Why is this China IP hitting my web site?

ip ip-address web address china

Welcome to hosting a website on its own IP address. You can put a host on a public IP nowadays and chances are you'll get hit with a scan before the end of the day, probably sooner. Often times the source is just scanning up and down the IP ranges looking for running web, mail or shell servers to attack. They may not even know your website's proper domain name.

Updating my answer since I notice its now the top site that comes up when you ask this question and similarly worded ones. So much has happened in this field since 2011, when I originally answered your question.

China has a sophisticated state funded cyberattack force that is constantly scanning most of the Internet on a daily basis looking for vulnerable website software and services. They will do repeat scans so you'll see the same IPs over and over again in your logs and site stats. This has been going on since at least as far back as the late 1990s, but in recent years has increased significantly.

Chances are your site is going to be hit by other countries and from inside the US as well by adversaries also looking for vulnerable sites, but right now China is by far the largest source of these types of attacks. As always, you should make sure your website's software is kept up to date because if you are running any vulnerable version of popular software you can bet it will be exploited quickly.


Can you tell me why my site would be getting this type of hit? Is this normal? Is this a bot?

Because you're hosting a website, wait for it, on the World Wide Web. Not the United States Web.

Don't worry about it. If you really don't want China to hit your website then put appropriate firewall rules in place to block that traffic.


Many chinese people also speak the lingua-franca of the web, which is essentially english. I'd set up google analytics to track who's referring links to your site.

As long as it isn't a Denial of service situation, it might be positive for your sites.


Evik - it's possible that franchoice or bison were trying to gain organic search dominance by purchasing up multiple keyword heavy domain names and pointing them to the same codebase. They might have even promoted some of these domains by purchasing links on affiliate websites which in turn get spidered by the search robots which then show up in your log files - It's not possible to know if it's robot traffic or user traffic with only log data. You might have better luck collecting user agent data.

Related

IPv6 link-local routing
fail2ban bans me after a series of *successful* logins
Apache on Localhost to block incoming connections outside localhost
How to clone computers to give each an unique computer name
Best way to tag/identify processes for killing them later?
Connections establish slowly, while download rate is great -Linux
Error upgrading Ubuntu server from Intrepid to Jaunty
How Do I Install Net-SNMP on Windows??? (without visual studio)
Wake on LAN over different subnets
How often should tape backups be verified?
In Ubuntu can root overwrite any file?
SSH restart and kill instances?