Cloudflare Developers•3y ago

Worker requests does not match dashboard

I see Requests today 76,409 / 100,000 but checking the workers I don't see so many requests.

Ricardo ViteriOP•11/17/23, 7:19 PM

I usually use around 2500 requests per day, so something is very off

RRicardo Viteri I see Requests today 76,409 / 100,000 but checking the workers I don't see so ma...

Chaika•11/17/23, 7:29 PM

That includes Workers & Pages. For Workers you can sort by Requests and see, for Pages you have to go to each and see the Function Metrics for prod/preview

Ricardo ViteriOP•11/17/23, 7:30 PM

Correct

Ricardo ViteriOP•11/17/23, 7:31 PM

still, I've never had so much traffic

Ricardo ViteriOP•11/17/23, 7:31 PM

almost all workers are internal apps

Chaika•11/17/23, 7:31 PM

I would assume it is correct, haven't heard any case of it being wrong (although it can be a bit delayed), you just have to find them somewhere in the list. You checked all your Pages projects and such?

Ricardo ViteriOP•11/17/23, 7:31 PM

pages too

Ricardo ViteriOP•11/17/23, 7:31 PM

yes

Ricardo ViteriOP•11/17/23, 7:34 PM

this is the only public facing app

Ricardo ViteriOP•11/17/23, 7:35 PM

found the app, this is an internal app. We've never had this happen.

Ricardo ViteriOP•11/17/23, 7:36 PM

Ricardo ViteriOP•11/17/23, 7:36 PM

this is yesterday

Chaika•11/17/23, 7:37 PM

What type of app is it? Normally spikey traffic patterns?
If you have a Worker Custom Domain/Route on it attached to a pro or higher domain, you can get some better analytics out of it

Ricardo ViteriOP•11/17/23, 7:37 PM

it never spikes

Chaika•11/17/23, 7:37 PM

but it spiked today and yesterday? If you look out to the last week, any other times?

Ricardo ViteriOP•11/17/23, 7:37 PM

only today I see

Ricardo ViteriOP•11/17/23, 7:38 PM

yesterday was fine

Ricardo ViteriOP•11/17/23, 7:38 PM

about 2k request per day

Ricardo ViteriOP•11/17/23, 7:38 PM

today 74k

RRicardo Viteri Click to see attachment

Chaika•11/17/23, 7:38 PM

This looks like "spikey" traffic to me, around the same time as the tons of requests today

Chaika•11/17/23, 7:39 PM

to me that kind of looks like legit traffic just based on the time frames matching up, it didn't happen off normal peak time, it is a worker consumed by an API or something that could call it a ton of times potentially?

Ricardo ViteriOP•11/17/23, 7:39 PM

no, it is a sveltekit app

Ricardo ViteriOP•11/17/23, 7:39 PM

so UI and making calls to a DB via graphql

Chaika•11/17/23, 7:40 PM

Requests go through a custom domain, or using the default workers.dev?

Ricardo ViteriOP•11/17/23, 7:40 PM

custom domain

Chaika•11/17/23, 7:40 PM

Check Analytics from Domain? If it's Pro or higher you could really scope in and try to see where they came from

Ricardo ViteriOP•11/17/23, 7:43 PM

I'm on the free plan

Ricardo ViteriOP•11/17/23, 7:43 PM

Chaika•11/17/23, 7:43 PM

I'd look at Requests, not unique

Ricardo ViteriOP•11/17/23, 7:44 PM

Ricardo ViteriOP•11/17/23, 7:44 PM

I see the spike

Ricardo ViteriOP•11/17/23, 7:44 PM

but why

Chaika•11/17/23, 7:44 PM

You could check Security -> Events to see if any were blocked and would give us any more info

Ricardo ViteriOP•11/17/23, 7:45 PM

Chaika•11/17/23, 7:49 PM

Hmm so they came through the Custom Domain, either not an attack or too small to be detected (75k requests isn't very many over ~3 hours, only a few requests/second.
I think the trail mostly ends there then unless your Worker/origin behind the worker has other logs to look at, would need Pro to get more info on the requests.
You could set up rules to try to prevent this -- assuming it is an attack - in the future, such as the free unmetered rate limiting and such. It looks like it kind of stopped against that worker, otherwise you could enable Under Attack Mode (or use a config rule to just challenge a specific subdomain) which would challenge every visitor and then you could get some info via Security Events: https://community.cloudflare.com/t/mitigating-an-http-ddos-attack-manually-with-cloudflare/302366

Ricardo ViteriOP•11/17/23, 7:51 PM

okay, maybe it was an attack. I am going to check the login server to see the attempts to log in that app.

Worker requests does not match dashboard

Similar Threads

Similar Threads

Similar Threads