Will the Real tide*.microsoft.com Please Stand Up?
Yesterday in a routine overview of server log files I came across one website that had substantially more traffic than usual. An investigation started. I was hoping to find evidence of the “slashdot effect” and discover the traffic was real. However, that was not the case.
Instead I discovered that one particular IP address had made over 21,000 requests for the same page within 30 minutes. The IP address was 131.107.0.102 and I immediately started blocking that IP address at the firewall.
The IP address resolves back to tide532.microsoft.com. At first I suspected MSNbot had become dazed and confused while crawling the site. However I also noticed that the User-Agent wasn’t reported as MSNbot, but rather as a Windows 98 PC. Weird.
I started to Google things like “tide.*microsoft.com”, “tide.microsoft.com”, “tide microsoft.com” and came up with some interesting results. Some websites seemed to think that it was indeed MSNbot. But why would they use a user-agent of Windows 98 and totally hide the fact that it was a bot? Perhaps they are having trouble with sites serving up different content for bots than “regular” visitors and they are being stealthy?
Other websites seemed to be pointing to some sort of conspiracy theory that the tide servers are a way Microsoft is measuring market-share of their IIS webserver software. Several websites mentioned this was the function of those servers.
So I sent an email to MSN Search asking if the IP address was MSNbot. They didn’t answer my question but instead asked to see server logs. I sent them two or three lines and asked again if the IP address was part of MSNbot. And again they replied without answering my question, instead asking for more server logs. I sent them a few hundred grepped lines of the IP address making the same request over and over for the same URL. I also repeated my query to them if the IP was MSNbot. So far no response.
All of my other emails were responded to within an hour; my last email to them hasn’t been responded to yet and it has been almost 24 hours. So my search for an answer continues… Who or what is tide.*microsoft.com? Why did it make 21,000+ requests for the same URL on my site within 30 minutes? Inquiring minds want to know!
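The triage described in this post (one client, one URL, a burst of hits inside 30 minutes, and a User-Agent that does not match the hostname) can be automated over an access log. The following is an added example, not part of the original post; it assumes the Apache/NGINX combined log format, and the function names, the default threshold and the sample log lines (documentation IP ranges) are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed input: Apache/NGINX "combined" access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

def find_floods(lines, window=timedelta(minutes=30), threshold=1000):
    """Flag (ip, path) pairs with >= threshold hits inside any sliding window.
    Lines must be in chronological order, as access logs are. The default
    threshold is an arbitrary assumption; tune it to the site's normal traffic.
    """
    recent = defaultdict(deque)   # (ip, path) -> timestamps still in window
    flagged = {}                  # (ip, path) -> peak count and UAs seen
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue              # ignore lines that are not combined format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        key = (m["ip"], m["path"])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop hits older than the window
            q.popleft()
        if len(q) >= threshold:
            hit = flagged.setdefault(key, {"peak": 0, "user_agents": set()})
            hit["peak"] = max(hit["peak"], len(q))
            hit["user_agents"].add(m["ua"])
    return flagged

def sample_log():
    """Constructed sample lines (documentation IPs), not the author's logs."""
    start = datetime(2005, 6, 13, 10, 0, tzinfo=timezone.utc)
    rows = []
    for i in range(60):   # 60 hits on one page in 10 minutes
        rows.append((start + timedelta(seconds=10 * i), "203.0.113.7",
                     "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"))
    for i in range(60):   # same total volume, spread over 10 hours
        rows.append((start + timedelta(minutes=10 * i), "198.51.100.9",
                     "ExampleBot/1.0"))
    fmt = '{} - - [{}] "GET /article.html HTTP/1.1" 200 5120 "-" "{}"'
    return [fmt.format(ip, t.strftime("%d/%b/%Y:%H:%M:%S %z"), ua)
            for t, ip, ua in sorted(rows)]

if __name__ == "__main__":
    for (ip, path), hit in find_floods(sample_log(), threshold=50).items():
        print(ip, path, hit["peak"], sorted(hit["user_agents"]))
```

Keying on the (IP, path) pair rather than the IP alone keeps a shared proxy with many distinct readers from looking the same as a single client hammering one URL.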
June 14th, 2005 at 8:30 pm
Did you get a final reply from MSN regarding this?
June 14th, 2005 at 8:34 pm
No, they stopped responding to me about it.
August 7th, 2005 at 10:56 pm
Tim, tide*.microsoft.com are Microsoft Campus’ internal LAN proxy servers. Anyone viewing this website from inside the Microsoft campus will appear under this IP address.
For more information please feel free to read up on it @ http://channel9.msdn.com/ShowPost.aspx?PostID=97535
August 8th, 2005 at 10:56 am
Iain,
Thanks for the information. So I wonder why someone at the Microsoft Campus decided to make 21,000 requests for a page on this site in a 30 minute period.
August 8th, 2005 at 11:46 am
Well there are no guarantees that it was one person, as this one IP address will most probably cover a whole campus. Maybe your site is popular internal reading over @ MS?
August 8th, 2005 at 12:10 pm
That would be quite ironic if this site was popular over in Redmond.
August 16th, 2005 at 1:57 pm
As of today, I am also a victim of “tide” (tide532.microsoft.com). I wasn’t flooded, but awfully surprised by the log entries. More to come.
August 16th, 2005 at 7:33 pm
A follow-up article regarding my above comment:
http://chipcuccio.us/2005/08/16/ms-employee-using-firefox/
July 5th, 2007 at 12:32 pm
For the last month (at least) we’ve been getting over 100,000 requests daily (sometimes 150,000) for our SaleRss feed from tide532.microsoft.com. It would be nice to have a few answers before I ban the IP.
July 31st, 2007 at 12:07 pm
The requests are coming from employee computers at that specific campus that uses this gateway.