Cloudflare Developers•4mo ago

Weird HTTP traffic passing through [HTTP 499 with random referers]

We've been experiencing weird attacks coming through CF. The requests are HTTP/2.0 with no CF-Connecting-IP Header and random referers.

172.70.47.130 - - [23/Apr/2024:02:25:28 +0000] "GET / HTTP/2.0" 499 0 "https://amazon.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
172.70.47.130 - - [23/Apr/2024:02:25:28 +0000] "GET / HTTP/2.0" 499 0 "https://instagram.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
172.70.47.130 - - [23/Apr/2024:02:25:28 +0000] "GET / HTTP/2.0" 499 0 "https://wikipedia.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
172.70.47.130 - - [23/Apr/2024:02:25:28 +0000] "GET / HTTP/2.0" 499 0 "https://facebook.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
172.70.47.130 - - [23/Apr/2024:02:25:28 +0000] "GET / HTTP/2.0" 499 0 "https://instagram.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"

172.70.47.130 - - [23/Apr/2024:02:25:28 +0000] "GET / HTTP/2.0" 499 0 "https://amazon.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
172.70.47.130 - - [23/Apr/2024:02:25:28 +0000] "GET / HTTP/2.0" 499 0 "https://instagram.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
172.70.47.130 - - [23/Apr/2024:02:25:28 +0000] "GET / HTTP/2.0" 499 0 "https://wikipedia.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
172.70.47.130 - - [23/Apr/2024:02:25:28 +0000] "GET / HTTP/2.0" 499 0 "https://facebook.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
172.70.47.130 - - [23/Apr/2024:02:25:28 +0000] "GET / HTTP/2.0" 499 0 "https://instagram.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"

1.5k req/s passed through to the server. Any ideas on how to handle these better and stop them from passing through to the origin?

4 Replies

Doxylamin•4mo ago

After further investigation it looks like the HTTP/2 Rapid Reset Attack Vector, which seems to be non-mitigated by cloudflare?

Beny•4mo ago

Cloudflare is protected by rapid reset: https://cloudflare.com/h2/ Perhaps they went to the origin server directly?

HTTP/2 Rapid Reset Attack Protection | Cloudflare

Cloudflare protects against HTTP/2 Rapid Reset DDoS attacks - sign up and get protected or reach out now for immediate under attack assistance.

trentk•4mo ago

You could probably mitigate at least a portion of this by just blocking most of those referers. How many people are getting referred from https://instagram.com/ ? even if you have an instagram page, the referrer isn't going to be just the homepage, right? Same thing with Amazon, Google, Facebook, etc.

Instagram

Doxylamin•4mo ago

As you can see in the attached image, all requests are coming from CF's IP range. https://radb.net/query?keywords=172.70.47.130

Gaming

Programming

Weird HTTP traffic passing through [HTTP 499 with random referers]