Same user agent but many different IPs

Wmff

7:27 am on Oct 23, 2024 (gmt 0)

Top Contributors Of The Month
What's going on here? Different IP addresses, different ISP, different cities and states all requesting the same web page. The only thing in common is the user agent and they happened to all be within the US.

Mozilla/5.0 (Linux; Android 5.0; SM-G900P Build/LRX21T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.8824.1458 Mobile Safari/537.36

This also happened several months ago but all of those were from Canada.

lucy24

3:52 pm on Oct 23, 2024 (gmt 0)

In a word: botnet.

Wmff

5:16 pm on Oct 23, 2024 (gmt 0)

When I said that all of the IPs were requesting the same page, what I meant, or should have said, was that each IP was requesting an element of the same page. In other words, the multiple IP hits were behaving like a normal, non-malicious visitor with a single IP that was opening a page from my site. Does that change your answer? Because my first guess was that this was some kind of proxy meant to disguise or hide the visitor's ID.

not2easy

5:22 pm on Oct 23, 2024 (gmt 0)

That is pretty much what you'd see with a botnet. It can be one bot on a programmed chain of compromised computers, hence the different IPs. You can do WHOIS lookups to check, but it is likely the IPs resolve to commercial ISPs. There are variations on the methods, but that is a common setup.

Wmff

5:30 pm on Oct 23, 2024 (gmt 0)

Thanks lucy24 and not2easy. Would it do any good to block the user agent?

not2easy

7:40 pm on Oct 23, 2024 (gmt 0)

You can search through your logs and see how common that UA is and whether it might block users who are not swapping IPs for each resource.

lucy24

8:46 pm on Oct 23, 2024 (gmt 0)

Would it do any good to block the user agent?
To expand on not2easy's answer: Start by checking some small part of the UA, like “Chrome/114”. If this turns up recent humans as well, expand to a larger chunk of the UA, ending up with the whole thing. I have an environmental variable called botnet_agent that matches a short list of humanoid UAs, which I check every few months to see if they’re still active. (If you’re on shared hosting, using htaccess-or-equivalent, you don’t want to put the server to too much work. If it’s your own server, with a config file that’s read at startup, it is less of a burden, though still non-zero.)

Wmff

9:09 pm on Oct 23, 2024 (gmt 0)

I did do a search of past logs going back about 3 months. "Linux; Android 5.0; SM-G900P Build/LRX21T" was found to be very common and showed up in several regular (single IP address) visitors. If I searched for the entire string - "Mozilla/5.0 (Linux; Android 5.0; SM-G900P Build/LRX21T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.8824.1458 Mobile Safari/537.36", I did not find any matches. I also did not find any matches for "Chrome/44.0.8824.1458 Mobile Safari/537.36".
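The log search that lucy24 describes and Wmff carried out, as an added Python example that is not from the thread: it parses constructed Apache combined-format log lines, reports how many distinct IPs sent a UA containing a given fragment (so a fragment that also matches ordinary single-IP visitors can be widened before anything is blocked), and flags page views whose page and assets arrived from more than one IP, which is the pattern Wmff saw. The log lines, the IP addresses and the Chrome/114 "human" UA are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format. Every log line below is constructed for this example.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                    r'\d{3} \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

PHONE = "Mozilla/5.0 (Linux; Android 5.0; SM-G900P Build/LRX21T) AppleWebKit/537.36 (KHTML, like Gecko)"
OLD_UA = f"{PHONE} Chrome/44.0.8824.1458 Mobile Safari/537.36"  # the UA quoted in the thread
NEW_UA = f"{PHONE} Chrome/114.0.0.0 Mobile Safari/537.36"       # constructed: a plausible human UA

def line(ip, sec, path, ref, ua):
    return f'{ip} - - [23/Oct/2024:07:27:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512 "{ref}" "{ua}"'

PAGE, ASSETS = "/page.html", ["/style.css", "/app.js", "/logo.png"]
SAMPLE_LOG = [line("203.0.113.10", 0, PAGE, "-", OLD_UA)]
SAMPLE_LOG += [line(ip, 1 + i, a, PAGE, OLD_UA)  # one element per IP: the pattern Wmff describes
               for i, (ip, a) in enumerate(zip(["198.51.100.7", "192.0.2.44", "203.0.113.99"], ASSETS))]
SAMPLE_LOG += [line("192.0.2.5", 30, PAGE, "-", NEW_UA)]  # an ordinary single-IP visitor
SAMPLE_LOG += [line("192.0.2.5", 31 + i, a, PAGE, NEW_UA) for i, a in enumerate(ASSETS)]

def parse(lines):
    out = []
    for ln in lines:
        m = LOG_RE.match(ln)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            out.append(rec)
    return out

def ua_fragment_report(records, fragment):
    """lucy24's check: how many requests, and from how many distinct IPs, carry this UA fragment?"""
    per_ip = defaultdict(int)
    for r in records:
        if fragment in r["ua"]:
            per_ip[r["ip"]] += 1
    return {"requests": sum(per_ip.values()), "distinct_ips": len(per_ip)}

def split_pageviews(records, window=timedelta(seconds=5)):
    """Group each UA's requests into page views (a top-level page plus the assets that name it
    as Referer within `window`) and return the views whose elements came from more than one IP."""
    by_ua = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_ua[r["ua"]].append(r)
    flagged = []
    for ua, recs in by_ua.items():
        for i, page in enumerate(recs):
            if page["ref"] != "-":
                continue  # only requests without a Referer start a new page view
            view = [page] + [r for r in recs[i + 1:]
                             if r["ref"].endswith(page["path"]) and r["ts"] - page["ts"] <= window]
            ips = {r["ip"] for r in view}
            if len(ips) > 1:
                flagged.append({"ua": ua, "page": page["path"], "ips": sorted(ips), "elements": len(view)})
    return flagged
```

Widening the fragment from "SM-G900P" to the full string shows the distinct-IP count dropping to only the multi-IP visitor, which is the signal that the full UA can be blocked without touching the regular visitors Wmff found.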

Wmff

9:16 pm on Oct 23, 2024 (gmt 0)

"you don’t want to put the server to too much work"
Does "too much work" cause pages to load slower? Are we talking adding seconds, 1/10's of a second, or just milliseconds? Yes, I have shared hosting.

lucy24

10:58 pm on Oct 23, 2024 (gmt 0)

More like nanoseconds, but across a whole server they do add up.

Did you say Chrome/44 (forty-four)?! That can absolutely be safely blocked; I currently block everything up to Chrome/69, with a hole poked for (YMMV) Google-Read-Aloud.