host ip addr missing from access log

"Canonical Forms" <canonical.forms@xxxxxxxxx> · Fri, 2 Nov 2007 13:27:57 -0700

I am searching for an explanation as to how the access log could have
not recorded the host ip address if it is configured to record it. I
don't think that escape character sequences are playing a part here,
since viewing the log with the vi editor displays what is shown below.

Please see log snippet below. Notice that the ip address of the
previous host is recorded (as usual), but beginning with the 4th
record there is only :: where the ip should be. These log entries
recorded the beginning of a DOS attack on the server.

192.168.20.33 - - [04/Oct/2007:11:09:41 -0700] "GET / HTTP/1.1" 200
9066 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; InfoPath.2)"
192.168.20.33 - - [04/Oct/2007:11:09:41 -0700] "GET / HTTP/1.1" 200
9071 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; InfoPath.2)"
192.168.20.33 - - [04/Oct/2007:11:09:41 -0700] "GET / HTTP/1.1" 200
9070 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; InfoPath.2)"
:: - - [04/Oct/2007:11:09:42 -0700] "GET / HTTP/1.1" 200 9077 "-"
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322;
.NET CLR 2.0.50727; .NET CLR 3.0.04506.30; InfoPath.2)"
:: - - [04/Oct/2007:11:09:42 -0700] "GET / HTTP/1.1" 200 9065 "-"
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322;
.NET CLR 2.0.50727; .NET CLR 3.0.04506.30; InfoPath.2)"
:: - - [04/Oct/2007:11:09:43 -0700] "GET / HTTP/1.1" 200 9070 "-"
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322;
.NET CLR 2.0.50727; .NET CLR 3.0.04506.30; InfoPath.2)"
:: - - [04/Oct/2007:11:09:43 -0700] "GET / HTTP/1.1" 200 9107 "-"
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322;
.NET CLR 2.0.50727; .NET CLR 3.0.04506.30; InfoPath.2)"
:: - - [04/Oct/2007:11:09:43 -0700] "GET / HTTP/1.1" 200 9108 "-"
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322;
.NET CLR 2.0.50727; .NET CLR 3.0.04506.30; InfoPath.2)"
:: - - [04/Oct/2007:11:09:43 -0700] "GET / HTTP/1.1" 200 9108 "-"
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322;
.NET CLR 2.0.50727; .NET CLR 3.0.04506.30; InfoPath.2)"
:: - - [04/Oct/2007:11:09:44 -0700] "GET / HTTP/1.1" 200 9064 "-"
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322;
.NET CLR 2.0.50727; .NET CLR 3.0.04506.30; InfoPath.2)"
:: - - [04/Oct/2007:11:09:44 -0700] "GET / HTTP/1.1" 200 9064 "-"
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322;
.NET CLR 2.0.50727; .NET CLR 3.0.04506.30; InfoPath.2)"
:: - - [04/Oct/2007:11:09:44 -0700] "GET / HTTP/1.1" 200 9081 "-"
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322;
.NET CLR 2.0.50727; .NET CLR 3.0.04506.30; InfoPath.2)"
:: - - [04/Oct/2007:11:09:44 -0700] "GET / HTTP/1.1" 200 9068 "-"
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322;
.NET CLR 2.0.50727; .NET CLR 3.0.04506.30; InfoPath.2)"

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx