Apache: Excessive GET requests from Windows 7 host

pwatk · 01-17-2013, 04:09 PM

Hi,

I seam to be having an issue with my wife's new Windows 7 laptop sending GET requests every sixteen seconds to the web server (Apache in this case) on our network.

There's an example:

Code:

192.168.10.50 - - [15/Jan/2013:14:02:05 +0000] "GET / HTTP/1.0" 200 254 "-" "-"
192.168.10.50 - - [15/Jan/2013:14:02:22 +0000] "GET / HTTP/1.0" 200 254 "-" "-"
192.168.10.50 - - [15/Jan/2013:14:02:38 +0000] "GET / HTTP/1.0" 200 254 "-" "-"
192.168.10.50 - - [15/Jan/2013:14:02:56 +0000] "GET / HTTP/1.0" 200 254 "-" "-"
192.168.10.50 - - [15/Jan/2013:14:03:12 +0000] "GET / HTTP/1.0" 200 254 "-" "-"
192.168.10.50 - - [15/Jan/2013:14:03:28 +0000] "GET / HTTP/1.0" 200 254 "-" "-"
192.168.10.50 - - [15/Jan/2013:14:03:44 +0000] "GET / HTTP/1.0" 200 254 "-" "-"
192.168.10.50 - - [15/Jan/2013:14:04:01 +0000] "GET / HTTP/1.0" 200 254 "-" "-"
192.168.10.50 - - [15/Jan/2013:14:04:17 +0000] "GET / HTTP/1.0" 200 254 "-" "-"
192.168.10.50 - - [15/Jan/2013:14:04:33 +0000] "GET / HTTP/1.0" 200 254 "-" "-"
192.168.10.50 - - [15/Jan/2013:14:04:49 +0000] "GET / HTTP/1.0" 200 254 "-" "-"
192.168.10.50 - - [15/Jan/2013:14:05:06 +0000] "GET / HTTP/1.0" 200 254 "-" "-"
192.168.10.50 - - [15/Jan/2013:14:05:22 +0000] "GET / HTTP/1.0" 200 254 "-" "-"
192.168.10.50 - - [15/Jan/2013:14:05:38 +0000] "GET / HTTP/1.0" 200 254 "-" "-"

The server provides a number of services including DNS , DHCP, Samba shares and various web applications.

The laptop obviously uses the server for DNS and DHCP but has never been used to access any of the web applications.

I really cannot figure out why this is happening so I'd appreciate it if anyone could try to point me in the right direction.

Thanks.

Kustom42 · 01-17-2013, 04:14 PM

Try using wireshark with an http filter on the windows 7 machine to see if it gives you more info on what is generating the requests. that would be my first step

pwatk · 01-19-2013, 01:56 PM

What I neglected to mention is this only happens intermittently so analysis is kind of difficult and I doubt this makes any difference but the index.html file is totally empty (I'm not serving any static pages).

We've tried narrowing it down by reproducing all the things she did during her last session but nothing was recorded in the logs. She was on the laptop for about an hour and a half and did very few activities other than an online educational course and visiting Facebook.

I can't say this is really causing a problem (every 16 seconds is hardly a DOS attack) it's just weird and since each request is missing a header it's difficult to narrow down.

Windows is so annoying!

unSpawn · 01-19-2013, 02:29 PM

...then use tcpdump or tshark with a BPF filter for "source host 192.168.10.50 and destination port 80" on the server and save the packets to file, collect them later on and then analyze with Wireshark?

Kustom42 · 01-22-2013, 12:52 PM

Yep, gonna have to packet capture this one. Wireshark on the windows 7 box with the filters recommended would be my first step.

pwatk · 01-24-2013, 05:37 AM

I finally managed to figure this out, it appears to be something to do with the SSDP protocol.

I guess the service running on the laptop isn't getting the response it wants/expected so it just keeps trying for an hour. When I've got time I might try to fix it (if it really needs fixing).

Thanks for helping everyone.

Kustom42 · 01-28-2013, 02:04 PM

Ah SSDP... Same Sh*t Different Protocol?

At least you narrowed it down, do you know what app is using this protocol? If you don't have an installed app actually using it and it's just windows trying to discover you can simply turn off the SSDP Discovery service.