[Update 6/27: Dan a.k.a. "Mr. Smoot" pointed me to a URL that further confirms #3 as a NetScaler device, as well as makes a convincing case that #4 is a NetScaler device as well. In addition, he helped narrow down the possible list of suspects of #1 to Radware devices]
[Update 6/11: Ryan P. pointed me to Citrix NetScaler devices, which further research indicates is the right answer to #2; other Citrix/NetScaler family devices may also prove to be the answers to #1 and #3, and even have similar behavior to #4. However, I'll still take concrete answers for #1, #3, and #4]
Below are some oddball/unique HTTP responses with strange behaviors I've recently run across while surfing the 'Interweb', and I'd like your help in identifying the underlying software/device. In exchange, the first person(s) to provide reasonable information for each of the items have the option to receive a free SPI Dynamics t-shirt or, if you're going to BlackHat Las Vegas 2007, an invite to the after-hours SPI party at Tao. You don't have to have an answer for all of the items below--any single one is fine.
Basically I'm looking for as much information as possible, particularly the vendor and software name, and then any additional information (configuration that causes the exhibited behavior, etc.). Please don't take guesses--I'm looking for confident answers from people who have encountered these scenarios before and know first (or second) hand the exact software/device that exhibits these behaviors. I've already done a moderate amount of Googling, to no avail; it's extremely unlikely that a few web searches are going to be enough to identify these items. But you're more than welcome to try anyways.
Without further ado, let's get identifying!
1. The web device (proxy, cache, load balancer, surrogate, etc.) that changes the "Content-Length:" header into "Xontent-Length:", as used by www.paypalobjects.com (make a 404 request to see the behavior); the underlying server is thttpd, and thttpd does not exhibit that behavior internally, so it must be an intermediary HTTP device. The partial HTTP response looks like:
[Update 6/27: this is potentially a Radware device]
HTTP/1.0 404 Not Found\r\n
Xontent-Length: \r\n
Server: thttpd/2.25b 29dec2003\r\n
Content-Type: text/html; charset=iso-8859-1\r\n
Last-Modified: Tue, 05 Jun 2007 17:01:12 GMT\r\n
Accept-Ranges: bytes\r\n
Cache-Control: no-cache, no-store\r\n
Date: Tue, 05 Jun 2007 17:01:12 GMT\r\n
Content-Length: 329\r\n
Connection: close\r\n
\r\n
2. The web server that identifies itself with the "Server" banner "NS_3.0", as used by www.paypal.com.cn and totale.usc.edu (no, it is not a Netscape 3.x server). Note the broken "Content Type" and "Cache Control" headers. Is this something from NetworkEngines? The response looks like: (Note: the Location header value has been removed)
[Update 6/11: reasonably sure this is a NetScaler device]
HTTP/1.1 302 Object Moved\r\n
Server: NS_3.0\r\n
Location: ...\r\n
Content Type: text/html\r\n
Cache Control: private\r\n
Connection: close\r\n
\r\n
3. The web device (proxy, cache, load balancer, surrogate, etc.) that uses a "Via:" header signature of "NS-CACHE-6.0", as used by www.ireland.com and developer.mozilla.org (make a 404 request to see the behavior); it also has the "Xontent-Length" header switch, an all-alpha, all-caps "Etag" value, and a superfluously spaced "Age" header value; is this an iPlanet/Netscape/Sun product? Does anyone know anyone officially at Mozilla.org they can ask? Also note the Xontent-Length header--this may relate back to #1. The response looks like:
[Update 6/27: this link seems to confirm the device as being a NetScaler; also, NetScaler devices ship with software version 6.0 by default, which further confirms it based on version number]
HTTP/1.1 404 Not Found\r\n
Age: 7 \r\n
Date: Tue, 05 Jun 2007 17:04:05 GMT\r\n
Xontent-Length: \r\n
Connection: Close \r\n
Via: NS-CACHE-6.0: 101\r\n
ETag: "KXDEBBLANKSQVXUM"\r\n
Server: Apache\r\n
Content-Type: text/html; charset=iso-8859-1\r\n
\r\n
4. The web device (proxy, cache, load balancer, surrogate, etc.) that changes the "Connection:" header into "nnCoection:"; there's some speculation that it's a Netapp NetCache, but I haven't seen this behavior from our own NetCache devices. Various Amazon web sites are known to exhibit this behavior, but I've seen it elsewhere as well. The response looks like:
[Update 6/27: seems to be a NetScaler device]
HTTP/1.1 200 OK\r\n
Date: Tue, 05 Jun 2007 17:05:18 GMT\r\n
Server: Server\r\n
Vary: Accept-Encoding,User-Agent\r\n
Content-Type: text/html; charset=ISO-8859-1\r\n
nnCoection: close\r\n
Transfer-Encoding: chunked\r\n
To identify any of the above, you can either leave a comment to this blog post (be sure to include your email address), use the email contact web form (again, be sure to include your email address), or send me email directly via username jforristal at the domain spidynamics.com.
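The header quirks in responses #2 through #4 can be flagged mechanically when reviewing captured traffic. The following is an added example, not part of the original post: a small Python checker whose function names and finding labels are assumptions made for illustration, run over header text copied from the responses above.

```python
# Standard header names that the responses on this page show being mangled.
KNOWN = ["Content-Length", "Connection", "Content-Type", "Cache-Control"]

def parse_headers(raw: bytes):
    """Split a raw response head into (name, value) pairs, keeping odd names as-is."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    pairs = []
    for line in head.split("\r\n")[1:]:              # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name, value[1:] if value.startswith(" ") else value))
    return pairs

def obscured_original(name: str):
    """Return the standard header that `name` is a same-length mangling of, if any."""
    low = name.lower()
    for known in KNOWN:
        k = known.lower()
        if low == k or len(low) != len(k):
            continue
        one_char_swap = sum(a != b for a, b in zip(low, k)) == 1   # Xontent-Length
        if one_char_swap or sorted(low) == sorted(k):              # nnCoection
            return known
    return None

def fingerprint(raw: bytes):
    """List (quirk, detail) findings for one raw HTTP response head."""
    findings = []
    for name, value in parse_headers(raw):
        original = obscured_original(name)
        if " " in name:                              # "Content Type", "Cache Control"
            findings.append(("space-in-name", name))
        elif original:
            findings.append(("obscured:" + original, name))
        if value != value.rstrip():                  # "Age: 7 ", "Connection: Close "
            findings.append(("trailing-space", name))
        if name.lower() == "via" and value.startswith("NS-CACHE-"):
            findings.append(("via-signature", value))
        if name.lower() == "server" and value == "NS_3.0":
            findings.append(("server-banner", value))
    return findings

# Header text copied from responses #2, #3 and #4 above (some headers omitted).
RESP2 = (b"HTTP/1.1 302 Object Moved\r\nServer: NS_3.0\r\nLocation: ...\r\n"
         b"Content Type: text/html\r\nCache Control: private\r\nConnection: close\r\n\r\n")
RESP3 = (b"HTTP/1.1 404 Not Found\r\nAge: 7 \r\nXontent-Length: \r\nConnection: Close \r\n"
         b"Via: NS-CACHE-6.0: 101\r\nServer: Apache\r\n\r\n")
RESP4 = b"HTTP/1.1 200 OK\r\nServer: Server\r\nnnCoection: close\r\nTransfer-Encoding: chunked\r\n"

if __name__ == "__main__":
    for label, resp in (("#2", RESP2), ("#3", RESP3), ("#4", RESP4)):
        print(label, fingerprint(resp))
```

The checker reports quirks only; attributing a quirk to a vendor still rests on the evidence discussed in the update notes above.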
Wednesday, 2 September 2009
Identify these HTTP servers/devices, receive something cool