Traffic being directed at random infrastructure with pornhub.com host header (?)

Has anyone else recently seen a spike of port 80 traffic being sent at seemingly random IP addresses that include the Pornhub host header?

0: 000C3170 A440000F 35F95000 08004500 …1p$@…5yP…E.

16: 004D0997 4000F006 F8D59DF5 7C90CFB6 .M…@.p.xU.u|.O6

32: 9E010050 00500000 67D50000 000B5002 …P.P…gU…P.

48: FFFF6559 00004745 54202F20 48545450 …eY…GET / HTTP

64: 2F312E31 0D0A486F 73743A20 706F726E /1.1…Host: porn

80: 6875622E 636F6D0D 0A0D0A00 hub.com…

Just thought it was quirky and was wondering if anyone else had seen it. This particular payload was directed at a Cisco router.

Offlist is fine if needed.

-Drew

Yes. The source possible, hopefully being research or commercial
scanners perhaps? I've seen a host from a US midwest EDU source
doing this. User agent string in that case was "Mozilla/5.0 quack/1.x"

It may be some sort of censorship measurement or perhaps even something
like this type of work:

  <Weaponizing Middleboxes for TCP Reflected Amplification | USENIX;

John

Has anyone else recently seen a spike of port 80 traffic being sent at seemingly random IP addresses that include the Pornhub host header?

It may be related to this:

<https://www.netscout.com/blog/asert/http-reflectionamplification-abusable-internet-censorship&gt;
[what-is-a-reflection-amplification-ddos-attack-blog-header_1600x900.jpg]
HTTP Reflection/Amplification via Abusable Internet Censorship Systems<https://www.netscout.com/blog/asert/http-reflectionamplification-abusable-internet-censorship&gt;
netscout.com<https://www.netscout.com/blog/asert/http-reflectionamplification-abusable-internet-censorship&gt;