The following is the result of scanning all HTTP access logs between 2002-06-10 and 2004-01-21 (the log current at the the time the intense attack began) for sequences of accesses which match the pattern of the attack. All access sequences which contained five or more consecutive hits to the home page without any intervening hit to another page were logged. The vast majority of these had only a few more hits to the home page and enormously more hits to other pages; these were excluded. The following access sequences, which go as far back as 2003-01-12, more than a full year prior to the current attack, all closely match the pattern of the currently attacking host. With the exception of the first entry in the table, none hit any other pages on the site. I include the first entry as an exception both because it is the first and because of the extraordinary history of accesses from this site between January and late November 2003. (Note that many IP addresses appear multiple times in this table because their access patterns appeared in different archived log files. HTTP log files at Fourmilabl are cycled at irregular intervals, whenever they're approaching 2 Gb in size.). The site in the first entry, IP address 68.35.92.91, which presently resolves to bgp01391858bgs.sequoa01.nm.comcast.net (this may have changed since the time of these accesses--there's no way to know, but it's almost certainly a comcast.net customer), hit the site between January 12 and November 25 2003, with a total of 43,249 times with only 29 other hits. I thought it would be interesting to see what *those* hits were, and upon scanning the log file for them, they turned out to be "HEAD / HTTP/1.1" requests--in other words, *still* requests for the home page, but just for its header information, not the page text--still no retrievals of any other page. Further, the HEAD requests started right at the beginning of that log file, and followed the pattern of the subsequent attack with GET requests, switching from HEAD to GET on 2003-01-12:06:22:55 with a few (the 29 "Other Hits") HEAD requests subsequently, none after 14/Jan/2003:00:03:09. Looking back into the previous log, the attack pattern hits from this site started on 2002-12-06 18:16:31, but no earlier instances were seen in this log or the one before it which extends back until 2002-09-27. December 6, 2002, then, appears to be when the first site started hitting with HEAD requests. GET hits only: Hours Seconds Other Hits IP Address First Hit Latest Hit Active per hit (avg) Hits 2167 68.35.92.91 2003-01-12 06:22:55 2003-01-25 06:56:01 312 519 29 bgp01391858bgs.sequoa01.nm.comcast.net 142 200.158.222.231 2003-01-18 05:52:17 2003-01-19 01:54:36 20 508 0 200-158-222-231.dsl.telesp.net.br 138 200.158.222.29 2003-01-19 09:14:02 2003-01-20 04:50:31 19 511 0 200-158-222-29.dsl.telesp.net.br 4705 68.35.92.91 2003-01-25 07:31:59 2003-02-23 19:52:44 708 541 0 bgp01391858bgs.sequoa01.nm.comcast.net 2983 217.33.123.50 2003-02-13 11:20:36 2003-02-23 19:57:42 248 300 0 ? 4760 68.35.92.91 2003-02-23 20:00:04 2003-03-23 01:10:19 653 493 0 bgp01391858bgs.sequoa01.nm.comcast.net 170 217.33.123.50 2003-02-23 20:02:41 2003-02-24 10:17:44 14 301 0 ? 503 62.253.192.42 2003-03-18 10:50:34 2003-03-21 10:43:39 71 514 0 ? 3844 68.35.92.91 2003-03-23 01:17:30 2003-04-15 12:43:38 562 526 0 bgp01391858bgs.sequoa01.nm.comcast.net 1055 64.122.51.111 2003-04-02 17:35:57 2003-04-09 00:38:32 151 515 0 ? 5771 68.35.92.91 2003-04-15 12:50:47 2003-05-15 15:20:18 722 450 0 bgp01391858bgs.sequoa01.nm.comcast.net 766 207.158.50.99 2003-05-06 07:43:19 2003-05-15 15:14:34 223 1050 0 ? 1255 64.122.51.111 2003-05-07 17:15:36 2003-05-13 18:02:30 144 415 0 ? 6740 68.35.92.91 2003-05-15 15:29:11 2003-06-20 14:07:30 862 460 0 bgp01391858bgs.sequoa01.nm.comcast.net 441 207.158.50.99 2003-05-15 15:31:15 2003-05-27 09:57:42 282 2305 0 ? 878 207.158.50.105 2003-05-30 06:16:09 2003-06-09 19:52:45 253 1039 0 ? 717 64.122.51.111 2003-05-28 19:21:59 2003-06-20 14:11:31 546 2745 0 ? 2199 68.35.92.91 2003-07-30 22:07:18 2003-08-11 20:42:24 286 469 0 bgp01391858bgs.sequoa01.nm.comcast.net 4728 64.237.60.52 2003-08-08 11:53:21 2003-08-11 20:42:22 80 61 0 ? 4902 68.35.92.91 2003-08-11 20:50:32 2003-09-09 02:43:31 677 497 0 bgp01391858bgs.sequoa01.nm.comcast.net 4023 64.237.60.52 2003-08-11 20:44:07 2003-08-19 20:36:38 191 171 1 ? 3703 64.122.51.111 2003-08-12 05:07:58 2003-09-07 22:42:42 641 623 0 ? 1315 64.237.60.18 2003-08-21 17:46:17 2003-08-23 22:11:09 52 143 0 ? 429 12.203.220.137 2003-09-10 11:17:44 2003-09-11 15:53:57 28 240 0 12-203-220-137.client.attbi.com 3753 68.35.92.91 2003-09-13 20:50:30 2003-10-06 05:13:05 536 514 0 bgp01391858bgs.sequoa01.nm.comcast.net 496 64.122.51.111 2003-10-16 16:47:18 2003-10-19 08:32:30 63 462 0 ? 2662 68.35.92.91 2003-10-20 18:46:38 2003-11-07 04:22:39 418 566 0 bgp01391858bgs.sequoa01.nm.comcast.net 2455 64.122.51.111 2003-11-13 22:46:07 2003-11-25 10:51:58 276 404 0 ? 1746 68.35.92.91 2003-11-15 22:39:40 2003-11-25 10:49:02 228 470 0 bgp01391858bgs.sequoa01.nm.comcast.net 2700 66.250.131.50 2003-12-07 08:46:00 2003-12-08 15:52:15 31 41 0 ? 300 66.250.131.50 2003-12-10 15:07:04 2003-12-10 16:52:12 1 21 0 ? 3761 66.250.131.50 2003-12-24 16:35:17 2004-01-18 11:32:04 594 569 0 ? 274 64.239.138.76 2004-01-12 21:43:05 2004-01-21 17:36:20 211 2783 0 colo3.hostcloud.com Previous HEAD and GET hits: Hours Seconds Other Hits IP Address First Hit Latest Hit Active per hit (avg) Hits 645 68.35.92.91 2002-12-06 18:16:31 2002-12-10 13:57:47 91 511 0 bgp01391858bgs.sequoa01.nm.comcast.net 1488 68.35.92.91 2002-12-10 15:16:05 2002-12-22 23:08:23 295 715 0 bgp01391858bgs.sequoa01.nm.comcast.net