The Phantom Internet
I have not had my home server running for a few years now; this page is archived content.
I receive a low enough rate of traffic on my home server that I get to pick up on some of the strange access patterns shown in the server log window. Some of it is plain dumb, like search engines continually trying to index content that has long since gone, and in need of instructing as to what “404” means. (I guess I need to offer hints to that effect in my error pages, like how Microsoft IIS does.)
But some of it is:
The most recent trend is towards a variety of machines with Direcway satellite broadband addresses accessing my Grim Reaper photograph; these are all the hits over the last week or so, which amount to nearly half the hits on that image:
08/17/06 06:10:46 OK dpc67142130040.direcpc.com. :site:GrimReaper.jpg 24576
08/17/06 22:51:26 OK dpc6682009080.direcpc.com. :site:GrimReaper.jpg 16384
08/18/06 01:16:24 OK dpc6682009080.direcpc.com. :site:GrimReaper.jpg 16384
08/18/06 17:23:55 OK b12webproxy04.direcpc.com. :site:GrimReaper.jpg 24576
08/20/06 09:29:29 OK dpc691914042.direcpc.com. :site:GrimReaper.jpg 8192
08/20/06 18:43:55 OK dpc67142130037.direcpc.com. :site:GrimReaper.jpg 16384
08/21/06 02:36:04 OK ac5-webproxy16.direcpc.com. :site:GrimReaper.jpg 24576
08/21/06 09:12:19 OK dpc67142130023.direcpc.com. :site:GrimReaper.jpg 16384
08/21/06 14:56:57 OK b12webproxy09.direcpc.com. :site:GrimReaper.jpg 8192
08/21/06 17:11:06 OK ac5-webproxy50.direcpc.com. :site:GrimReaper.jpg 16384
08/21/06 21:31:40 OK ac5-webproxy23.direcpc.com. :site:GrimReaper.jpg 16384
08/22/06 04:30:32 OK b12webproxy09.direcpc.com. :site:GrimReaper.jpg 24576
08/22/06 06:08:22 OK dpc67142130034.direcpc.com. :site:GrimReaper.jpg 8192
08/22/06 21:04:43 OK dpc67142130037.direcpc.com. :site:GrimReaper.jpg 24576
Now here is the strange part: the image is 129,985 bytes in size. None of these accesses are for the whole file. They are all for an exact number of packets; the server is transmitting 8 kilobyte packets. None of them were preceded by any other accesses to my server; they are all spontaneous. I do not have access to referrers with this server, however. I know one single person with Direcway broadband but she would rather suffocate herself to death than nurture an obsession with a photograph of me.
The only reasons I know of for a partial transfer are:
- The connection dropped or was cancelled
- The user requested to save the target of a link on a lamer browser that grabs part of the file first and then throws it away, thus adding an unnecessary and misleading figure to site statistics
- The browser performed a conditional GET (If-Modified-Since), in which case the server may return 304 Not Modified and send back no data at all (i.e. zero bytes)
I can name no reason for persistent, daily requests of tiny fragments of a file like this. None whatsoever.
A few years back, I picked up a strange host with a “twtelecom” address which was randomly accessing a few pages on Firetrack that had moved to this domain. Fair enough, someone must have bookmarked my site and not realised the pages had moved. Since they’d not realised that the pages were redirecting, I put up a big trout slap page for them to clarify that the pages were no longer at those addresses.
To my surprise, the hits – including the trout-slap page which no longer redirected – just kept on coming. And coming. Whoever – or really, whatever – it was, was not actually reading any of the responses from the server at all. In the end, my file system got toasted and the Mac was out for a week or more until I bought a new drive and reinstalled the system. Do you think the outage deterred this beggar?
The hits were coming in daily, every one a 404 now since I had not restored the redirects to my settings:
07/20/04 03:02:25 ERR! 66-194-6-75.gen.twtelecom.net. :site:sketches:death.html 706
07/20/04 13:59:48 ERR! 66-194-6-75.gen.twtelecom.net. :site:sketches:death.html 706
07/21/04 11:00:40 ERR! 66-194-6-73.gen.twtelecom.net. :site:Gorillas:index.html 680
07/21/04 13:34:12 ERR! 66-194-6-75.gen.twtelecom.net. :site:sketches:death.html 690
07/22/04 10:28:17 ERR! 66-194-6-73.gen.twtelecom.net. :site:Gorillas:index.html 680
07/22/04 13:21:55 ERR! 66-194-6-75.gen.twtelecom.net. :site:sketches:death.html 690
07/23/04 10:25:59 ERR! 66-194-6-73.gen.twtelecom.net. :site:Gorillas:index.html 680
07/23/04 12:54:10 ERR! 66-194-6-75.gen.twtelecom.net. :site:sketches:death.html 690
Notice the IP address rotation? What is this?
As time went by, they started hitting on the Google Mordor page too, and the site front page:
11/22/04 01:40:00 ERR! 66-194-6-74.gen.twtelecom.net. :site:Gorillas:index.html 682
11/22/04 12:04:51 OK 66-194-6-73.gen.twtelecom.net. :site:Google:index.html 588
11/22/04 16:03:51 OK 66-194-6-72.gen.twtelecom.net. :site:index.html 284
11/22/04 17:28:22 ERR! 66-194-6-76.gen.twtelecom.net. :site:sketches:death.html 692
I decided to simply block their IP address range:
01/22/06 11:59:47 PRIV 66-194-6-73.gen.twtelecom.net. :site:sketches:death.html 79
01/23/06 10:02:07 PRIV 66-194-6-71.gen.twtelecom.net. :site:index.html 79
01/23/06 10:52:27 PRIV 66-194-6-74.gen.twtelecom.net. :site:Google:index.html 79
01/23/06 10:52:27 PRIV 66-194-6-70.gen.twtelecom.net. :site:Google:index.html 79
01/23/06 13:25:58 PRIV 66-194-6-75.gen.twtelecom.net. :site:Gorillas:index.html 79
01/23/06 19:59:48 ERR! 66-194-6-67.gen.twtelecom.net. :site:sketches:death.html 758
01/24/06 18:10:33 PRIV 66-194-6-84.gen.twtelecom.net. :site:index.html 79
01/24/06 19:17:49 OK 66-194-6-68.gen.twtelecom.net. :site:Google:index.html 3101
It never worked. The two emphasised results (the ERR! and OK entries, from the addresses ending in 67 and 68) show where the address range was wide enough to fall outside of my block, a fact which may have misled the server into thinking that it is still welcome. The addresses belong to Time Warner Telecom, I discovered, and I contacted them about it by e-mail; I was simply ignored.
These accesses continue to this day, persistently requesting data and then ignoring the results, day after day after day.
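An added example (not from the original page or its server software): a small Python parser for the log layout shown above that flags the 8 KB-multiple partial fetches described for GrimReaper.jpg and, for the twtelecom hosts, lists the addresses that got past the block and the smallest CIDR covering every address seen. The function names are made up for this example, the sample entries are copied from the page's own excerpts, and reading PRIV as "refused by the block" is an assumption drawn from the text.

```python
import ipaddress
import re

# Log layout as shown on the page: date, time, status, reverse-DNS name, path, bytes sent.
ENTRY = re.compile(r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (\S+) (\S+)\. (\S+) (\d+)")
CHUNK = 8192          # send size the page reports for this server
FULL_SIZE = 129985    # size of GrimReaper.jpg as stated on the page
# Entries copied from the page's own log excerpts (a subset, not new data).
DIRECWAY = """
08/17/06 06:10:46 OK dpc67142130040.direcpc.com. :site:GrimReaper.jpg 24576
08/18/06 17:23:55 OK b12webproxy04.direcpc.com. :site:GrimReaper.jpg 24576
08/20/06 09:29:29 OK dpc691914042.direcpc.com. :site:GrimReaper.jpg 8192
"""
TWTELECOM = """
01/22/06 11:59:47 PRIV 66-194-6-73.gen.twtelecom.net. :site:sketches:death.html 79
01/23/06 10:52:27 PRIV 66-194-6-70.gen.twtelecom.net. :site:Google:index.html 79
01/23/06 19:59:48 ERR! 66-194-6-67.gen.twtelecom.net. :site:sketches:death.html 758
01/24/06 18:10:33 PRIV 66-194-6-84.gen.twtelecom.net. :site:index.html 79
01/24/06 19:17:49 OK 66-194-6-68.gen.twtelecom.net. :site:Google:index.html 3101
"""

def parse(log):
    """Return (status, host, path, bytes_sent) tuples; accepts one-per-line or run-together text."""
    return [(st, host, path, int(n)) for _, st, host, path, n in ENTRY.findall(log)]

def truncated_fetches(log, full_size=FULL_SIZE):
    """OK responses that stopped on a chunk boundary short of the whole file: (host, chunks)."""
    return [(host, n // CHUNK) for st, host, _, n in parse(log)
            if st == "OK" and 0 < n < full_size and n % CHUNK == 0]

def client_ip(host):
    """Recover the IPv4 address embedded in names such as 66-194-6-75.gen.twtelecom.net."""
    m = re.match(r"(\d+)-(\d+)-(\d+)-(\d+)\.", host)
    return ipaddress.ip_address(".".join(m.groups())) if m else None

def past_the_block(log):
    """Addresses that still got a normal answer (anything but PRIV) after the block went in."""
    return sorted(ip for st, host, _, _ in parse(log) if st != "PRIV" and (ip := client_ip(host)))

def covering_block(log):
    """Smallest single CIDR that contains every client address seen in the log."""
    ips = sorted(ip for _, host, _, _ in parse(log) if (ip := client_ip(host)))
    net = ipaddress.ip_network(f"{ips[0]}/32")
    while ips[-1] not in net:
        net = net.supernet()   # widen by one bit until the highest address fits
    return net

if __name__ == "__main__":
    print(truncated_fetches(DIRECWAY), past_the_block(TWTELECOM), covering_block(TWTELECOM))
```

The covering prefix also takes in addresses that never appeared in the log, so treat it as a candidate block to review rather than a list of known clients.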
The other strange access pattern that stood out was how a proxy cache at my sister’s university would occasionally, randomly access my site’s stylesheet. Nothing else, just the stylesheet. And it was – and remains – the most uninteresting stylesheet ever.
- 10/20/05 23:38:59 ERR! kkk1.klannet.net. :site:cacti:graph_image.php 0
- 08/21/05 19:15:21 OK kvo-ma-gledash-che-ta-gledam-ne-vijdash-li-che-ta-vijdam.hfc.tvsatbg.net. :site:index.html 258
Emanuil Tolev from Bulgaria writes about the latter:
[the hostname] is a sentence in Bulgarian, translating into "What are you doing looking at me looking at you - do you not see that I see you?".hfc.tvsatbg.net. (Weirdness of language preserved as much as possible.)
Also, tvsatbg.net is the website of a well-known Bulgarian cable television operator.