I have a user at a certain IP who is unable to access the site due to
a fingerprinting script which identified too many irregularities for
his claimed browser.
I am trying to determine if the client was a bot, or an actual human
who was experiencing legitimate issues.
Searching the internet for the IP reveals that a user posted in the BM
proxies forum on Novell's site back in 2005, so at least at that time,
BM was in place. Whether it still is, I don't know.
I have two 'types' of requests from this user, one which looks like
this:
Host: ********************
User-Agent: Mozilla/4.0 (compatible;)
Accept: text/html, */*
Accept-Encoding: gzip, deflate, identity
Cache-Control: max-stale=0
Connection: Keep-Alive
X-BlueCoat-Via: *************
This is clearly a bot. The last 3 headers have been appended by a
BlueCoat proxy, but removing those headers, we can clearly see the
headers have not been alphabetized. Thus, the BC proxy does not
alphabetize the headers.
Second request style:
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: **-**
Host: *************
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
X-NovINet: v1.2
Cache-Control: max-stale=0
Connection: Keep-Alive
X-BlueCoat-Via: *****************
Again, the last 3 headers are added by the BC proxy. They are outside the
alpha block of headers, so the BC proxy was the last node in the
chain, and the reordering happened prior to being routed by the BC
proxy.
All headers are valid for the claimed user agent, so aside from the
order, this looks legit. The previous bot requests, however, suggest
maybe another bot is being used, this one attempting to spoof an
actual browser.
X-NovINet is some sort of Novell authentication header. Is this added
by BorderManager?
Does BM have an option anywhere in the configuration to reorder the
headers? Is that enabled by default? Where does the X-NovINet header
come from?
Does anyone know any other hardware/software causes of header
alphabetization? I know AT&T wireless will alphabetize headers (why do
they need to parse headers unless they're logging real-time to a db or
something?), and Webwasher will do the same thing, but it announces
itself in the Via header. Anyone know any others?
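The ordering heuristic the post applies by hand, as an added example that is not part of the original post or of any product it mentions. The script peels the trailing run of proxy-appended headers (the Cache-Control/Connection/X-BlueCoat-Via block the post attributes to the BlueCoat proxy) off the end of a request, then checks whether the remaining client-side headers arrive in alphabetical order and whether that is consistent with the claimed User-Agent. The two sample requests are reconstructed from the post with the masked values (Host, Accept-Language, X-BlueCoat-Via) replaced by placeholders; the set of proxy-appended header names and the "claims a real browser" test are assumptions for the example, not a documented property of BlueCoat or BorderManager.

```python
from typing import Dict, List, Tuple

# Assumption for this example: the post says the last three headers of
# each request were appended by the BlueCoat proxy, and X-BlueCoat-Via is
# the last of them.  We treat a trailing run of these names as proxy-added.
PROXY_APPENDED = {"cache-control", "connection", "x-bluecoat-via"}

# Constructed sample input, reconstructed from the post with masked
# values replaced by placeholders.
REQUEST_BOT = """\
Host: example.invalid
User-Agent: Mozilla/4.0 (compatible;)
Accept: text/html, */*
Accept-Encoding: gzip, deflate, identity
Cache-Control: max-stale=0
Connection: Keep-Alive
X-BlueCoat-Via: proxy-id-redacted
"""

REQUEST_ALPHA = """\
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-us
Host: example.invalid
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
X-NovINet: v1.2
Cache-Control: max-stale=0
Connection: Keep-Alive
X-BlueCoat-Via: proxy-id-redacted
"""


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Parse 'Name: value' lines in wire order, folding indented
    continuation lines (the wrapped User-Agent above) into the previous
    header so a line break never splits one field into two."""
    headers: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def split_proxy_tail(headers: List[Tuple[str, str]]):
    """Peel the trailing run of proxy-appended headers off the end.
    Everything before that run is what reached the proxy from upstream."""
    cut = len(headers)
    while cut > 0 and headers[cut - 1][0].lower() in PROXY_APPENDED:
        cut -= 1
    return headers[:cut], headers[cut:]


def is_alphabetized(names: List[str]) -> bool:
    """True when the header names are in case-insensitive sorted order."""
    lower = [n.lower() for n in names]
    return lower == sorted(lower)


def assess(raw: str) -> Dict[str, object]:
    """Apply the post's reasoning: a generic UA is a bot outright; a real
    browser UA with alphabetized headers was either reordered by an
    intermediary or sent by a bot spoofing that browser."""
    headers = parse_headers(raw)
    client, proxy = split_proxy_tail(headers)
    names = [n for n, _ in client]
    ua = next((v for n, v in client if n.lower() == "user-agent"), "")
    # Assumed browser test for the example: a bare "compatible;" UA is
    # treated as generic, anything naming a browser engine as a browser.
    claims_browser = any(tok in ua for tok in ("MSIE", "Firefox", "Chrome", "Safari"))
    alphabetized = is_alphabetized(names)
    if not claims_browser:
        verdict = "bot: generic User-Agent"
    elif alphabetized:
        verdict = "suspicious: browser UA but alphabetized headers (reordered upstream or spoofed)"
    else:
        verdict = "consistent with claimed browser"
    return {
        "client_headers": client,
        "proxy_appended": proxy,
        "proxy_last_hop": bool(proxy) and proxy[-1][0].lower() == "x-bluecoat-via",
        "alphabetized": alphabetized,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, raw in (("bot", REQUEST_BOT), ("alpha", REQUEST_ALPHA)):
        result = assess(raw)
        print(label, result["alphabetized"], result["verdict"])
```

The alphabetization test only says "something sorted these"; it cannot by itself tell a header-normalizing proxy from a bot that sorts its headers, which is exactly the question the post is left with. In practice, pair it with a per-browser reference order for the client block and treat the proxy tail as a separate hop rather than folding it into the client's fingerprint.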