
I'm getting strange requests to my domain using a different domain in the Host header -> as.eu.angsrvr.com. The requests are coming from all different IP addresses, different OSes, different browsers and seem to be made by real users. And the referrers are different for each request, for example

http://emilyaclark.com/ http://phimmoi.net/ http://fool.com/

etc. There are really a lot. Some of them are application/x-shockwave-flash. ~1500 req/hour. It's pretty consistent.

46.66% requests to http://as.eu.angsrvr.com/select

53.34% requests to http://as.eu.angsrvr.com/crossdomain.xml

How are these requests happening? It seems to be some ad network, but how does it make people hit my domain using the wrong domain name?

I checked how as.eu.angsrvr.com resolves using DNS:

as.eu.angsrvr.com
Server:  UnKnown
Address:  192.168.0.1

Non-authoritative answer:
Name:    lb-adselect-1417292246.eu-west-1.elb.amazonaws.com
Addresses:  52.19.172.131
          52.30.76.130
          52.30.149.251
          54.72.96.237
          54.77.95.108
          52.17.118.157
          52.17.229.14
          52.17.241.192

And none of these IPs point to my server. My IPs are 52.204.51.49, 52.1.237.57. I'm using Amazon ELB and this site seems to be using ELB too. Not sure if it's relevant or not.

I know I can block them at the nginx level, but I want to figure out how they are happening at all and who to contact to stop this.

Aldarund

2 Answers


Looks like you have a new server, and its IP earlier belonged to as.eu.angsrvr.com. The reason why you are still receiving those requests is that either the visitors have the IP cached in their DNS (usually it should expire in less than two days) or the IP is hard-coded in configs (a good lesson in how NOT to do configs).

Another reason is that the admin at angsrvr.com mistyped something when configuring their DNS.

Solution: ask your hosting provider to change the server's IP, or contact angsrvr.com support (see 'whois').

Putnik
  • We have different IPs; I posted my IP in the post and what whois responds for their IP. And it's not really new, my ELB has been up for half a year, and this started only a week ago. – Aldarund Jun 26 '16 at 10:16
  • I don't really think the IP is hardcoded in visitors' configs; it doesn't make any sense, there are like 1000 different persons every hour and it makes no sense. I tried again and it seems that as.eu.angsrvr.com replies with different IP addresses on every whois lookup; probably there are A LOT of IP addresses for this domain. – Aldarund Jun 26 '16 at 10:23
  • Well, as soon as it is an AWS LB-backed service - maybe some glitches at Amazon? – Putnik Jun 26 '16 at 10:23
  • Actually their IP addresses are the same; they don't have mine in them. Trying to contact AWS support regarding this. – Aldarund Jun 26 '16 at 10:32

I know i can block them on nginx level

You should do that. In fact, you should already have been doing that in your own interest: nginx, or any front-side service with the capability, should be configured to throw back errors (503, 502, pick your poison) on any unexpected Host header coming in.

Since the domain in question does not seem to be misconfigured, it is likely that this is a browser DNS caching issue, and your ELB now has a public address formerly associated with this site. Browsers are terrible about holding on to resolved addresses until all windows are closed, DNS TTL be darned.

Note that there are at least 8 IP addresses for the other site's ELB. This is apparently a site that is handling a significant volume of traffic. 8 IP addresses suggests an ELB that has scaled itself up to at least 4 times the baseline capacity you'd see for a site deployed across 2 availability zones. You're seeing a tiny amount of fallout, relatively speaking...

who to contact to stop this

1500 requests per hour is probably not worth worrying about. It should go away on its own.

Of course, you could clone your ELB, move your site's DNS to the new one, then turn off the old one once everything drains; that would give you new public IP addresses. AWS support might be able to force your ELB to reconfigure itself with different public IPs on the outside.

But running servers on the Internet is inherently messy and this is a case where there really doesn't appear to be anything to "fix" at this point. The behavior could be eliminated, as discussed above, but since it does not appear to be malicious and can reasonably be expected to clear up on its own... is it worth the trouble?

Michael - sqlbot
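The "reject any unexpected Host header" setup the answer above recommends, as an added example that is not part of the original answer. It assumes nginx listening on port 80 behind the ELB (which passes the client's Host header through unchanged); example.com and /var/www/example are placeholders for the real site. The first server block marked default_server on a listen socket is where nginx sends every request whose Host header matches no other server_name, so the catch-all must not carry the real site's name.

```nginx
# Catch-all: any request whose Host header does not match a configured
# server_name (e.g. as.eu.angsrvr.com) lands here and is dropped.
server {
    listen 80 default_server;
    server_name _;      # "_" is a conventional never-matching name

    # 444 is nginx-specific: close the connection without writing a
    # response. Use "return 503;" instead if clients should get an
    # HTTP error they can see, as the answer suggests.
    return 444;
}

# The real site: only requests with a matching Host header get here.
server {
    listen 80;
    server_name example.com www.example.com;   # placeholder names
    root /var/www/example;                     # placeholder path

    location / {
        try_files $uri $uri/ =404;
    }
}
```

To confirm it works, send a request with the foreign hostname, for example `curl -sS -o /dev/null -w '%{http_code}\n' -H 'Host: as.eu.angsrvr.com' http://YOUR-ELB-DNS-NAME/crossdomain.xml`: with `return 444` curl reports an empty reply from the server, with `return 503` it prints 503, while the same request with `Host: example.com` still reaches the site. One caveat worth checking before relying on this: the ELB health check request may not carry your site's hostname and would then hit the catch-all, so verify the instances stay InService after the change, or add a `location` for the health check path inside the catch-all block that returns 200.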