Weird HTTP traffic passing through [HTTP 499 with random referers]
We've been experiencing weird attacks coming through CF. The requests are HTTP/2.0 with no CF-Connecting-IP Header and random referers.
1.5k req/s passed through to the server.
Any ideas on how to handle these better and stop them from passing through to the origin?
4 Replies
After further investigation it looks like the HTTP/2 Rapid Reset Attack Vector, which seems to be non-mitigated by Cloudflare?
Cloudflare is protected by rapid reset: https://cloudflare.com/h2/
Perhaps they went to the origin server directly?
You could probably mitigate at least a portion of this by just blocking most of those referers. How many people are getting referred from https://instagram.com/? Even if you have an Instagram page, the referrer isn't going to be just the homepage, right? Same thing with Amazon, Google, Facebook, etc.
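The referer heuristic suggested in the reply above, as an added example that is not part of the thread: it triages origin access-log lines for the three signals the posts mention (status 499, no CF-Connecting-IP value, a referer that is only a big site's front page). The log format (nginx "combined" plus a trailing `$http_cf_connecting_ip` field) and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Sites named in the reply above; extend to suit your own traffic.
BIG_SITES = {"instagram.com", "amazon.com", "google.com", "facebook.com"}

# Assumed log_format: nginx "combined" plus a trailing "$http_cf_connecting_ip".
LINE_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \d+ "(?P<referer>[^"]*)" "[^"]*" "(?P<cfip>[^"]*)"$'
)

def is_bare_homepage_referer(referer):
    """True when the referer is only the front page of a big site."""
    parts = urlsplit(referer)
    host = (parts.hostname or "").removeprefix("www.")
    return host in BIG_SITES and parts.path in ("", "/") and not parts.query

def triage(lines):
    """Count log lines per signal described in this thread."""
    reasons = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            reasons["unparsed"] += 1
            continue
        if m["status"] == "499":
            reasons["client_closed_499"] += 1
        if m["cfip"] in ("", "-"):
            reasons["no_cf_connecting_ip"] += 1
        if is_bare_homepage_referer(m["referer"]):
            reasons["bare_homepage_referer"] += 1
    return reasons

# Constructed sample lines (not taken from the poster's logs).
SAMPLE = [
    '172.70.47.130 - - [01/Jan/2024:12:00:01 +0000] "GET / HTTP/2.0" 499 0 "https://instagram.com/" "Mozilla/5.0" "-"',
    '172.70.47.130 - - [01/Jan/2024:12:00:01 +0000] "GET / HTTP/2.0" 499 0 "https://www.amazon.com" "Mozilla/5.0" "-"',
    '172.70.47.130 - - [01/Jan/2024:12:00:02 +0000] "GET /shop HTTP/2.0" 200 512 "https://instagram.com/p/abc123/" "Mozilla/5.0" "203.0.113.7"',
    '172.70.47.130 - - [01/Jan/2024:12:00:03 +0000] "GET / HTTP/2.0" 200 1024 "-" "Mozilla/5.0" "203.0.113.9"',
]

if __name__ == "__main__":
    print(dict(triage(SAMPLE)))
```

Counting the signals separately shows how much of the flood a referer rule alone would catch before it is turned into a blocking rule.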
As you can see in the attached image, all requests are coming from CF's IP range.
https://radb.net/query?keywords=172.70.47.130