I noticed some slowness when reaching this server, this morning. Logging in, there was no heavy CPU or swap usage. Looking at netstat, I saw the reason: the Department of Homeland Security was poking around.
I had a ton of http connections from the Department of Homeland Security. Here’s a fragment:
tcp4 0 0 cpe-74-74-237-13.http bcp2.cbp.dhs.gov.4985 FIN_WAIT_2
tcp4 0 0 cpe-74-74-237-13.http bcp5.cbp.dhs.gov.5628 FIN_WAIT_2
tcp4 0 0 cpe-74-74-237-13.http bcp2.cbp.dhs.gov.6168 TIME_WAIT
tcp4 0 0 cpe-74-74-237-13.http bcp2.cbp.dhs.gov.5551 TIME_WAIT
tcp4 0 0 cpe-74-74-237-13.http bcp5.cbp.dhs.gov.5783 FIN_WAIT_2
tcp4 0 0 cpe-74-74-237-13.http bcp2.cbp.dhs.gov.5319 TIME_WAIT
tcp4 0 0 cpe-74-74-237-13.http bcp2.cbp.dhs.gov.5077 TIME_WAIT
tcp4 0 0 cpe-74-74-237-13.http bcp2.cbp.dhs.gov.5636 FIN_WAIT_2
tcp4 0 0 cpe-74-74-237-13.http bcp2.cbp.dhs.gov.5130 TIME_WAIT
tcp4 0 0 cpe-74-74-237-13.http bcp2.cbp.dhs.gov.6007 TIME_WAIT
tcp4 0 0 cpe-74-74-237-13.http bcp5.cbp.dhs.gov.6546 FIN_WAIT_2
tcp4 0 0 cpe-74-74-237-13.http bcp5.cbp.dhs.gov.6083 FIN_WAIT_2
tcp4 0 0 cpe-74-74-237-13.http bcp5.cbp.dhs.gov.6397 FIN_WAIT_2
tcp4 0 12923 cpe-74-74-237-13.http bcp2.cbp.dhs.gov.4972 CLOSING
tcp4 0 0 cpe-74-74-237-13.http bcp2.cbp.dhs.gov.5273 TIME_WAIT
tcp4 0 0 cpe-74-74-237-13.http bcp2.cbp.dhs.gov.5157 FIN_WAIT_2
tcp4 0 0 cpe-74-74-237-13.http bcp2.cbp.dhs.gov.6130 FIN_WAIT_2
tcp4 0 0 cpe-74-74-237-13.http bcp2.cbp.dhs.gov.6171 FIN_WAIT_2
tcp4 0 26015 cpe-74-74-237-13.http bcp2.cbp.dhs.gov.5758 FIN_WAIT_1
tcp4 0 0 cpe-74-74-237-13.http bcp5.cbp.dhs.gov.5660 FIN_WAIT_2
tcp4 0 0 cpe-74-74-237-13.http bcp5.cbp.dhs.gov.5547 FIN_WAIT_2
Looking at my web server logs to see what was being retrieved, it appeared to be mostly this Digest (again, a fragment):
63.167.255.152 - - [14/Jan/2010:08:52:20 -0500] "GET /dbsdlog/2004/09 HTTP/1.1" 200 66280 "-" "Mozilla/4.0 (compatible;)"
63.167.255.152 - - [14/Jan/2010:08:52:19 -0500] "GET /dbsdlog/2007/01 HTTP/1.1" 200 69492 "-" "Mozilla/4.0 (compatible;)"
63.167.255.152 - - [14/Jan/2010:08:51:29 -0500] "GET /dbsdlog/2008/03 HTTP/1.1" 200 71795 "-" "Mozilla/4.0 (compatible;)"
63.167.255.152 - - [14/Jan/2010:08:52:21 -0500] "GET /dbsdlog/2008/06 HTTP/1.1" 200 76529 "-" "Mozilla/4.0 (compatible;)"
63.167.255.152 - - [14/Jan/2010:08:52:17 -0500] "GET /dbsdlog/2007/05 HTTP/1.1" 200 72058 "-" "Mozilla/4.0 (compatible;)"
63.167.255.152 - - [14/Jan/2010:08:52:19 -0500] "GET /dbsdlog/2008/10 HTTP/1.1" 200 73876 "-" "Mozilla/4.0 (compatible;)"
63.167.255.155 - - [14/Jan/2010:08:51:52 -0500] "GET /dbsdlog/2004/02 HTTP/1.1" 200 66507 "-" "Mozilla/4.0 (compatible;)"
63.167.255.152 - - [14/Jan/2010:08:52:23 -0500] "GET /dbsdlog/2005/01 HTTP/1.1" 200 67146 "-" "Mozilla/4.0 (compatible;)"
63.167.255.152 - - [14/Jan/2010:08:52:19 -0500] "GET /dbsdlog/2006/02 HTTP/1.1" 200 70752 "-" "Mozilla/4.0 (compatible;)"
63.167.255.152 - - [14/Jan/2010:08:52:16 -0500] "GET /dbsdlog/2007/03 HTTP/1.1" 200 70718 "-" "Mozilla/4.0 (compatible;)"
63.167.255.152 - - [14/Jan/2010:08:53:12 -0500] "GET /dbsdlog/xmlrpc.php?rsd HTTP/1.1" 200 918 "-" "Mozilla/4.0 (compatible;)"
63.167.255.152 - - [14/Jan/2010:08:51:31 -0500] "GET /dbsdlog/2003/12 HTTP/1.1" 200 67549 "http://www.shiningsilence.com/dbsdlog/2010/01/13/5306.html?bcsi_scan_B185D4CBD207A2FC=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7"
63.167.255.152 - - [14/Jan/2010:08:52:22 -0500] "GET /dbsdlog/2005/09 HTTP/1.1" 200 67506 "-" "Mozilla/4.0 (compatible;)"
63.167.255.152 - - [14/Jan/2010:08:52:19 -0500] "GET /dbsdlog/2006/01 HTTP/1.1" 200 71474 "-" "Mozilla/4.0 (compatible;)"
63.167.255.155 - - [14/Jan/2010:08:52:43 -0500] "GET /dbsdlog/2005/05 HTTP/1.1" 200 67073 "-" "Mozilla/4.0 (compatible;)"
63.167.255.155 - - [14/Jan/2010:08:52:20 -0500] "GET /dbsdlog/2007/09 HTTP/1.1" 200 71813 "-" "Mozilla/4.0 (compatible;)"
The 63.167.255.* addresses resolve to dhs.gov addresses. It looks like a web spider, running through the archival links in the Digest. While these pages aren’t that bandwidth-intensive, my upload speed is relatively low, so having a whole bunch of network connections at once does have a noticeable effect.
Weird. Spidering software hits this and other sites all the time, of course, though usually it’s something from Yahoo or Google. It is appropriate that a government-owned spider would be the most unsubtle in terms of network effects.
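The reading of the log above (which hosts, which paths, how many at once) can be done mechanically; this is an added example, not code from the post, that parses combined-format lines, groups them by client, finds the largest number of requests landing in any 10-second window, and flags a client whose hits are mostly monthly archive pages and arrive in a burst. The sample lines are constructed from the fragment in the post plus one made-up ordinary reader, and the thresholds (`window_s`, `burst`) are assumptions, not anything the post states.

```python
import re
from datetime import datetime
# Apache "combined" log format, the same shape as the fragment quoted in the post.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$')
ARCHIVE_RE = re.compile(r'^/dbsdlog/\d{4}/\d{2}$')  # monthly archive pages of the Digest

# Constructed sample modelled on the post's lines: two dhs.gov hosts plus one ordinary reader (192.0.2.10 is a documentation address).
SAMPLE = """\
63.167.255.152 - - [14/Jan/2010:08:52:16 -0500] "GET /dbsdlog/2007/03 HTTP/1.1" 200 70718 "-" "Mozilla/4.0 (compatible;)"
63.167.255.152 - - [14/Jan/2010:08:52:17 -0500] "GET /dbsdlog/2007/05 HTTP/1.1" 200 72058 "-" "Mozilla/4.0 (compatible;)"
63.167.255.152 - - [14/Jan/2010:08:52:19 -0500] "GET /dbsdlog/2007/01 HTTP/1.1" 200 69492 "-" "Mozilla/4.0 (compatible;)"
63.167.255.152 - - [14/Jan/2010:08:52:20 -0500] "GET /dbsdlog/2004/09 HTTP/1.1" 200 66280 "-" "Mozilla/4.0 (compatible;)"
63.167.255.152 - - [14/Jan/2010:08:53:12 -0500] "GET /dbsdlog/xmlrpc.php?rsd HTTP/1.1" 200 918 "-" "Mozilla/4.0 (compatible;)"
63.167.255.155 - - [14/Jan/2010:08:51:52 -0500] "GET /dbsdlog/2004/02 HTTP/1.1" 200 66507 "-" "Mozilla/4.0 (compatible;)"
192.0.2.10 - - [14/Jan/2010:08:52:30 -0500] "GET /dbsdlog/2010/01/13/5306.html HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
"""

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line; caller skips it
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])  # "-" on 304s etc.
    return rec

def peak_in_window(times, window_s):
    """Most requests that fall inside any window_s-second span (sliding window)."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best

def summarize(text, window_s=10, burst=4):
    """Per client: request count, bytes served, share of archive hits, peak rate, burst flag."""
    per_ip = {}
    for rec in filter(None, map(parse_line, text.splitlines())):
        per_ip.setdefault(rec["ip"], []).append(rec)
    out = {}
    for ip, recs in per_ip.items():
        archive = sum(1 for r in recs if ARCHIVE_RE.match(r["path"])) / len(recs)
        peak = peak_in_window([r["ts"] for r in recs], window_s)
        out[ip] = {"requests": len(recs), "bytes": sum(r["bytes"] for r in recs), "archive_share": round(archive, 2),
                   "peak_per_window": peak, "crawler_burst": peak >= burst and archive >= 0.5}
    return out
```

A slow archive walker (one page a minute, like the second dhs.gov host here) is left alone; only the combination of archive-heavy paths and a burst trips the flag.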
They are watching you :D
Hmm, Border Command Post 2 of the US Customs and Border Patrol…
s/Patrol/Protection/
Is it just me or does it seem like BSD people are a bit more libertarian than everyone else? Way to go!
Check out HomelandStupidity.US for more on our benevolent overlords at the HDS.
Maybe, but surely guys in the GPL camp are a bunch of commies dressed up as tree huggers!
Must be those 1000 newly hired “Security Experts” at work :-)