Weird HTTP traffic passing through [HTTP 499 with random referers]

We've been experiencing weird attacks coming through CF. The requests are HTTP/2.0 with no CF-Connecting-IP Header and random referers.
172.70.47.130 - - [23/Apr/2024:02:25:28 +0000] "GET / HTTP/2.0" 499 0 "https://amazon.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
172.70.47.130 - - [23/Apr/2024:02:25:28 +0000] "GET / HTTP/2.0" 499 0 "https://instagram.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
172.70.47.130 - - [23/Apr/2024:02:25:28 +0000] "GET / HTTP/2.0" 499 0 "https://wikipedia.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
172.70.47.130 - - [23/Apr/2024:02:25:28 +0000] "GET / HTTP/2.0" 499 0 "https://facebook.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
172.70.47.130 - - [23/Apr/2024:02:25:28 +0000] "GET / HTTP/2.0" 499 0 "https://instagram.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
172.70.47.130 - - [23/Apr/2024:02:25:28 +0000] "GET / HTTP/2.0" 499 0 "https://amazon.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
172.70.47.130 - - [23/Apr/2024:02:25:28 +0000] "GET / HTTP/2.0" 499 0 "https://instagram.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
172.70.47.130 - - [23/Apr/2024:02:25:28 +0000] "GET / HTTP/2.0" 499 0 "https://wikipedia.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
172.70.47.130 - - [23/Apr/2024:02:25:28 +0000] "GET / HTTP/2.0" 499 0 "https://facebook.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
172.70.47.130 - - [23/Apr/2024:02:25:28 +0000] "GET / HTTP/2.0" 499 0 "https://instagram.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
1.5k req/s passed through to the server. Any ideas on how to handle these better and stop them from passing through to the origin?
4 Replies
Doxylamin (OP) 9mo ago
After further investigation it looks like the HTTP/2 Rapid Reset Attack Vector, which seems to be non-mitigated by Cloudflare?
Beny 9mo ago
Cloudflare is protected by rapid reset: https://cloudflare.com/h2/ Perhaps they went to the origin server directly?
trentk 9mo ago
You could probably mitigate at least a portion of this by just blocking most of those referers. How many people are getting referred from https://instagram.com/ ? Even if you have an Instagram page, the referrer isn't going to be just the homepage, right? Same thing with Amazon, Google, Facebook, etc.
Doxylamin (OP) 9mo ago
As you can see in the attached image, all requests are coming from CF's IP range. https://radb.net/query?keywords=172.70.47.130
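
Added example (not posted by anyone in the thread): a log triage script for the pattern discussed above, counting per-second bursts of 499 responses whose referer is only a site root, and checking whether the logged peer address is a Cloudflare edge. The sample lines are constructed in the quoted log format, and the single Cloudflare range and the burst threshold are assumptions to replace with the current published list and your own baseline.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Assumption: one range from Cloudflare's published IPv4 list; load the full, current list in practice.
CF_NET = ip_network("172.64.0.0/13")

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def bare_homepage(referer):
    """True when the referer is only a site root, e.g. https://instagram.com/."""
    u = urlsplit(referer)
    return bool(u.scheme and u.netloc) and u.path in ("", "/") and not u.query

def suspicious(line):
    """Return (ip, timestamp) for a 499 with a bare-homepage referer, else None."""
    m = LINE_RE.match(line)
    if not m or m["status"] != "499" or not bare_homepage(m["referer"]):
        return None
    return m["ip"], m["ts"]

def bursts(lines, threshold):
    """Count suspicious hits per (ip, second); keep buckets at or above threshold."""
    counts = Counter(filter(None, map(suspicious, lines)))
    return {key: n for key, n in counts.items() if n >= threshold}

def via_cloudflare(ip):
    """True when the logged peer address falls inside the Cloudflare range above."""
    return ip_address(ip) in CF_NET

# Constructed sample lines, modelled on the log format quoted in the thread.
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
TS = "23/Apr/2024:02:25:28 +0000"
SAMPLE = [
    f'172.70.47.130 - - [{TS}] "GET / HTTP/2.0" 499 0 "https://amazon.com/" "{UA}"',
    f'172.70.47.130 - - [{TS}] "GET / HTTP/2.0" 499 0 "https://instagram.com/" "{UA}"',
    f'172.70.47.130 - - [{TS}] "GET / HTTP/2.0" 499 0 "https://wikipedia.org/" "{UA}"',
    f'172.70.47.130 - - [{TS}] "GET /cart HTTP/2.0" 499 0 "-" "{UA}"',
    f'172.71.10.5 - - [{TS}] "GET /a HTTP/2.0" 200 512 "https://example.org/blog/post?id=7" "{UA}"',
    f'172.71.10.5 - - [{TS}] "GET /b HTTP/2.0" 499 0 "https://example.org/blog/post" "{UA}"',
]

if __name__ == "__main__":
    for (ip, ts), n in bursts(SAMPLE, threshold=3).items():
        print(f"{ts} {ip} via_cloudflare={via_cloudflare(ip)} hits={n}")
```

When the peer address is a Cloudflare edge, the burst count describes traffic relayed by that edge, so any blocking rule built from it belongs at the Cloudflare layer or on the referer pattern rather than on the logged IP.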