9

My server was running on 100% CPU and looking at the Apache logs I saw hundreds of thousands of connections that looked like this:

10.190.45.31 - - [13/Mar/2014:15:29:02 +0000] "GET SOMETHING HTTP/1.1" 200 2261 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7 (via ggpht.com GoogleImageProxy)"

The IP is that of my load balancer, which unfortunately I hadn't set up with logging, so I can't identify the true source of these requests.

Does anyone know what kind of traffic this is?

user967722
  • Hi, you have included the [tag:ddos] tag, mentioned 100% CPU usage and mentioned hundreds of thousands of log lines (which you call *connections*). I can't see any connection between those three things. I've answered your question but I suspect you *really* want to know why your server went down and what you can do to prevent it happening again. For that you probably need to know what was using the CPU. Did you run `top` while it was happening? Do you have a monitoring system such as Cacti, Nagios, munin, Observium, Zabbix, etc? – Ladadadada Mar 13 '14 at 17:49
  • Is the image requested a top result for any popular Google search term? I saw this as well and theorized Images was load testing my server before displaying the image as the #1 result for that term. – Lucent Sep 10 '18 at 17:49

1 Answer

16

I see traffic like this too.

  • The IP addresses are always in the 66.249.64.0/19 range, which is owned by Google.
  • The User-Agents I see are always the same one you have there.
  • The URLs being requested are mostly images but sometimes not.
  • Most image URLs are requested multiple times. The top two most requested images (which, incidentally, we only include in emails our platform sends) were 2/3rds of the total requests.

I'm pretty sure it's related to the recent change they made to Gmail to automatically load images in emails but to do so through a proxy so the recipient couldn't be identified.

This blog post backs me up and includes the same User-Agent.

You could probably test this by sending yourself an HTML email to your Gmail address that included a tag like this (substituting your domain in for example.com of course):

<img src="http://example.com/this_probably_doesnt_exist.jpg">

If you see the same kind of hit from this User-Agent for that URL then I am right in my guess.

Ladadadada
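The checks listed in the answer above, as an added example that is not part of the original post: it counts image-proxy hits per URL in Apache combined-format lines and separates hits whose logged IP falls in 66.249.64.0/19 from those matched on User-Agent alone (the asker's case, where only the load balancer address is logged). The function name, sample paths and sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Range and User-Agent marker are the ones quoted on this page.
GOOGLE_NET = ipaddress.ip_network("66.249.64.0/19")
UA_MARKER = "via ggpht.com GoogleImageProxy"

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def summarize(lines):
    """Count proxy hits per URL; split by whether the logged IP confirms the range."""
    per_url = Counter()
    confirmed = ua_only = 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or UA_MARKER not in m["ua"]:
            continue  # unparsable line or ordinary client
        parts = m["request"].split()
        per_url[parts[1] if len(parts) >= 2 else m["request"]] += 1
        try:
            in_range = ipaddress.ip_address(m["host"]) in GOOGLE_NET
        except ValueError:  # a hostname was logged instead of an address
            in_range = False
        if in_range:
            confirmed += 1
        else:
            ua_only += 1  # e.g. a load balancer address hides the real source
    return {"per_url": per_url, "ip_confirmed": confirmed, "ua_only": ua_only}

# Constructed sample lines (not real traffic).
PROXY_UA = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.7) "
            "Gecko/2009021910 Firefox/3.0.7 (via ggpht.com GoogleImageProxy)")
TS = "[13/Mar/2014:15:29:02 +0000]"
SAMPLE = [
    f'66.249.64.10 - - {TS} "GET /img/logo.png HTTP/1.1" 200 2261 "-" "{PROXY_UA}"',
    f'66.249.95.200 - - {TS} "GET /img/logo.png HTTP/1.1" 200 2261 "-" "{PROXY_UA}"',
    f'10.190.45.31 - - {TS} "GET /img/footer.png HTTP/1.1" 200 900 "-" "{PROXY_UA}"',
    f'203.0.113.7 - - {TS} "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    result = summarize(SAMPLE)
    print(result["per_url"].most_common(), result["ip_confirmed"], result["ua_only"])
```

A high `ua_only` count only says the User-Agent matched; the User-Agent header is client-supplied, so the source is confirmed only when the real client address is logged.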