[thelist] denial of service? or a badly written script?

[David Wagner]

noah wrote:

> In a matter of nineteen minutes tonight I got 1145 requests like this to a
> site I host:
>
> [Fri Apr  5 23:36:41 2002] [error] (63)File name too long: access to
> /tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/tools/main.css
 >
 > [snip]
>
> Anyone seen anything like this before?

I've seen exactly this situation before, on a client's site hosted on
our server. Oddly enough, the IP address turned out to be an Earthlink
dialup account.

Initially, I assumed a DoS, but after three of us squinted at the logs
for awhile, we decided it was a bad spider of some sort -- especially
when it turned up on a deeper page on a second, completely unrelated,
site. We even spent a little while trying to find problems with our code
(we were using Cold Fusion) or with the file architecture, but nothing
turned up.

I'd suggest blocking the IP address, which you've already done, and then
reporting it to the ISP for them to follow up on. It may be
unintentional, but it's certainly not harmless.

--

David Wagner
dave at worlddomination.net