6

I am running an application server and logging all requests for analysis purposes later. One interesting trend I noticed last night was, I had a visitor from Texas on FIOS share identical traffic with bluecoat in California.

What would cause the traffic to be identical? For every request the visitor made, bluecoat made one subsequently within milliseconds of his request. If it is caching, why would there be identical requests? Wouldn't it go through the cache / proxy on their end, and I would only see the proxied request?

I'm just curious, this is an interesting pattern that shows similarities of a DDoS attack, but with far fewer resources. Is it possible that the visitor had malware on their computer?

Any other ideas?

John Gardeniers
  • 27,458
  • 12
  • 55
  • 109

5 Answers

4

This is most likely BlueCoat's "WebPulse" service.

When a user accesses a URL through a BlueCoat Proxy and BlueCoat doesn't have any information on that URL, it can be reported back to "WebPulse", which then scans the URL looking for malware, etc.

The first request will be the user accessing the URL, the second is WebPulse doing its scan on the same URL.

pjmorse
  • 1,550
  • 1
  • 17
  • 34
  • +1 You can find some documentation at https://kb.bluecoat.com/index?page=content&id=KB3400 – pehrs May 01 '11 at 12:30
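The pattern the question describes (a second client IP repeating each of a visitor's requests within milliseconds) is easy to confirm from the access log itself rather than by eye. The script below is an added example, not code from this thread or from BlueCoat: it parses constructed log lines in a combined-log-like format that is assumed to carry millisecond timestamps, pairs each request with any later request for the same method and path from a different IP inside a configurable window (500 ms here, an assumed value), and then counts how many of a visitor's requests were echoed by the same second IP. A scanner such as the WebPulse service described above shows up as one follower IP echoing a large share of one leader's requests; a coincidental cache refresh or an unrelated visitor does not.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real traffic): one visitor, a second IP that
# fetches the same URL a few hundred milliseconds later, and unrelated hits.
SAMPLE_LOG = """\
198.51.100.10 - - [01/May/2011:03:12:07.104 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.45 - - [01/May/2011:03:12:07.331 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.10 - - [01/May/2011:03:12:09.870 +0000] "GET /about HTTP/1.1" 200 2048
203.0.113.45 - - [01/May/2011:03:12:10.102 +0000] "GET /about HTTP/1.1" 200 2048
192.0.2.77 - - [01/May/2011:03:12:11.000 +0000] "GET /about HTTP/1.1" 200 2048
198.51.100.10 - - [01/May/2011:03:12:15.500 +0000] "GET /contact HTTP/1.1" 200 1024
192.0.2.77 - - [01/May/2011:03:13:40.000 +0000] "GET / HTTP/1.1" 200 5120
"""

# Assumed log layout: client IP, ident, user, [timestamp with milliseconds],
# "METHOD PATH PROTOCOL". Real servers need a matching LogFormat.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S.%f %z"


def parse_log(text):
    """Parse log lines into (timestamp, ip, method, path), sorted by time."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines the regex does not recognise
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        entries.append((ts, m.group("ip"), m.group("method"), m.group("path")))
    entries.sort(key=lambda e: e[0])
    return entries


def find_shadow_pairs(entries, window_ms=500):
    """Return (leader_ip, follower_ip, path, delta_ms) for every request that a
    different client repeats (same method and path) within window_ms."""
    window = timedelta(milliseconds=window_ms)
    pairs = []
    for i, (ts, ip, method, path) in enumerate(entries):
        for later_ts, later_ip, later_method, later_path in entries[i + 1:]:
            if later_ts - ts > window:
                break  # entries are sorted, so nothing further is in-window
            if later_ip != ip and (later_method, later_path) == (method, path):
                delta_ms = int((later_ts - ts) / timedelta(milliseconds=1))
                pairs.append((ip, later_ip, path, delta_ms))
    return pairs


def summarize(pairs, entries, min_hits=2):
    """Count echoed requests per (leader, follower) pair and report the share of
    the leader's requests that were echoed, so one-off coincidences drop out."""
    per_leader = defaultdict(int)
    for _, ip, _, _ in entries:
        per_leader[ip] += 1
    counts = defaultdict(int)
    for leader, follower, _, _ in pairs:
        counts[(leader, follower)] += 1
    report = {}
    for (leader, follower), n in counts.items():
        if n >= min_hits:
            report[(leader, follower)] = (n, n / per_leader[leader])
    return report


if __name__ == "__main__":
    log_entries = parse_log(SAMPLE_LOG)
    shadow_pairs = find_shadow_pairs(log_entries)
    for leader, follower, path, delta in shadow_pairs:
        print(f"{follower} repeated {leader}'s request for {path} after {delta} ms")
    for (leader, follower), (n, share) in summarize(shadow_pairs, log_entries).items():
        print(f"{follower} echoed {n} of {leader}'s requests ({share:.0%})")
```

Run over a real log, the follower IP and its WHOIS owner are what to look at: a proxy vendor's scanner fetching a fixed share of one visitor's URLs points at content filtering, whereas many unrelated leaders all echoed by the same follower is the profile of a shared proxy or caching tier in front of them.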
2

It might be due to various issues:

1 - An attacker is trying to confuse app server caching using tunneled connections.

2 - A regular user is connecting through a mis-configured VPN+proxy which duplicates the traffic by sending a copy from each site.

3 - A S-NAT issue.

4 - Or maybe an issue with your own proxy (I don't know whether you have one).

Hosm
  • 53
  • 1
  • 9
1

This sounds like a replay attack.

Wikipedia:

A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack by IP packet substitution (such as stream cipher attack).

JeffG
  • 1,194
  • 6
  • 18
0

They're using a web page sharing service, that allows people to 'surf together'.

Essobi
  • 901
  • 6
  • 9
0

I'm not too familiar with BlueCoat, but they do offer caching and filtering services. They could be grabbing your content for that purpose.

Xenoactive
  • 26
  • 1