Author: Victor Churchill Date: To: Hampshire LUG Discussion List Subject: [Hampshire] Strangeness in apache logs: many HEAD requests
I am seeing lots of occurences of the following kind of thing:
1. POST request running a script on the server
2. GET request for an image generated in response to (1)
3. many HEAD requests for other images generated in the past but
unrelated to this invocation of (1).
The HEADs come from different IP addresses all in the same /24 block
as the originating request; lots of them in the space of a few
seconds.
The original request comes from someone who looks like they are using
an AOL-provided browser.
There may be as many as 60+ of the HEAD requests for each GET.
I assume that :
1.this user has AOL as their ISP and their requests come through AOL
proxy servers (nslookup aaa.bbb.ccc.ddd confirm this)
2. AOL is kindly doing a load of HEAD reuests just in case the user
might be about to ask it to fetch some image that it has cached from a
previous query in the past.
Questions:
1. How much impact does this quantity of HEAD requests have on my
server? (Is there a way I can find out?)
2. Should I be concerned, and is there anything I can/could/should do
about it anyway? (possibly even just screening them out of my logs..)
%0A>%203.%20many%20HEAD%20requests%20for%20other%20images%20generated%20in%20the%20past%20but%0A>%20unrelated%20to%20this%20invocation%20of%20(1).%0A>%20%0A>%20The%20HEADs%20come%20from%20different%20IP%20addresses%20all%20in%20the%20same%20/24%20block%0A>%20as%20the%20originating%20request;%20lots%20of%20them%20in%20the%20space%20of%20a%20few%0A>%20seconds.%0A>%20%0A>%20The%20original%20request%20comes%20from%20someone%20who%20looks%20like%20they%20are%20using%0A>%20an%20AOL-provided%20browser.%0A>%20%0A>%20There%20may%20be%20as%20many%20as%2060+%20of%20the%20HEAD%20requests%20for%20each%20GET.%0A>%20%0A>%20Example%20(sanitized):%0A>%20%0A>%20aaa.bbb.ccc.67%20200%201235535%20%5B03/May/2007:18:40:47%20+0100%5D%20%22POST%0A>%20/script?CGISESSID=407558d0647970ef18b970d9f86e2332%20HTTP/1.1%22%0A>%20%22Mozilla/4.0%20(compatible;%20MSIE%206.0;%20AOL%209.0;%20Windows%20NT%205.1;%20SV1;%20.NET%0A>%20CLR%201.1.4322)%22%0A>%20aaa.bbb.ccc.70%20200%204306%20%5B03/May/2007:18:41:01%20+0100%5D%20%22GET%20img1.png%0A>%20HTTP/1.1%22%20%20%22Mozilla/4.0%20(compatible;%20MSIE%206.0;%20AOL%209.0;%20Windows%20NT%0A>%205.1;%20SV1;%20.NET%20CLR%201.1.4322)%22%0A>%20aaa.bbb.ccc.37%20200%20-%20%5B03/May/2007:18:41:36%20+0100