Worker requests does not match dashboard
I see Requests today 76,409 / 100,000 but checking the workers I don't see so many requests.
27 Replies
I usually use around 2500 requests per day, so something is very off
That includes Workers & Pages. For Workers you can sort by Requests and see, for Pages you have to go to each and see the Function Metrics for prod/preview
Correct
still, I've never had so much traffic
almost all workers are internal apps
I would assume it is correct, haven't heard any case of it being wrong (although it can be a bit delayed), you just have to find them somewhere in the list. You checked all your Pages projects and such?
pages too
yes
this is the only public facing app
found the app, this is an internal app. We've never had this happen.
this is yesterday
What type of app is it? Normally spikey traffic patterns?
If you have a Worker Custom Domain/Route on it attached to a pro or higher domain, you can get some better analytics out of it
no
it never spikes
but it spiked today and yesterday? If you look out to the last week, any other times?
only today I see
yesterday was fine
about 2k request per day
today 74k
This looks like "spikey" traffic to me, around the same time as the tons of requests today
to me that kind of looks like legit traffic just based on the time frames matching up, it didn't happen off normal peak time, it is a worker consumed by an API or something that could call it a ton of times potentially?
no, it is a sveltekit app
so UI and making calls to a DB via graphql
Requests go through a custom domain, or using the default workers.dev?
custom domain
Check Analytics from Domain? If it's Pro or higher you could really scope in and try to see where they came from
I'm on the free plan
I'd look at Requests, not unique
I see the spike
but why
You could check Security -> Events to see if any were blocked and would give us any more info
Hmm so they came through the Custom Domain, either not an attack or too small to be detected (75k requests isn't very many over ~3 hours, only a few requests/second.
I think the trail mostly ends there then unless your Worker/origin behind the worker has other logs to look at, would need Pro to get more info on the requests.
You could set up rules to try to prevent this -- assuming it is an attack - in the future, such as the free unmetered rate limiting and such. It looks like it kind of stopped against that worker, otherwise you could enable Under Attack Mode (or use a config rule to just challenge a specific subdomain) which would challenge every visitor and then you could get some info via Security Events: https://community.cloudflare.com/t/mitigating-an-http-ddos-attack-manually-with-cloudflare/302366
okay, maybe it was an attack. I am going to check the login server to see the attempts to log in that app.