Hostname Spoofing Attempt

Complexity: Medium (3.0)

Default Response: 1x = 1 Day Block

Cause: WebApp Secure expects certain indexing clients (such as Google, Yahoo! and others) to visit protected sites. These clients are identified by their originating hosts, and the hostname patterns are defined in the Client Classification Incident options. This incident is triggered when a client attempts to spoof the hostname of the IP address it originates from. A forward-confirmed reverse DNS lookup is performed to compare the client-provided hostname with the actual resolved hostname.

Behavior: Spoofing the hostname requires some manipulation of a local DNS cache and has no legitimate purpose. This behavior is possibly related to a user who is attempting to scan a website under the guise of a legitimate spider. If the user is knowledgeable about WebApp Secure counter-response behavior, they may be attempting to avoid counter responses that are intended for clients which are not legitimate spiders.
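
Example (added here, not WebApp Secure's own code): a forward-confirmed reverse DNS check of the kind described under Cause, showing why a hostname that matches a spider pattern is only trusted once the forward lookup returns the client's IP. The suffix search.example, the sample addresses, the function names and the three result labels are assumptions made for illustration.

```python
import ipaddress
import socket

# Constructed sample DNS data (documentation IP ranges, hypothetical .example names).
SAMPLE_PTR = {
    "192.0.2.10": "crawl-10.search.example.",   # genuine crawler address
    "203.0.113.7": "crawl-10.search.example",   # PTR claims a crawler name
    "203.0.113.8": "crawl.notsearch.example",   # look-alike domain
    "198.51.100.5": "host5.isp.example",        # ordinary client
}
SAMPLE_FWD = {"crawl-10.search.example": ["192.0.2.10"]}

def system_ptr(ip):
    """PTR lookup through the system resolver; None when there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(hostname):
    """A/AAAA lookup through the system resolver; set of address strings."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except OSError:
        return set()

def classify(ip, spider_suffixes, ptr=system_ptr, forward=system_forward):
    """Return 'not-a-spider', 'verified-spider' or 'hostname-spoof' (labels assumed)."""
    name = (ptr(ip) or "").rstrip(".").lower()
    # Match on a label boundary so a look-alike domain does not pass as a spider.
    if not name or not any(name == s or name.endswith("." + s) for s in spider_suffixes):
        return "not-a-spider"
    client = ipaddress.ip_address(ip)
    confirmed = False
    for addr in forward(name):
        try:
            confirmed = confirmed or ipaddress.ip_address(addr) == client
        except ValueError:  # skip anything that is not a plain IP address
            continue
    return "verified-spider" if confirmed else "hostname-spoof"

def classify_sample(ip):
    """Run classify() against the constructed tables instead of live DNS."""
    return classify(ip, ["search.example"], SAMPLE_PTR.get,
                    lambda host: SAMPLE_FWD.get(host, []))

if __name__ == "__main__":
    for ip in list(SAMPLE_PTR) + ["198.51.100.99"]:
        print(ip, classify_sample(ip))
```

Calling classify() without the ptr and forward arguments uses the system resolver instead of the constructed tables.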