewlance.com SEO, thrustvps, and HEAD attacks

    6th November 2010

    Update 4: there are claims that these HEAD-attacks were coming from a malicious dewlance.com customer, and have nothing to do with dewlance itself.

    Noticing weird narrow spikes in server load graph, I decided to investigate the most recent one – at 03:50 GMT+2 on Nov. 6, 2010.

    The reason was simple: someone issued a few hundred HEAD-requests over a 30 second period to a PHP-based web-application.

    All the requests were coming from IP 109.169.59.139, which belongs to the IP range of thrustvps.com:

    inetnum: 109.169.58.0 – 109.169.59.255
    netname: ThrustVPS_1
    descr: Thrust::VPS
    country: US
    admin-c: RF5058-RIPE
    tech-c: RF5058-RIPE
    status: ASSIGNED PA
    mnt-by: RAPIDSWITCH-MNT

    However, it is the referrer string which is more interesting: in all those requests, decorated with varying UserAgents and even operating systems, there was only one referrer – www.dewlance.com.

    Initially I thought that was a test of a new DoS attack – really, who would issue dozens of HEAD requests to the same page over a few seconds? However, after seeing that “referrer” string, I now think this is a cheap, blatant, poor and ugly SEO performed by dewlance. It relies on some sites displaying a box of ‘recent visitors’, sometimes including their referrer URL as a “page where this visitor came from” – this would give dewlance.com some free link-love. Or maybe dewlance.com expects administrators to investigate log files, notice that referrer string, and happily order some services from dewlance? No way :)

    I’ll file a complaint with thrustvps if I see that kind of misbehaviour again. All that started on Nov. 4, so there’s still hope people behind this dumb SEO implementation will get fired.

    Update 1: they do this every 4 hours since November 4, 2010 (Thursday). This results in loads up to 22, with ~50 apache processes struggling for a few CPU cores:
    Read the rest of this entry »

    Share

    Posted in Misc, Web | 8 Comments »