Constantly under attack: inquiring, I discovered a huge URSS DNS poisoning

Well, it turned out that a mobile application, “classmates”, produced and distributed for free, was the reason for the unusual and considerable amount of traffic on one of my IP addresses.


In this and this article I described the unusual 404 traffic I started receiving right after having added a new IP address to my server. I went through the log files and got information on both the referer and the requested files, and I discovered that the referer was always some subdomain of

Then I picked some of the destination URLs and started searching; at this point (I can’t recall precisely how I did it) I discovered it was a mobile app called “classmates” that was trying to get data from my server the usual way mobile apps do: web services + XML. Suspiciously, these requests were made without using a specific hostname, but just the IP address.
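The log triage described above (tabulating 404s by requested path, referer and the address the client asked for) is easy to script. The following is an added example, not code from the post: it assumes an access-log format whose first field is the Host header (Apache's `vhost_combined` or an nginx format starting with `$host`), followed by the usual combined fields, and the sample lines are constructed using documentation address ranges. `SERVED_HOSTS` is an assumed list of names the server legitimately answers for.

```python
"""Summarize 404 traffic by Host header, referer domain and requested path.

Added example (not the post's own code). Assumed log format: Host header
first, then Apache/nginx "combined" fields.
"""
import re
from collections import Counter
from ipaddress import ip_address
from urllib.parse import urlsplit

# Hostnames this server legitimately serves (assumption for the example).
SERVED_HOSTS = {"www.example.org"}

# Constructed sample lines (documentation IP ranges, invalid domains); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 198.51.100.7 - - [10/Mar/2011:10:01:02 +0100] "GET /api/getfeed.xml?uid=1 HTTP/1.1" 404 210 "http://m.example.invalid/app" "Mozilla/5.0 (Linux; Android)"
203.0.113.10 198.51.100.8 - - [10/Mar/2011:10:01:03 +0100] "POST /api/login HTTP/1.1" 404 210 "http://www.example.invalid/" "Mozilla/5.0 (Linux; Android)"
www.example.org 198.51.100.9 - - [10/Mar/2011:10:01:04 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 198.51.100.7 - - [10/Mar/2011:10:01:05 +0100] "GET /api/getfeed.xml?uid=2 HTTP/1.1" 404 210 "http://m.example.invalid/app" "Mozilla/5.0 (Linux; Android)"
api.example.invalid 198.51.100.12 - - [10/Mar/2011:10:01:06 +0100] "GET /api/getfeed.xml?uid=3 HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Linux; Android)"
"""

# host client ident user [time] "method path protocol" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def bare_host(host):
    """Strip a port (and IPv6 brackets) from a Host value: '203.0.113.10:8080' -> '203.0.113.10'."""
    if host.startswith("["):
        return host[1:host.index("]")]
    return host.split(":", 1)[0]


def is_bare_ip(host):
    """True when the client addressed the server by IP literal instead of a hostname."""
    try:
        ip_address(bare_host(host))
        return True
    except ValueError:
        return False


def referer_domain(referer):
    """Domain part of the Referer header, or '(none)' when the client sent none."""
    if referer in ("", "-"):
        return "(none)"
    return urlsplit(referer).hostname or "(unparsable)"


def summarize(log_text):
    """Count all requests per Host, and break the 404s down by origin and path."""
    s = {"total": 0, "unparsed": 0, "errors_404": 0, "bare_ip_404": 0,
         "unexpected_host_404": 0, "hosts": Counter(),
         "referer_domains": Counter(), "paths": Counter()}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            s["unparsed"] += 1
            continue
        s["total"] += 1
        s["hosts"][rec["host"]] += 1
        if rec["status"] != "404":
            continue
        s["errors_404"] += 1
        if is_bare_ip(rec["host"]):
            s["bare_ip_404"] += 1          # client was handed our address directly
        elif bare_host(rec["host"]) not in SERVED_HOSTS:
            s["unexpected_host_404"] += 1  # client resolved a name we do not serve to us
        s["referer_domains"][referer_domain(rec["referer"])] += 1
        s["paths"][rec["path"].split("?", 1)[0]] += 1  # drop the query string
    return s


def report(summary, top=5):
    """Print the summary in the order an investigator would read it."""
    print(f"requests={summary['total']} unparsed={summary['unparsed']} "
          f"404s={summary['errors_404']} bare-IP 404s={summary['bare_ip_404']} "
          f"unexpected-host 404s={summary['unexpected_host_404']}")
    for key in ("hosts", "referer_domains", "paths"):
        print(f"top {key}:")
        for value, n in summary[key].most_common(top):
            print(f"  {n:6d}  {value}")


if __name__ == "__main__":
    report(summarize(SAMPLE_LOG))
```

The two Host-based counters tell different stories: a hostname you do not serve showing up in Host means the client resolved that name to your address (HTTP/1.1 clients send the name from the URL, whatever the resolver answered), while an IP literal in Host means the client was given the address directly. Both are worth separating before concluding where the traffic came from.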

Unusual, isn’t it?

Why would developers hardcode the web services server’s IP address, and why would they use an IP address for this in place of an easy-to-manage hostname?

The answer is the simplest: they didn’t.

So what?

Obvious: since the traffic was big but not huge, I think that just one or a few Russian DNS servers have been attacked and poisoned. Now, why my IP? I think it’s a typo made by the attacker, as I gathered information about this very IP address from my provider and they told me that the address has belonged to them for a considerable (in these terms) time. That’s why the only possibility is a DNS poisoning that is still going on while I’m writing. Still going on because I already sent a couple of emails to them, but I think they didn’t even take it into consideration 🙂 … Russian antispam maybe doesn’t want gmail… 😀 Anyway, I solved it on my side with my provider, who promptly changed my address to another one.

I hope this will be ok…


