What’s wrong with 209.88.228.11 and/or Konqueror?
Today I received over 100,000 hits like this:
209.88.228.11 - - [04/Oct/2005:16:57:52 -0400] "PROPFIND /error/notfound.html/ HTTP/1.1" 302 240 "-" "Mozilla/5.0 (compatible; Konqueror/3.4; Linux) KHTML/3.4.1 (like Gecko) (Debian package 4:3.4.1-1)"
It looks like the person actually came to my site for a legitimate reason:
209.88.228.11 - - [04/Oct/2005:09:50:41 -0400] "GET /weblog/2005/08/ HTTP/1.1" 200 53323 "http://www.google.com/search?hl=en&ie=UTF-8&q=download+growisofs+5.21+debian&spell=1" "Mozilla/5.0 (compatible; Konqueror/3.4; Linux) KHTML/3.4.1 (like Gecko) (Debian package 4:3.4.1-1)"
and then wanted to see the contents of my /blogimages directory. That directory (where I store images that appear on this blog) cannot be publicly viewed:
209.88.228.11 - - [04/Oct/2005:09:52:19 -0400] "PROPFIND /blogimages/ HTTP/1.1" 302 239 "-" "Mozilla/5.0 (compatible; Konqueror/3.4; Linux) KHTML/3.4.1 (like Gecko) (Debian package 4:3.4.1-1)" 209.88.228.11 - - [04/Oct/2005:09:52:19 -0400] "PROPFIND /error/notfound.html/ HTTP/1.1" 302 239 "-" "Mozilla/5.0 (compatible; Konqueror/3.4; Linux) KHTML/3.4.1 (like Gecko) (Debian package 4:3.4.1-1)"
But why would this failed request repeat more than 100,000 times, basically every second for hours? Is this a very bad konqueror behavior, or a well camouflaged denial-of-service attack, or something else entirely? This kind of thing could generate some bad press for free software unless there’s a good explanation (“Konqueror security hole swamps innocent websites,” etc..).