Anatomy of a bad RSS reader
by Volker Weber
User enters his office at the University of Paderborn and switches on his computer at 9am. Fetches the RSS feed at 09:05:37 and reads two pages seven seconds later with his Firefox 1.5.0.1 browser. Twenty seconds later he reads another page. Less than two hours later he loads his robot and all hell breaks loose. He fetches the RSS feed 11,861 times in the next 42 minutes and 24 seconds.
131.234.xxx.xx - - [27/Feb/2006:10:49:17 +0100] "GET /index.rdf HTTP/1.1"
131.234.xxx.xx - - [27/Feb/2006:10:49:17 +0100] "GET /index.rdf HTTP/1.1"
131.234.xxx.xx - - [27/Feb/2006:10:49:17 +0100] "GET /index.rdf HTTP/1.1"
131.234.xxx.xx - - [27/Feb/2006:10:49:17 +0100] "GET /index.rdf HTTP/1.1"
131.234.xxx.xx - - [27/Feb/2006:10:49:17 +0100] "GET /index.rdf HTTP/1.1"
....
131.234.xxx.xx - - [27/Feb/2006:11:31:41 +0100] "GET /index.rdf HTTP/1.1"
131.234.xxx.xx - - [27/Feb/2006:11:31:41 +0100] "GET /index.rdf HTTP/1.1"
Then the storm ends. User reads three more pages throughout the day and shuts down his computer shortly after 5pm.
What a job. Nine to five. And I bet that at home he has DSL service from Arcor. His address is now blocked. If you are working at the University of Paderborn and someone tells you he cannot access my site, then you will know.
Is anybody betting against me if I say this is a Notes agent? :-)
Comments
Doesn't fit to a Notes agent description. Notes agents can't normally be scheduled to run in that fast sequence and they time out after a while (in case the get is in a non terminating loop). Even if it is a Java agent Notes tears down the agent jvm, so a thread wouldn't survive the timeout either.
Would be interesting to find the real culprit (code). Does the university know and takes action?
:-) stw
Even if the network officials on university level don't know, there is a fairly dense community at UPB who read vowe dot net, at least if it's among the faculty/staff (Students are harder to track down to an IP, since there IP adresses are more dynamic). So I guess there's going to be enough social correction :-).
Do you have access to the log containing the UserAgent strings? That may give you some insight into who/what is doing it.
Jan-Piet, of course I have. Where do you think this data is from? :-) And no, the UserAgent string does not contain any conclusive data. Just like I would expect from this agent.
As the first comment said, unlikely to be Notes at that polling frequency.
