Is there anything perhaps protecting or intercepting the data on its way to the server, perhaps an Arbor device of some type of load balancer? This type of behavior is quite common when protecting web assets to eliminate zombies and such, but its usually something you would see back to the clients, not tp the server. Also, IIRC, the LOIC DoS tool had this ability to create random strings in the URL, and I believe it did so with 5 characters. Might want to do a packet trace and identify if this is coming from LOIC. Regards, Stefan Fouant Technical Trainer, Juniper Networks GPG Key ID: 0xB4C956EC Sent from my HTC EVO. ----- Reply message ----- From: "Christopher J. Pilkington" <cjp@0x1.net> Date: Tue, Nov 1, 2011 3:51 pm Subject: Random five character string added to URLs? To: <nanog@nanog.org> This might be off-topic, my apologies if so. I seeing requests against a server with initial GET requests in the form: GET /[a-zA-Z]{5}/pagename.html pagename.html being optional. The 5 character string seems to be random. This GET always results in a 404, as our servers don't have these paths. The second request seems to always the same without the modified path, which results in a 20. I initially suspected this was something from an attack or DOS tool, but the traffic doesn't fit such a pattern. Is anyone familiar with what device/service behaves in this fashion? Clearly something layer 7 is between the clients and the server. Provider is without clue regarding this. Google results in many GoDaddy users complaining of same; the server in question is not hosted with them, but I suspect they may be doing something similar. Thanks, -cjp