%5D%20%22HEAD%20/img2.png%20HTTP/1.1%22%20%20%22-%22%0A>%20aaa.bbb.ccc.38%20200%20-%20%5B03/May/2007:18:41:36%20+0100%5D%20%22HEAD%20/img3.png%20HTTP/1.1%22%20%20%22-%22%0A>%20aaa.bbb.ccc.101%20200%20-%20%5B03/May/2007:18:41:36%20+0100%5D%20%22HEAD%20/img4.png%0A>%20HTTP/1.1%22%20%20%22-%22%0A>%20aaa.bbb.ccc.132%20200%20-%20%5B03/May/2007:18:41:36%20+0100%5D%20%22HEAD%20/img5.png%0A>%20HTTP/1.1%22%20%20%22-%22%0A>%20aaa.bbb.ccc.129%20200%20-%20%5B03/May/2007:18:41:36%20+0100%5D%20%22HEAD%20/img6.png%0A>%20HTTP/1.1%22%20%20%22-%22%0A>%20aaa.bbb.ccc.3%20200%20-%20%5B03/May/2007:18:41:36%20+0100%5D%20%22HEAD%20/img7.png%20HTTP/1.1%22%20%20%22-%22%0A>%20aaa.bbb.ccc.70%20200%20-%20%5B03/May/2007:18:41:36%20+0100%5D%20%22HEAD%20/img8.png%20HTTP/1.1%22%20%20%22-%22%0A>%20aaa.bbb.ccc.67%20200%201228026%20%5B03/May/2007:18:41:36%20+0100%5D%20%22POST%0A>%20/script?CGISESSID=407558d0647970ef18b970d9f86e2332%20HTTP/1.1%22%0A>%20%22Mozilla/4.0%20(compatible;%20MSIE%206.0;%20AOL%209.0;%20Windows%20NT%205.1;%20SV1;%20.NET%0A>%20CLR%201.1.4322)%22%0A>%20aaa.bbb.ccc.71%20200%204054%20%5B03/May/2007:18:41:49%20+0100%5D%20%22GET%20/img9.png%0A>%20HTTP/1.1%22%20%20%22Mozilla/4.0%20(compatible;%20MSIE%206.0;%20AOL%209.0;%20Windows%20NT%0A>%205.1;%20SV1;%20.NET%20CLR%201.1.4322)%22%0A>%20aaa.bbb.ccc.129%20200%20-%20%5B03/May/2007:18:42:54%20+0100%5D%20%22HEAD%20/img6.png%0A>%20HTTP/1.1%22%20%20%22-%22%0A>%20aaa.bbb.ccc.3%20200%20-%20%5B03/May/2007:18:42:54%20+0100%5D%20%22HEAD%20/img7.png%20HTTP/1.1%22%20%20%22-%22%0A>%20aaa.bbb.ccc.132%20200%20-%20%5B03/May/2007:18:42:54%20+0100%5D%20%22HEAD%20/img5.png%0A>%20HTTP/1.1%22%20%20%22-%22%0A>%20aaa.bbb.ccc.38%20200%20-%20%5B03/May/2007:18:42:54%20+0100%5D%20%22HEAD%20/img3.png%20HTTP/1.1%22%20%20%22-%22%0A>%20aaa.bbb.ccc.3%20200%20-%20%5B03/May/2007:18:42:54%20+0100%5D%20%22HEAD%20/img10.png%20HTTP/1.1%22%20%20%22-%22%0A>%20aaa.bbb.ccc.7%20200%20-%20%5B03/May/2007:18:42:54%20+0100%5D%20%22HEAD%20/img11.png%20HTTP/1.1%22%20%20%22-%22%0A>%20aaa.bbb.ccc.101%20200%20-%20%5B03/May/2007:18:42:54%20+0100%5D%20%22HEAD%20/img4.png%0A>%20HTTP/1.1%22%20%20%22-%22%0A>%20aaa.bbb.ccc.37%20200%20-%20%5B03/May/2007:18:42:54%20+0100%5D%20%22HEAD%20/img12.png%0A>%20HTTP/1.1%22%20%20%22-%22%0A>%20aaa.bbb.ccc.70%20200%20-%20%5B03/May/2007:18:42:54%20+0100%5D%20%22HEAD%20/img8.png%20HTTP/1.1%22%20%20%22-%22%0A>%20aaa.bbb.ccc.67%20200%201234508%20%5B03/May/2007:18:42:54%20+0100%5D%20%22POST%0A>%20/script?CGISESSID=407558d0647970ef18b970d9f