Mysterious ABE requests on my server?!

[Fritz Elfert]

Hi all,
I'm running an apache web server which has mod_security enabled. In the security logs, I recently noticed
recurring requests which get denied (using a 400) by mod_security and which (according to the UA in the header)
appear to come from hosts running some ABE feature. Here is a sample Request:

Code: Select all

GET / HTTP/1.0
Host: xxx.xxx.xxx.xxx
User-Agent: Mozilla/5.0 (ABE, http://noscript.net/abe/wan)
Pragma: no-cache
Cache-Control: no-cache, max-age=259200
Connection: keep-alive

Noticeable anomalies are:

• The IP in the Host header is usually identical to the request's origin e.g: NOT my server's IP.
• Requests don't contain an Accept header.
• The requests appear to increase at every full hour.

So, here are my question:
Are these really from ABE?
If yes - assuming some ABE thingy running wild - Can I fabricate some reply which stops them quering my server?

Thanks in advance for any hints.
-Fritz

[Fritz Elfert]

Anyone?

[dhouwn]

Are these really from ABE?

Yes.

Code: Select all

User-Agent: Mozilla/5.0 (ABE, http://noscript.net/abe/wan)

See http://noscript.net/abe/wan.

If yes - assuming some ABE thingy running wild - Can I fabricate some reply which stops them quering my server?

You might want to deactivate this functionality since apparently in your case it is not a router interface replying when you access your external IP on port 80. This is what this feature is meant to protect.