Re: What IP address is this log entry coming from? (Is "::" a valid IP address?)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Jeff Trawick wrote:

On Thu, Sep 2, 2010 at 5:40 PM, J. Greenlees <lists@xxxxxxxxxxxxxxxxxxx>wrote:


Jeff Trawick wrote:
~snip~

 %a is supposed to be an IP address, so what IP address is "::"? I'm only

somewhat familiar with IPv6 but I've never seen "::" before.


http://en.wikipedia.org/wiki/IPv6_address#Notation

One or any number of consecutive groups of zero value may be replaced
with two colons. [ ... ]

The localhost (loopback) address, 0:0:0:0:0:0:0:1, and the IPv6
unspecified address, 0:0:0:0:0:0:0:0, are reduced to ::1 and ::,
respectively.



and it is bogus to have the unspecified address as the client IP address


and if you check MS' RPC mechanism it uses 0.0.0.0 for the ip address to
glom onto ANY available ip address. That suggests that the client giving the
:: address is most likely a bot of some sort.
it could be a legitimate bot for an rpc mechanism, or it could be [ seems
more likely ] to be one meant to find an exploitable weakness.

or, the client could be using an anonymizer  service before getting to the
OPs site.

many reasons that it could be the ip unspecified address, only a few of
which are cause for concern to the server admin.



That is the source IP address, which is required for routing replies
(including those during the "connect" flow) back to the client, so I don't
see how this can be 0 simply because of something the client is doing (other
than triggering some sort of bug on the server side, of course).
scanning for an open proxy, the :: would grab the ip address and the proxy would then be in it's use to route content that may not be legitimately sent to the destination. or content that it is criminal to even possess. [ child porn jumps to mind for an example. ]
I suspect that the client is a bot doing a scan for an open proxy, one handing the :: out for that purpose. or, since it causes the 100% cpu load, it's the beginnings of a new ddos attack mechanism. we all may need to explicitly deny unspecified ip addresses from server access right quick. 

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux