> I tensed up as he began to tell me that the Chinese have been utilizing the Noisebridge TOR exit node
I don't know if there is anything sneaky going on in China to justify FBI interest, but I HAVE seen some pretty weird traffic from China. I wonder if anyone else here has noticed anything similar. Here's what I've been seeing.
The products we sell where I work that are available for download are only sold to US and European markets (we have nothing against the rest of the world--we just don't have the resources to support more regions or to handle payments from other regions). The product is not very useful if you do not have a subscription to the accompanying service.
The product is also not very well known (I doubt we are even in the top 100 in our market), and there aren't many links out there pointing to our download page.
So, when I check the logs of downloads, what I expect to see is mostly US addresses, and a few European addresses (most of our customers are in the US).
For downloads that complete in one HTTP request, what I see is 69% from the US, 12% from China, 14% from the rest of the world, and 5% unknown. So already China is higher than I would expect.
It gets even weirder when I look at partial downloads. First of all, 3 times as many IP addresses hit our site in a given time period and do partial downloads than do complete downloads.
Of the IP addresses doing partial downloads, 85% are from China, 7% from the US, 6% from the rest of the world (and most of those are Asian countries), and 2% unknown. 92% of those Chinese IP addresses doing partial downloads do not download enough total data from all the requests from that IP address to have received the full download.
Overall, if I don't distinguish between partial and full downloads, and count an IP address as having downloaded if it has received a total number of bytes large enough to contain our file, what I have is this: 59% of the IP addresses are Chinese addresses that do not download enough, 20% are US that do download enough, 8% are Chinese that do download enough, 5% are from the rest of the world and download enough.
None of these things identify themselves as bots. They all identify as a normal looking mix of Windows and Mac browsers.
I've looked at a few of the Chinese addresses to see what is nearby, and many seem to be in class C blocks that belong to hosting providers, not end user ISPs, and when I've been able to find some host names mapping to those blocks, they have tended to be things like allshemales.net or dirtyracialporn.com (not sure I remembered the exact names--the general idea is right).
In contrast, when I do the same for a few randomly chosen US downloaders, I get blocks that seem to clearly be consumer ISP ranges they use for their customers.
Some of the access patterns are interesting. I saw one that would come, do two concurrent requests, get 60 KB, and go away for exactly 3600 seconds. It did this until it grabbed the whole download (or at least enough data for it to have the whole download). I might guess some kind of download manager, but I've never seen one that is so slow.
So, what the devil is going on? I can't even come up with a plausible sounding theory that would explain this much Chinese activity on our site, let alone explain why so much of it is just partial downloads, and why it seems to be coming from sites at data centers (which I assume indicates some kind of commercial source). Anyone else seeing this kind of thing?
I have no reason to suspect anything sinister is going on. I just can't figure out any reason at ALL for this to be going on.
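One way to do the per-IP bookkeeping the post describes (total bytes per address measured against the file size, single-request completes versus range-request partials, and the fixed 3600-second revisit pattern), as an added Python example that is not code from the original post. The log lines, the 8,000,000-byte file size and the addresses are constructed for the example; the "one 200 response of full size" rule for a complete download and the one-second tolerance on the interval check are assumptions.

```python
"""Classify download-log entries per client IP.

A single 200 response of at least the file size counts as 'complete';
range (206) responses whose bytes total at least the file size count as
'enough'; anything less is 'partial'. IPs whose requests recur at a fixed
interval are flagged as well. All sample data below is constructed."""
import re
from collections import defaultdict
from datetime import datetime

FILE_SIZE = 8_000_000  # assumed size of the installer, in bytes

# Apache combined log format; only the fields up to the byte count matter.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)')

# Constructed sample lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2010:13:55:36 -0700] "GET /dl/setup.exe HTTP/1.1" 200 8000000 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.7 - - [10/Oct/2010:14:00:00 -0700] "GET /dl/setup.exe HTTP/1.1" 206 30000 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.7 - - [10/Oct/2010:14:00:00 -0700] "GET /dl/setup.exe HTTP/1.1" 206 30000 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.7 - - [10/Oct/2010:15:00:00 -0700] "GET /dl/setup.exe HTTP/1.1" 206 30000 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.7 - - [10/Oct/2010:15:00:00 -0700] "GET /dl/setup.exe HTTP/1.1" 206 30000 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.7 - - [10/Oct/2010:16:00:00 -0700] "GET /dl/setup.exe HTTP/1.1" 206 30000 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.7 - - [10/Oct/2010:16:00:00 -0700] "GET /dl/setup.exe HTTP/1.1" 206 30000 "-" "Mozilla/5.0 (Windows NT 6.1)"
192.0.2.44 - - [10/Oct/2010:14:10:12 -0700] "GET /dl/setup.exe HTTP/1.1" 206 4000000 "-" "Mozilla/5.0 (Macintosh)"
192.0.2.44 - - [10/Oct/2010:14:10:13 -0700] "GET /dl/setup.exe HTTP/1.1" 206 4000000 "-" "Mozilla/5.0 (Macintosh)"
"""


def parse_log(text):
    """Yield (ip, timestamp, status, bytes) for every parsable line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        nbytes = 0 if m['bytes'] == '-' else int(m['bytes'])
        yield m['ip'], ts, int(m['status']), nbytes


def summarize(text, file_size=FILE_SIZE):
    """Per IP: request count, bytes served, whether one response carried
    the whole file, and the request timestamps."""
    per_ip = defaultdict(lambda: {'requests': 0, 'bytes': 0,
                                  'single_full': False, 'times': []})
    for ip, ts, status, nbytes in parse_log(text):
        rec = per_ip[ip]
        rec['requests'] += 1
        rec['bytes'] += nbytes
        rec['times'].append(ts)
        if status == 200 and nbytes >= file_size:
            rec['single_full'] = True
    return per_ip


def classify(rec, file_size=FILE_SIZE):
    """'complete' (one full response), 'enough' (ranges add up), or 'partial'."""
    if rec['single_full']:
        return 'complete'
    if rec['bytes'] >= file_size:
        return 'enough'
    return 'partial'


def fixed_interval(times, tolerance=1):
    """Return the recurring gap in seconds when every gap between distinct
    request times is the same within `tolerance`, else None. Concurrent
    requests share a timestamp, so they collapse to one visit."""
    distinct = sorted(set(times))
    if len(distinct) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(distinct, distinct[1:])]
    if max(gaps) - min(gaps) <= tolerance:
        return round(sum(gaps) / len(gaps))
    return None


def report(text, file_size=FILE_SIZE):
    """Map each IP to its class, byte total, request count and interval."""
    return {ip: {'class': classify(rec, file_size),
                 'bytes': rec['bytes'],
                 'requests': rec['requests'],
                 'interval': fixed_interval(rec['times'])}
            for ip, rec in summarize(text, file_size).items()}


def breakdown(results):
    """Count IPs per class, the view the post's percentages come from."""
    counts = defaultdict(int)
    for rec in results.values():
        counts[rec['class']] += 1
    return dict(counts)


if __name__ == '__main__':
    r = report(SAMPLE_LOG)
    for ip, rec in r.items():
        print(ip, rec)
    print(breakdown(r))
```

Run against a real log, the `breakdown` counts give the partial/enough/complete split the post computes, and any IP with a non-None `interval` is a candidate for the hourly 60 KB pattern; geolocation of the addresses is a separate lookup and is not done here.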
I hope I am wrong, but could it be that one of your download hosts has been compromised and is being used for some sort of command-and-control server of a small botnet?