
Re: Go-http-client

From Martin <News03@avisoft.f9.co.uk>
Subject Re: Go-http-client
Newsgroups comp.sys.acorn.networking
Date 2024-01-31 16:56 +0000
Message-ID <5b2b71bd0dNews03@avisoft.f9.co.uk> (permalink)
References <5b2b4df63fNews03@avisoft.f9.co.uk> <kGr*WKPBz@news.chiark.greenend.org.uk>
Organization None


In article <kGr*WKPBz@news.chiark.greenend.org.uk>,
   Theo <theom+news@chiark.greenend.org.uk> wrote:
> Martin <News03@avisoft.f9.co.uk> wrote:
> > In the last couple of days my website has had an increase in
> > traffic, from about 30 different IP addresses, all with a
> > User-Agent of "Go-http-client/1.1".
> > 
> > Each starts with a "GET / HTTP/1.1" request, with various
> > User-Agents, including Windows, Linux & MacOS. If that works (as
> > it will) it then issues GETs for about 30 varied files, then
> > stops. 
> > 
> > It seems that Go-http-client is a package which "provides HTTP
> > client and server implementations" but it is suddenly being used
> > by lots of IPs in a suspicious way.
> > 
> > Anyone else seen this?

> Looking at the riscos.info logs, there's a variety of entries
> matching that. Since the start of December there have been 1632
> requests. 

I have had over 800 in the previous 2 days.

> Some examples (I have redacted part of the IPs, but
> they're all with completely different prefixes):

> Testing if the site will proxy for another:

Not seen any like that.

> Testing for vulnerable pages:

Or that!

> A legit access followed by some probing:

All mine have been to existing pages or files - all returned with
status 200.

> The ownership of some of those prefixes is:

Mine seemed to be allocated to Asia Pacific (APNIC). 
Difficult these days to get more precise information. 

> They appear to just be probing for vulnerable sites.  I don't think
> anything you do will affect the rate, they are just picking targets
> at random.  I'd guess it's just coming from a malware toolkit of
> some kind that happens to be programmed in Go, possibly running
> through a botnet.

Probably - Googling 'botnet using go-http-client' gives lots of hits!

> I doubt any kind of IP filtering is going to work.  So it boils
> down to how they're bothering you - filling up the log (something
> that's been happening to riscos.info a few times of late), eating
> your bandwidth or CPU. 

They are certainly vastly increasing my bandwidth usage, though I have
not quantified it.

> There are too many IPs to block in firewall rules.  You could block
> accesses from Go-http-client, but I think it would still log as
> blocked.  Mostly from the above they aren't actually interacting
> with real content on the site so the CPU is not doing much serving
> real pages, and the 302/404 traffic is minimal (~300 bytes per
> request).  Maybe some kind of adaptive firewalling/rate limiting,
> but that would probably block genuine traffic.

Mine are downloading real files (including zips) with status 200.

> Unless you have scripts on your site that are actually vulnerable
> (in which case you should fix them) I'm not sure there's much to be
> done.  

No scripts here. Just plain HTML. 

> If you provide a site on the internet, people (or bots) on
> the internet connect to it.  That's the deal.

Yes, indeed. I will just keep an eye open for the moment.

Thanks
Martin

-- 
Martin Avison 
Note that unfortunately this email address will become invalid
without notice if (when) any spam is received. 
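
Added example, not part of the original post or of either poster's setup: one way to quantify the bandwidth and per-IP request counts discussed above for requests that carry the "Go-http-client" User-Agent. It assumes the server writes the Apache/nginx "combined" log format; the log lines, IP addresses and the `summarise` function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: the server writes the Apache/nginx "combined" log format.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (documentation IP ranges), not taken from the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [30/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Go-http-client/1.1"
192.0.2.10 - - [30/Jan/2024:10:00:02 +0000] "GET /files/app.zip HTTP/1.1" 200 204800 "-" "Go-http-client/1.1"
198.51.100.7 - - [30/Jan/2024:10:05:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Go-http-client/1.1"
198.51.100.7 - - [30/Jan/2024:10:05:01 +0000] "GET /wp-login.php HTTP/1.1" 404 300 "-" "Go-http-client/1.1"
203.0.113.5 - - [30/Jan/2024:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
malformed line that the parser must skip
"""

def summarise(log_text, ua_prefix="Go-http-client"):
    """Return totals and per-IP stats for requests whose User-Agent starts with ua_prefix."""
    per_ip = defaultdict(lambda: {"requests": 0, "bytes": 0, "statuses": defaultdict(int)})
    total_bytes = matched_bytes = skipped = 0
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            skipped += 1          # count unparsable lines instead of failing on them
            continue
        size = 0 if m["size"] == "-" else int(m["size"])   # "-" means no body was sent
        total_bytes += size
        if m["ua"].startswith(ua_prefix):
            s = per_ip[m["ip"]]
            s["requests"] += 1
            s["bytes"] += size
            s["statuses"][m["status"]] += 1
            matched_bytes += size
    return {"per_ip": per_ip, "matched_bytes": matched_bytes,
            "total_bytes": total_bytes, "skipped": skipped}

if __name__ == "__main__":
    r = summarise(SAMPLE_LOG)
    print(f"{r['matched_bytes']} of {r['total_bytes']} bytes; {r['skipped']} unparsed lines")
    # Heaviest sources first: shows whether the traffic is 200s on real files or 404 probing.
    for ip, s in sorted(r["per_ip"].items(), key=lambda kv: -kv[1]["bytes"]):
        print(ip, s["requests"], s["bytes"], dict(s["statuses"]))
```

The filter matches on the User-Agent string only, so requests from the same source that present a different User-Agent are counted in the total but not in the matched figures.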
