5 replies

Weird HTTP traffic passing through [HTTP 499 with random referers]

We've been experiencing weird attacks coming through CF. The requests are HTTP/2.0 with no CF-Connecting-IP Header and random referers.

172.70.47.130 - - [23/Apr/2024:02:25:28 +0000] "GET / HTTP/2.0" 499 0 "https://amazon.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
172.70.47.130 - - [23/Apr/2024:02:25:28 +0000] "GET / HTTP/2.0" 499 0 "https://instagram.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
172.70.47.130 - - [23/Apr/2024:02:25:28 +0000] "GET / HTTP/2.0" 499 0 "https://wikipedia.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
172.70.47.130 - - [23/Apr/2024:02:25:28 +0000] "GET / HTTP/2.0" 499 0 "https://facebook.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
172.70.47.130 - - [23/Apr/2024:02:25:28 +0000] "GET / HTTP/2.0" 499 0 "https://instagram.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"

172.70.47.130 - - [23/Apr/2024:02:25:28 +0000] "GET / HTTP/2.0" 499 0 "https://amazon.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
172.70.47.130 - - [23/Apr/2024:02:25:28 +0000] "GET / HTTP/2.0" 499 0 "https://instagram.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
172.70.47.130 - - [23/Apr/2024:02:25:28 +0000] "GET / HTTP/2.0" 499 0 "https://wikipedia.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
172.70.47.130 - - [23/Apr/2024:02:25:28 +0000] "GET / HTTP/2.0" 499 0 "https://facebook.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
172.70.47.130 - - [23/Apr/2024:02:25:28 +0000] "GET / HTTP/2.0" 499 0 "https://instagram.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"

1.5k req/s passed through to the server.
Any ideas on how to handle these better and stop them from passing through to the origin?

Weird HTTP traffic passing through [HTTP 499 with random referers]

We've been experiencing weird attacks coming through CF. The requests are HTTP/2.0 with no CF-Connecting-IP Header and random referers.

172.70.47.130 - - [23/Apr/2024:02:25:28 +0000] "GET / HTTP/2.0" 499 0 "https://amazon.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
172.70.47.130 - - [23/Apr/2024:02:25:28 +0000] "GET / HTTP/2.0" 499 0 "https://instagram.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
172.70.47.130 - - [23/Apr/2024:02:25:28 +0000] "GET / HTTP/2.0" 499 0 "https://wikipedia.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
172.70.47.130 - - [23/Apr/2024:02:25:28 +0000] "GET / HTTP/2.0" 499 0 "https://facebook.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
172.70.47.130 - - [23/Apr/2024:02:25:28 +0000] "GET / HTTP/2.0" 499 0 "https://instagram.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"

172.70.47.130 - - [23/Apr/2024:02:25:28 +0000] "GET / HTTP/2.0" 499 0 "https://amazon.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
172.70.47.130 - - [23/Apr/2024:02:25:28 +0000] "GET / HTTP/2.0" 499 0 "https://instagram.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
172.70.47.130 - - [23/Apr/2024:02:25:28 +0000] "GET / HTTP/2.0" 499 0 "https://wikipedia.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
172.70.47.130 - - [23/Apr/2024:02:25:28 +0000] "GET / HTTP/2.0" 499 0 "https://facebook.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
172.70.47.130 - - [23/Apr/2024:02:25:28 +0000] "GET / HTTP/2.0" 499 0 "https://instagram.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"

1.5k req/s passed through to the server.
Any ideas on how to handle these better and stop them from passing through to the origin?

Weird HTTP traffic passing through [HTTP 499 with random referers]

Weird HTTP traffic passing through [HTTP 499 with random referers]

Similar Threads

Similar Threads

Similar Threads