A few weeks ago, a site I work with began seeing a big rise in traffic – from a baseline of 10K visits per day to spikes of as much as 40K. The odd thing was that the traffic looked kind of human, except for a high bounce rate and no actions on the site. The IP addresses were diverse and typical of consumers. All were Windows users of varying vintages and all the browsers were Internet Explorer, from version 6 to 9. These “visitors” were fully recorded by Google Analytics.
A discussion I started at WebmasterWorld, Logs Show Surge, but Not Human? (featured on the site’s home page as “Site Logs Show Traffic Surge: Human or Zombie?”), revealed that other webmasters were also seeing these mysterious traffic surges. While nobody reported DDoS levels that would take a site down, the increase in bandwidth and poor engagement metrics were worrisome to webmasters. All removed AdSense from the pages that were seeing the traffic blast due to plummeting click metrics. At least one webmaster shut a site down as it was unusable as an ad platform with the inflated traffic.
Nobody was able to suggest a reason behind these attacks, but the source was generally assumed to be a botnet composed of infected Windows machines due to the OS and browser metrics. There was even discussion of whether the traffic could be detected and an infection warning displayed to the presumably oblivious user.
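One way to check server logs for the pattern described above (a surge made up of one-hit visits from Internet Explorer 6 to 9 on Windows), as an added example that is not part of the original post. It assumes Apache/nginx combined log format; the thresholds, function names and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined Log Format: ip - - [day:time zone] "request" status bytes "referer" "user-agent"
LINE = re.compile(r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}):[^\]]+\] '
                  r'"[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')
# Signature described in the post: Internet Explorer 6 through 9 on Windows.
SUSPECT_UA = re.compile(r'MSIE [6-9]\.\d+;.*Windows')

def daily_profile(lines):
    """Per day: (visitor count, fraction that are one-hit Windows/IE 6-9 visitors)."""
    hits = defaultdict(lambda: defaultdict(int))   # day -> (ip, ua) -> request count
    for line in lines:
        m = LINE.match(line.strip())
        if m:                                      # malformed lines are skipped
            ip, day, ua = m.groups()
            hits[day][(ip, ua)] += 1
    profile = {}
    for day, visitors in hits.items():
        suspect = sum(1 for (ip, ua), n in visitors.items()
                      if n == 1 and SUSPECT_UA.search(ua))
        profile[day] = (len(visitors), suspect / len(visitors))
    return profile

def flag_surges(profile, baseline, factor=2.0, min_share=0.6):
    """Days above factor * baseline visitors AND dominated by the signature."""
    return sorted(day for day, (visitors, share) in profile.items()
                  if visitors > factor * baseline and share >= min_share)

# Constructed sample data (documentation IP ranges, made-up dates), not real logs.
IE8 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
IE6 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
FF = "Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0"

def hit(ip, day, path, ua):
    return f'{ip} - - [{day}:10:00:00 +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'

SAMPLE = (
    [hit("192.0.2.1", "01/Mar/2012", p, FF) for p in ("/", "/a")] +      # normal visitor
    [hit("192.0.2.2", "01/Mar/2012", p, IE8) for p in ("/", "/b")] +     # engaged IE user
    [hit(f"198.51.100.{i}", "02/Mar/2012", "/", IE8 if i % 2 else IE6)   # one-hit surge
     for i in range(8)] +
    [hit("192.0.2.1", "02/Mar/2012", p, FF) for p in ("/", "/a")]
)

if __name__ == "__main__":
    print(flag_surges(daily_profile(SAMPLE), baseline=2))
```

Requiring both conditions keeps a genuine traffic spike with mixed browsers, or a quiet day with a few legacy IE users, from being flagged.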
A clue?
Surprisingly, there have been few reports of this strange activity outside of WebmasterWorld. Today, though, one member linked to a comment at Google Groups that sounded somewhat similar. There, “Maz945” reported seeing a traffic surge similar to the ones I describe and being solicited at the same time for a web monitoring service called Gomez from Compuware. Maz complained to Compuware when he found out they also have a large load testing network. The firm denied having anything to do with the traffic, but it stopped immediately after that complaint.
Who is Gomez?
With Maz’s comments pointing the way, I dug into Compuware and Gomez a little. They operate the Gomez Peer Zone, a scheme that signs people up to make money at home using the idle capacity of their PC. Specifically, their site says, the background app they download “leverages your system’s idle resources (such as unused processing power, RAM, and bandwidth) to test the performance of many of the world’s most popular websites.”
Their pay scale won’t make Gomez users rich – they get paid a minimum of $5 per month, and max out at $45. They can earn a whole dollar when they refer a friend!
How big is this network? A release by Compuware dated last year claimed 150,000 nodes. More recently, Gomez welcomed 1,600 new “peers” activated on February 16!
Load Testing for Dummies
While poking around I found that Compuware has actually issued a branded version of Web Load Testing for Dummies! So, this company is presenting itself as an expert in load testing and building a giant network of slave machines for a few bucks a month each…
Gomez Does Windows
The only defining characteristic of the big traffic surges has been a Windows monoculture. All the operating system metrics show various Windows versions and IE browsers. Gomez’s system requirements dovetail neatly with that:
- An active Internet connection
- 500 MHz Pentium III or higher
- Windows XP/2003/Vista/2008 and Windows 7 (x64 platforms are also supported)
Specifically, they state, “Gomez PEER is available for Windows XP/2003/Vista/2008 and Windows 7 (x64 platforms are also supported). Linux, Mac and Solaris are not supported.”
Can You Shed Some Light?
At the moment, it is only speculation that Compuware’s network of Gomez slave machines is responsible for these sometimes devastating attacks. I’d welcome comments from anyone who can shed some light on this mystery. Are you seeing big, inexplicable traffic surges? Do you have any indication of what kind of network is responsible for them? Leave a comment, or use the contact form to drop me a note!
[ADDED: I was unable to locate an abuse contact at Compuware or Gomez. In fact, all I could find was a listing here that said that [email protected] was not working and hence did not comply with RFC 2142.
Rather than take my chances with a catch-all contact form, I have reached out to @gomezpeerzone and @compuware via Twitter. If they respond, I will publish their comments here. If Compuware and Gomez aren’t the source of this traffic, perhaps they can shed some light on who is. Stay tuned!]