Hello, government!


I noticed some slowness when reaching this server, this morning.  Logging in, there was no heavy CPU or swap usage.   Looking at netstat, I saw the reason: the Department of Homeland Security was poking around.

I had a ton of http connections from the Department of Homeland Security.  Here’s a fragment:

tcp4       0      0 cpe-74-74-237-13.http bcp2.cbp.dhs.gov.4985 FIN_WAIT_2
tcp4       0      0 cpe-74-74-237-13.http bcp5.cbp.dhs.gov.5628 FIN_WAIT_2
tcp4       0      0 cpe-74-74-237-13.http bcp2.cbp.dhs.gov.6168 TIME_WAIT
tcp4       0      0 cpe-74-74-237-13.http bcp2.cbp.dhs.gov.5551 TIME_WAIT
tcp4       0      0 cpe-74-74-237-13.http bcp5.cbp.dhs.gov.5783 FIN_WAIT_2
tcp4       0      0 cpe-74-74-237-13.http bcp2.cbp.dhs.gov.5319 TIME_WAIT
tcp4       0      0 cpe-74-74-237-13.http bcp2.cbp.dhs.gov.5077 TIME_WAIT
tcp4       0      0 cpe-74-74-237-13.http bcp2.cbp.dhs.gov.5636 FIN_WAIT_2
tcp4       0      0 cpe-74-74-237-13.http bcp2.cbp.dhs.gov.5130 TIME_WAIT
tcp4       0      0 cpe-74-74-237-13.http bcp2.cbp.dhs.gov.6007 TIME_WAIT
tcp4       0      0 cpe-74-74-237-13.http bcp5.cbp.dhs.gov.6546 FIN_WAIT_2
tcp4       0      0 cpe-74-74-237-13.http bcp5.cbp.dhs.gov.6083 FIN_WAIT_2
tcp4       0      0 cpe-74-74-237-13.http bcp5.cbp.dhs.gov.6397 FIN_WAIT_2
tcp4       0  12923 cpe-74-74-237-13.http bcp2.cbp.dhs.gov.4972 CLOSING
tcp4       0      0 cpe-74-74-237-13.http bcp2.cbp.dhs.gov.5273 TIME_WAIT
tcp4       0      0 cpe-74-74-237-13.http bcp2.cbp.dhs.gov.5157 FIN_WAIT_2
tcp4       0      0 cpe-74-74-237-13.http bcp2.cbp.dhs.gov.6130 FIN_WAIT_2
tcp4       0      0 cpe-74-74-237-13.http bcp2.cbp.dhs.gov.6171 FIN_WAIT_2
tcp4       0  26015 cpe-74-74-237-13.http bcp2.cbp.dhs.gov.5758 FIN_WAIT_1
tcp4       0      0 cpe-74-74-237-13.http bcp5.cbp.dhs.gov.5660 FIN_WAIT_2
tcp4       0      0 cpe-74-74-237-13.http bcp5.cbp.dhs.gov.5547 FIN_WAIT_2

Looking at my web server logs to see what was being retrieved, it appeared to mostly be this Digest: (again, a fragment)

63.167.255.152 - - [14/Jan/2010:08:52:20 -0500] "GET /dbsdlog/2004/09 HTTP/1.1" 200 66280 "-" "Mozilla/4.0 (compatible;)"
63.167.255.152 - - [14/Jan/2010:08:52:19 -0500] "GET /dbsdlog/2007/01 HTTP/1.1" 200 69492 "-" "Mozilla/4.0 (compatible;)"
63.167.255.152 - - [14/Jan/2010:08:51:29 -0500] "GET /dbsdlog/2008/03 HTTP/1.1" 200 71795 "-" "Mozilla/4.0 (compatible;)"
63.167.255.152 - - [14/Jan/2010:08:52:21 -0500] "GET /dbsdlog/2008/06 HTTP/1.1" 200 76529 "-" "Mozilla/4.0 (compatible;)"
63.167.255.152 - - [14/Jan/2010:08:52:17 -0500] "GET /dbsdlog/2007/05 HTTP/1.1" 200 72058 "-" "Mozilla/4.0 (compatible;)"
63.167.255.152 - - [14/Jan/2010:08:52:19 -0500] "GET /dbsdlog/2008/10 HTTP/1.1" 200 73876 "-" "Mozilla/4.0 (compatible;)"
63.167.255.155 - - [14/Jan/2010:08:51:52 -0500] "GET /dbsdlog/2004/02 HTTP/1.1" 200 66507 "-" "Mozilla/4.0 (compatible;)"
63.167.255.152 - - [14/Jan/2010:08:52:23 -0500] "GET /dbsdlog/2005/01 HTTP/1.1" 200 67146 "-" "Mozilla/4.0 (compatible;)"
63.167.255.152 - - [14/Jan/2010:08:52:19 -0500] "GET /dbsdlog/2006/02 HTTP/1.1" 200 70752 "-" "Mozilla/4.0 (compatible;)"
63.167.255.152 - - [14/Jan/2010:08:52:16 -0500] "GET /dbsdlog/2007/03 HTTP/1.1" 200 70718 "-" "Mozilla/4.0 (compatible;)"
63.167.255.152 - - [14/Jan/2010:08:53:12 -0500] "GET /dbsdlog/xmlrpc.php?rsd HTTP/1.1" 200 918 "-" "Mozilla/4.0 (compatible;)"
63.167.255.152 - - [14/Jan/2010:08:51:31 -0500] "GET /dbsdlog/2003/12 HTTP/1.1" 200 67549 "http://www.shiningsilence.com/dbsdlog/2010/01/13/5306.html?bcsi_scan_B185D4CBD207A2FC=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7"
63.167.255.152 - - [14/Jan/2010:08:52:22 -0500] "GET /dbsdlog/2005/09 HTTP/1.1" 200 67506 "-" "Mozilla/4.0 (compatible;)"
63.167.255.152 - - [14/Jan/2010:08:52:19 -0500] "GET /dbsdlog/2006/01 HTTP/1.1" 200 71474 "-" "Mozilla/4.0 (compatible;)"
63.167.255.155 - - [14/Jan/2010:08:52:43 -0500] "GET /dbsdlog/2005/05 HTTP/1.1" 200 67073 "-" "Mozilla/4.0 (compatible;)"
63.167.255.155 - - [14/Jan/2010:08:52:20 -0500] "GET /dbsdlog/2007/09 HTTP/1.1" 200 71813 "-" "Mozilla/4.0 (compatible;)"

The 63.167.255.* addresses resolve to dhs.gov addresses. It looks like a web spider, running through the archival links in the Digest. While these pages aren’t that bandwidth-intensive, my upload speed is relatively low, so having a whole bunch of network connections at once does have a noticeable effect.

Weird. Spidering software hits this and other sites all the time, of course, though usually it’s something from Yahoo or Google. It is appropriate that a government-owned spider would be the most unsubtle in terms of network effects.
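The same triage can be scripted. This is an added example, not part of the original post: it groups combined-format access log lines by client /24 and reports networks whose requests cluster inside a short window, which is the pattern in the excerpt above. The function names, the 60-second window, the 5-hit threshold and the sample lines (documentation addresses) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"')

def parse(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    try:  # group IPv4 clients by /24 so sibling proxies count together
        rec["net"] = str(ip_network(rec["ip"] + "/24", strict=False))
    except ValueError:  # logged as a hostname: keep it as its own group
        rec["net"] = rec["ip"]
    return rec

def find_bursts(lines, window=timedelta(seconds=60), min_hits=5):
    """Return {network: stats} for networks with >= min_hits requests in any window."""
    by_net = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        by_net[rec["net"]].append(rec)
    flagged = {}
    for net, recs in by_net.items():
        recs.sort(key=lambda r: r["ts"])  # log lines are not always in time order
        start = peak = 0
        for end, rec in enumerate(recs):
            while rec["ts"] - recs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_hits:
            flagged[net] = {"peak": peak, "bytes": sum(r["size"] for r in recs),
                            "paths": len({r["path"] for r in recs}),
                            "agents": sorted({r["ua"] for r in recs})}
    return flagged

# Constructed sample lines, modelled on the format of the excerpt above
UA = "Mozilla/4.0 (compatible;)"
SAMPLE = [
    f'192.0.2.{h} - - [14/Jan/2010:08:{t} -0500] "GET /dbsdlog/{p} HTTP/1.1" 200 {n} "-" "{UA}"'
    for h, t, p, n in [(152, "52:20", "2004/09", 66280), (152, "52:19", "2007/01", 69492),
                       (155, "51:52", "2004/02", 66507), (152, "52:23", "2005/01", 67146),
                       (155, "52:43", "2005/05", 67073)]
] + ['198.51.100.7 - - [14/Jan/2010:08:40:00 -0500] "GET /dbsdlog/ HTTP/1.1" 200 5000 "-" "ExampleBrowser/1.0"']
```

Calling find_bursts on the lines of a real access log gives, per flagged network, the peak request count in one window, total bytes served, distinct paths and the user agents seen.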

Categories: About This Site
6 Comments on Hello, government!

  1. They are watching you :D

  2. Anonymous says:

    Hmm, Border Command Post 2 of the US Customs and Border Patrol…

  3. Anonymous says:

    s/Patrol/Protection/

  4. Alex Libman says:

    Is it just me or does it seem like BSD people are a bit more libertarian than everyone else? Way to go!

    Check out HomelandStupidity.US for more on our benevolent overlords at the HDS.

  5. Petr Janda says:

    Maybe, but surely guys in the GPL camp are a bunch of commies dressed up as tree huggers!

  6. Anonymous says:

    Must be those 1000 newly hired “Security Experts” at work :-)
