This page is an archive of my old blog. Please visit DavidTucker.net for my current blog.
This site is no longer being maintained and commenting is disabled.

Help – Someone’s AIR Application is Hitting My Server

I truly need your help. I believe that someone followed my AIR Tip on monitoring an AIR application’s Internet connection and left my server name as the URL monitoring location. In addition, I believe this AIR application is set to check its connection every second. This AIR application has also obviously been distributed to multiple people, as I have over 40 IPs so far that are doing this. The only piece of identifying information that I have comes from the logs (the user-agent):

app:/OTBAir.swf" "Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/526.9+ (KHTML, like Gecko) AdobeAIR/1.5.1"

So the application is named OTBAir, or something like that. If you know of this AIR application, please let me know ASAP. I am not upset, as I think this probably was an honest mistake; however, I am having to spend a lot of extra time blocking IPs to prevent my server from getting bogged down with the requests.

21 Responses to “Help – Someone’s AIR Application is Hitting My Server”

  1. Haha says:

    Botnet attacks are so 2008, AIRnet attacks are 2009

  2. David Tucker says:

    It obviously is not a coordinated attack – too weak for that. I believe it was just a mistake. This could just have easily been done with any native application or server shell script. AIR is not any more dangerous than any of these (in fact it is less).

  3. Tom says:

    I am fairly sure, if you are using Apache, that you could use SetEnvIf and mod_rewrite to dump all requests with that header, rather than trying to keep up with the IP addresses.

  4. David Tucker says:

    @Tom – True – the only problem with that is that it is still hitting Apache – and I am afraid it will still bog down my server. The advantage of iptables is that Apache doesn’t have to take any of the weight. Apache was maxing out on threads and memory before.
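Tom's SetEnvIf/mod_rewrite idea written out, as an added example that is my configuration and not part of the original post or its comments. It assumes the Apache 2.2 access-control syntax current in 2009 and matches the two header values visible in the log line in the post: in the combined log format the quoted field before the user-agent is the Referer, which is where app:/OTBAir.swf appears, while AdobeAIR/1.5.1 is in the User-Agent. Either the mod_setenvif section or the mod_rewrite section is enough on its own.

```apache
# mod_setenvif: tag the poller's requests by Referer or User-Agent
SetEnvIfNoCase Referer    "^app:/OTBAir\.swf" air_poller
SetEnvIfNoCase User-Agent "AdobeAIR/"         air_poller

# Refuse tagged requests everywhere with a bare 403 (Apache 2.2 syntax)
<Location />
    Order Allow,Deny
    Allow from all
    Deny from env=air_poller
</Location>

# Keep the once-a-second hits out of the access log as well
CustomLog logs/access_log combined env=!air_poller

# Equivalent using mod_rewrite instead of the Deny above
RewriteEngine On
RewriteCond %{HTTP_REFERER}    ^app:/OTBAir\.swf [NC,OR]
RewriteCond %{HTTP_USER_AGENT} AdobeAIR/         [NC]
RewriteRule .* - [F,L]
```

This only makes each request cheaper (an empty 403 and, with the CustomLog line, no log write); as David says, Apache still accepts the connection and spends a thread on it, which is why a firewall rule is the right place to shed the load entirely. The User-Agent rule refuses every AIR application, not just this one, so the Referer rule is the precise one. Apache 2.4 replaces Order/Allow/Deny with a `<RequireAll>` block containing `Require all granted` and `Require not env air_poller`.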

  5. TJ Downes says:

    Hi David

    If all of the IPs hitting your servers are in the same subnet you can do a lookup on ARIN.net to determine who they are. Even if they are not on the same subnet, 40 IPs is not a lot to research.

    Once you have the IP info you can contact the IP provider to request that they contact the customer and put them in contact with you.

    The other thing you can do is simply block those IPs at the firewall. A bit of a harsh measure since the app is obviously not malicious.

  6. TJ Downes says:

    My mistake, I see you have been blocking them at the firewall :D

  7. robmcm says:

    Too late now, but it is always a good idea to use example.com for, well, examples. No idea who hosts it, but at least it’s not your server :)

    Good luck in your search!

  8. Rob says:

    You might want to search older logs to find when the App was in testing and development.

    That may give you a clue where the first hits came from.

    I searched Google but haven’t come up with anything yet.

  9. David Tucker says:

    @Rob – Thank you so much for your efforts!
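The log triage behind the post (finding the IPs to block) and Rob's suggestion of looking for each IP's earliest hit, as an added example that is not part of the original post or its comments. It is a POSIX shell script over Apache's combined log format, in which the quoted field before the user-agent is the Referer (where app:/OTBAir.swf appears) and the last quoted field is the User-Agent (AdobeAIR/1.5.1). The log lines, the IP addresses (RFC 5737 documentation ranges) and the function names are constructed for the example; the first-seen column assumes the log is in chronological order, as Apache writes it.

```shell
#!/bin/sh
# Added example: triage an Apache "combined" access log for the polling AIR
# client, report hits per source IP with the first time each IP was seen,
# and emit iptables rules for the worst offenders.
# Field order: ip - user [time] "request" status bytes "referer" "user-agent"

# Match the app's referer or any AIR runtime. The UA pattern alone would
# also catch unrelated AIR applications, so tighten to taste.
AIR_REFERER_PAT='OTBAir'
AIR_UA_PAT='AdobeAIR/'

# Write a constructed sample log (not real traffic) to the path in $1.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.10 - - [12/Mar/2009:10:00:01 -0500] "GET /connection.html HTTP/1.1" 200 12 "app:/OTBAir.swf" "Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/526.9+ (KHTML, like Gecko) AdobeAIR/1.5.1"
192.0.2.44 - - [12/Mar/2009:10:00:02 -0500] "GET /blog/ HTTP/1.1" 200 8421 "http://www.google.com/search?q=air+tip" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) Gecko/2009021910 Firefox/3.0.7"
203.0.113.10 - - [12/Mar/2009:10:00:02 -0500] "GET /connection.html HTTP/1.1" 200 12 "app:/OTBAir.swf" "Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/526.9+ (KHTML, like Gecko) AdobeAIR/1.5.1"
198.51.100.7 - - [12/Mar/2009:10:00:02 -0500] "GET /connection.html HTTP/1.1" 200 12 "app:/OTBAir.swf" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/526.9+ (KHTML, like Gecko) AdobeAIR/1.5.1"
203.0.113.10 - - [12/Mar/2009:10:00:03 -0500] "GET /connection.html HTTP/1.1" 200 12 "app:/OTBAir.swf" "Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/526.9+ (KHTML, like Gecko) AdobeAIR/1.5.1"
198.51.100.7 - - [12/Mar/2009:10:00:03 -0500] "GET /connection.html HTTP/1.1" 200 12 "app:/OTBAir.swf" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/526.9+ (KHTML, like Gecko) AdobeAIR/1.5.1"
192.0.2.44 - - [12/Mar/2009:10:00:05 -0500] "GET /feed/ HTTP/1.1" 200 30214 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) Gecko/2009021910 Firefox/3.0.7"
EOF
}

# Print the log lines produced by the AIR poller. Splitting on the double
# quote makes the referer field 4 and the user-agent field 6.
air_hits() {
    awk -F'"' -v ref="$AIR_REFERER_PAT" -v ua="$AIR_UA_PAT" \
        '$4 ~ ref || $6 ~ ua' "$1"
}

# One line per offending IP: "<ip> <hits> <first-seen>", busiest first.
# First-seen is the earliest line for that IP, assuming a chronological log.
air_offenders() {
    air_hits "$1" | awk -F'"' '
        {
            split($1, h, " ")        # h[1] = client IP, h[4] = "[dd/Mon/yyyy:hh:mm:ss"
            ip = h[1]
            ts = substr(h[4], 2)     # drop the leading "["
            count[ip]++
            if (!(ip in first)) first[ip] = ts
        }
        END { for (ip in count) printf "%s %d %s\n", ip, count[ip], first[ip] }
    ' | sort -k2,2nr
}

# Emit firewall rules for IPs with at least $2 hits (default 1). The rules
# are printed, not applied; review them, then pipe them into sh as root.
# -I inserts ahead of any ACCEPT rule so Apache never sees the request.
emit_block_rules() {
    air_offenders "$1" | awk -v min="${2:-1}" \
        '$2 >= min { printf "iptables -I INPUT -s %s -p tcp --dport 80 -j DROP\n", $1 }'
}

# Stand-alone demo on the constructed sample.
demo_log=$(mktemp)
write_sample_log "$demo_log"
air_offenders "$demo_log"
emit_block_rules "$demo_log" 3
rm -f "$demo_log"
```

Run against the real log with `air_offenders /var/log/apache2/access.log` and raise the threshold so a reader who happens to run an unrelated AIR application is not caught by the User-Agent pattern. Dropping at the INPUT chain is what keeps the load off Apache, but a hand-maintained block list grows with every new installation of the app; a per-source rate limit on port 80 (iptables `-m hashlimit`) would cap a once-a-second poller without listing its addresses at all.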

  10. zwetan says:

    use iptables TARPIT

    http://www.lowth.com/howto/iptables-treasures.php

    “To achieve this tar pit state, iptables accepts the incoming TCP/IP connection and then switches to a zero-byte window. This forces the attacker’s system to stop sending data, rather like the effect of pressing Ctrl-S on a terminal. Any attempts by the attacker to close the connection are ignored, so the connection remains active and typically times out after only 12–24 minutes. This consumes resources on the attacker’s system but not the Linux server or firewall running the tar pit. ”

    yes, it is evil ;)

  11. [...] AIR application is hitting David Tucker’s server after one of his readers took his AIR tip on monitoring an AIR application’s Internet connection [...]

  12. Avertedd says:

    Well... that opinion is admissible too. Although I think other options are possible, so don’t be upset.

  13. RichardOn says:

    Interesting site, but there are a lot of advertisements on it. I will read it by RSS subscription.

  14. Yorikk says:

    Thanks for the post. Informative.

  15. FokusLop says:

    Good article, thanks. My name is Philip.

  16. Ryan says:

    I think you could use the string module and header data in your iptables to screw with the traffic, something like this:

    # Needs the TARPIT target from xtables-addons; INPUT and --dport 80 match the inbound
    # request (FORWARD/--sport 80 would only see routed traffic or the server's own replies).
    iptables -A INPUT -i eth0 -p tcp --dport 80 \
      -m string --algo bm --string 'OTBAir' -j TARPIT

    The benefit is that your loyal readers (who apparently like your site so much that they’re using it in their code) can still access the site – instead of just a straight IP block.

  17. Olegreze says:

    Yandex’s main task is to give answers to users’ questions!

  18. Седдор says:

    Impressive, though!

  19. Yadiel says:

    You have a lot of guesses and suggestions, lucy

  20. vertu says:

    An interesting review. I will definitely post it on my blog.

  21. Tokio says:

    A good and clear blog.