86e2332%20HTTP/1.1%22%0A>%20%22Mozilla/4.0%20(compatible;%20MSIE%206.0;%20AOL%209.0;%20Windows%20NT%205.1;%20SV1;%20.NET%0A>%20CLR%201.1.4322)%22%0A>%20aaa.bbb.ccc.9%20200%205232%20%5B03/May/2007:18:43:09%20+0100%5D%20%22GET%20/img13.png%0A>%20HTTP/1.1%22%20%20%22Mozilla/4.0%20(compatible;%20MSIE%206.0;%20AOL%209.0;%20Windows%20NT%0A>%205.1;%20SV1;%20.NET%20CLR%201.1.4322)%22%0A>%20aaa.bbb.ccc.129%20200%20-%20%5B03/May/2007:18:43:44%20+0100%5D%20%22HEAD%20/img6.png%0A>%20HTTP/1.1%22%20%20%22-%22%0A>%20aaa.bbb.ccc.132%20200%20-%20%5B03/May/2007:18:43:44%20+0100%5D%20%22HEAD%20/img5.png%0A>%20HTTP/1.1%22%20%20%22-%22%0A>%20aaa.bbb.ccc.37%20200%20-%20%5B03/May/2007:18:43:44%20+0100%5D%20%22HEAD%20/img12.png%0A>%20HTTP/1.1%22%20%20%22-%22%0A>%20aaa.bbb.ccc.3%20200%20-%20%5B03/May/2007:18:43:44%20+0100%5D%20%22HEAD%20/img7.png%20HTTP/1.1%22%20%20%22-%22%0A>%20aaa.bbb.ccc.38%20200%20-%20%5B03/May/2007:18:43:44%20+0100%5D%20%22HEAD%20/img3.png%20HTTP/1.1%22%20%20%22-%22%0A>%20aaa.bbb.ccc.7%20200%20-%20%5B03/May/2007:18:43:44%20+0100%5D%20%22HEAD%20/img11.png%20HTTP/1.1%22%20%20%22-%22%0A>%20aaa.bbb.ccc.101%20200%20-%20%5B03/May/2007:18:43:44%20+0100%5D%20%22HEAD%20/img4.png%0A>%20HTTP/1.1%22%20%20%22-%22%0A>%20aaa.bbb.ccc.98%20200%20-%20%5B03/May/2007:18:43:44%20+0100%5D%20%22HEAD%20/img14.png%0A>%20HTTP/1.1%22%20%20%22-%22%0A>%20aaa.bbb.ccc.3%20200%20-%20%5B03/May/2007:18:43:44%20+0100%5D%20%22HEAD%20/img10.png%20HTTP/1.1%22%20%20%22-%22%0A>%20aaa.bbb.ccc.70%20200%20-%20%5B03/May/2007:18:43:44%20+0100%5D%20%22HEAD%20/img8.png%20HTTP/1.1%22%20%20%22-%22%0A>%20%0A>%20I%20assume%20that%20:%0A>%201.this%20user%20has%20AOL%20as%20their%20ISP%20and%20their%20requests%20come%20through%20AOL%0A>%20proxy%20servers%20(nslookup%20aaa.bbb.ccc.ddd%20confirm%20this)%0A>%202.%20AOL%20is%20kindly%20doing%20a%20load%20of%20HEAD%20reuests%20just%20in%20case%20the%20user%0A>%20might%20be%20about%20to%20ask%20it%20to%20fetch%20some%20image%20that%20it%20has%20cached%20from%20a%0A>%20previous%20query%20in%20the%20past.%0A>%20%0A>%20Questions:%0A>%201.%20How%20much%20impact%20does%20this%20quantity%20of%20HEAD%20requests%20have%20on%20my%0A>%20server?%20(Is%20there%20a%20way%20I%20can%20find%20out?)%0A>%202.%20Should%20I%20be%20concerned,%20and%20is%20there%20anything%20I%20can/could/should%20do%0A>%20about%20it%20anyway?%20(possibly%20even%20just%20screening%20them%20out%20of%20my%20logs..)%0A>%20%0A>%20cheers%0A>%20victor%0A>%20%0A>%20%0A>%20 "Reply to this message")
