Information about misusage of ip.bieringer.de

Issue

For a long time (approx. over 2 years now) ip.bieringer.de has been continuously misused on port 8080 by Java software from various IP addresses:
GET / HTTP/1.1
Host: ip.bieringer.de:8080
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_102)
Accept-Encoding: gzip,deflate
or
GET / HTTP/1.1
Host: 127.0.0.1:[various-ports, mostly in range of 1200...1500]
User-Agent: Java/1.8.0_10
Log entries (after blocking the User-Agent "Java") look like:
103.125.189.140 - - [14/Nov/2020:16:35:35 +0100] "GET / HTTP/1.1" 403 209 "-" "Apache-HttpClient/4.5.3 (Java/1.8.0_102)" 8080 "ip.bieringer.de:8080" "-" 155 375 "-/-/-/-"
1.1.236.51 - - [01/Sep/2021:01:19:03 +0200] "GET / HTTP/1.1" 403 199 "-" "Java/1.8.0_102" 8080 "127.0.0.1:1339" "-" 154 365 "-/-/-/-"

Further Analysis

Probing Attack Sequence

Probing

It looks like the request with the following User-Agent and Host header
Host: ip.bieringer.de:8080
User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_102)
is somehow the controller probe from particular IP addresses.

Attacking

If the probing request is successful, a huge amount of requests from IP addresses all over the world will start, with the following User-Agent and Host header
User-Agent: Java/1.8.0_10
Host: 127.0.0.1:[various-ports, mostly in range of 1200...1500]

Client Analysis

Client OS indicators

After blocking several IPv4 ranges of some countries, it turns out that clients suddenly start using 6to4 IPv6 addresses like
2002:67cf:26c5::67cf:26c5
This 6to4 address is an indication that the client operating system is Microsoft Windows, because Windows also stores the encoded IPv4 address in the Interface-ID.
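As an added example (not code from this page or its author), the two-phase pattern described under "Probing Attack Sequence" and the 6to4 indicator above, expressed as detection logic over the page's log format. The field order of the custom log format after the User-Agent (server port, then the Host header) is assumed from the two entries quoted above; the third sample line with a 6to4 client is constructed.

```python
import ipaddress
import re

# Log lines in the page's Apache log format: first two quoted from the page, third constructed (6to4 client).
SAMPLE_LOG = """\
103.125.189.140 - - [14/Nov/2020:16:35:35 +0100] "GET / HTTP/1.1" 403 209 "-" "Apache-HttpClient/4.5.3 (Java/1.8.0_102)" 8080 "ip.bieringer.de:8080" "-" 155 375 "-/-/-/-"
1.1.236.51 - - [01/Sep/2021:01:19:03 +0200] "GET / HTTP/1.1" 403 199 "-" "Java/1.8.0_102" 8080 "127.0.0.1:1339" "-" 154 365 "-/-/-/-"
2002:67cf:26c5::67cf:26c5 - - [02/Sep/2021:03:00:11 +0200] "GET / HTTP/1.1" 403 199 "-" "Java/1.8.0_102" 8080 "127.0.0.1:1402" "-" 154 365 "-/-/-/-"
"""

# client ident user [time] "request" status bytes "referer" "user-agent" port "Host" ... (order assumed from the page)
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<port>\d+) "(?P<host>[^"]*)"'
)

def classify(ua, host):
    """Map a (User-Agent, Host header) pair onto the two phases described above."""
    if ua.startswith("Apache-HttpClient/") and "(Java/" in ua and host.startswith("ip.bieringer.de:"):
        return "probe"   # controller probe addressed to the real hostname
    if ua.startswith("Java/") and host.startswith("127.0.0.1:"):
        return "attack"  # follow-up wave: Host header points at a loopback port
    return "java-other" if "Java" in ua else "other"

def decode_6to4(addr):
    """Return (embedded IPv4, windows_style) for a 2002::/16 address, else None.
    windows_style: the low 32 bits of the interface ID repeat the embedded IPv4,
    the Windows 6to4 layout the page points out."""
    ip = ipaddress.IPv6Address(addr)
    if ip.sixtofour is None:
        return None
    low32 = int(ip) & 0xFFFFFFFF
    return str(ip.sixtofour), low32 == int(ip.sixtofour)

def analyze_log(text):
    """Parse each log line and tag it with its phase, requested port and 6to4 info."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue          # skip lines that are not in the expected format
        host_port = int(m["host"].rsplit(":", 1)[1]) if ":" in m["host"] else None
        out.append({
            "client": m["client"], "ua": m["ua"], "host": m["host"],
            "kind": classify(m["ua"], m["host"]),
            "host_port": host_port,
            "sixtofour": decode_6to4(m["client"]) if ":" in m["client"] else None,
        })
    return out
```

Feeding a real access log through analyze_log() separates the few probe sources from the wave of loopback-Host requests that follows them, and the sixtofour field decodes which IPv4 sits behind each 2002::/16 client.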

Client connection indicators

Mitigations

Several workarounds did not stop the misusage, like:
The following step reduced the misusage a lot:

Workaround

In case of any issues with blocked DNS resolution, replace in your browser: ip.bieringer.de -> ip.bieringer.net

Note

If I detect that someone changes the FQDN to "ip.bieringer.net", then I will get really angry and close down the service!

Request of help

If anyone has a hint about the root cause, please contact me - thank you very much!
I'm also able to hand out related log entries for further statistics or drill-down!
2021-10-21, webmaster at bieringer dot de

