Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. NANOG>
  3. users
Traffic being directed at random infrastructure with pornhub.com host header (?)
drew.weaver at thenap
Sep 13, 2023, 6:35 AM
Post #1 of 3 (102 views)
Permalink
Has anyone else recently seen a spike of port 80 traffic being sent at seemingly random IP addresses that include the Pornhub host header?

0: 000C3170 A440000F 35F95000 08004500 ..1p$@..5yP...E<mailto:..1p$@..5yP...E>.
16: 004D0997 4000F006 F8D59DF5 7C90CFB6 .M..@.p.xU.u|.O6<mailto:.M..@.p.xU.u|.O6>
32: 9E010050 00500000 67D50000 000B5002 ...P.P..gU....P.
48: FFFF6559 00004745 54202F20 48545450 ..eY..GET / HTTP
64: 2F312E31 0D0A486F 73743A20 706F726E /1.1..Host: porn
80: 6875622E 636F6D0D 0A0D0A00 hub.com.....

Just thought it was quirky and was wondering if anyone else had seen it. This particular payload was directed at a Cisco router.

Offlist is fine if needed.
-Drew
Re: Traffic being directed at random infrastructure with pornhub.com host header (?) [ In reply to ]
jtk at dataplane
Sep 13, 2023, 7:28 AM
Post #2 of 3 (102 views)
Permalink
On Wed, 13 Sep 2023 13:35:30 +0000
Drew Weaver <drew.weaver@thenap.com> wrote:

> Has anyone else recently seen a spike of port 80 traffic being sent
> at seemingly random IP addresses that include the Pornhub host header?

Yes. The source possible, hopefully being research or commercial
scanners perhaps? I've seen a host from a US midwest EDU source
doing this. User agent string in that case was "Mozilla/5.0 quack/1.x"

It may be some sort of censorship measurement or perhaps even something
like this type of work:

<https://www.usenix.org/conference/usenixsecurity21/presentation/bock>

John
Re: Traffic being directed at random infrastructure with pornhub.com host header (?) [ In reply to ]
nanog at nanog
Sep 13, 2023, 4:08 PM
Post #3 of 3 (102 views)
Permalink
On Sep 13, 2023, at 20:38, Drew Weaver <drew.weaver@thenap.com> wrote:
Has anyone else recently seen a spike of port 80 traffic being sent at seemingly random IP addresses that include the Pornhub host header?

It may be related to this:

<https://www.netscout.com/blog/asert/http-reflectionamplification-abusable-internet-censorship>
[what-is-a-reflection-amplification-ddos-attack-blog-header_1600x900.jpg]
HTTP Reflection/Amplification via Abusable Internet Censorship Systems<https://www.netscout.com/blog/asert/http-reflectionamplification-abusable-internet-censorship>
netscout.com<https://www.netscout.com/blog/asert/http-reflectionamplification-abusable-internet-censorship>


--------------------------------------------

Roland Dobbins <roland.dobbins@netscout.com>

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal