As part of my Apache logs, I can frequently observe a sequence of consecutive GET like :
- 46.235.158.196 - Requesting a file
- Some other host requesting the exact same file within the same second with the same user agent
Being said that :
- 46.235.158.196 is said belonging to Symantec
- But said by the SpamHaus infected or NATing for a computer infected with matsnu
- The other host IP varies but is systematically owned by one or another reknown institution
I am wondering wether it is a legal protection service from symantec or a sign that the other host is infected or NATing too ?
The pattern of a security organization or cloud IP doing the same request immediately before implies some form of link following. Probably it is legit security technology. Its not a NAT or proxy if different IPs are doing the requests.
Only of concern if it is abusing your service. There are approaches to rate limiting or intrusion detection you may employ if it is a problem.