Posted 23 January 2009 - 07:23 AM
I'm not sure if this is the place for this, but as it's a security related issue, I hoped someone may have some ideas.
I've been using the 'whosonline' contrib for some time now, and as a result, i've noticed an interesting connection to my site.
Basically, the 'customer' behaves like a 'bot, working it's way through the pages of the site 24 x 7, it doesn't have a session ID, or appear to go anywhere it shouldn't, however it's a permanent visitor to the site, with it's online time counter only resetting every 24 hrs, so at the least, it's a resource hog.
-Now the weird part (to me at least!)
It's IP keeps changing! It cycles through various sets of IP's ranging from Yahoo bot to private/ISP/Google addresses. I have tried banning the IP addresses it uses, but it simply 'morphs' to a new one (I gave up after 50 addresses, as many were inside address pools used by ISPs, and I didn't wish to ban legitimate users)- the next weird part is that whosonline doesn't see this as a new visitor, it keeps the online time, and entry time counters and updates the IP address.
Obviously there's some sort of spoofing going on here, the question is, how to stop it! - it only makes a database query every 30-40 seconds, so it's not tripping any DOS alarms on the server/firewall.
Has anyone else seen anything similar, or have any ideas about what this could be (and how to stop it)???