Block/Throttle Empty GET Requests HTTP/1.1?

Hi,
I don’t know if this is a bug or what to say…

I noticed recently that I am getting attacked by an online stresser which directly bypasses Cloudflare and kills my server by sending traffic with empty GET requests (HTTP/1.1) from multiple proxies.

I found a way to block it, but the problem is that it also blocks my normal browser when trying to GET data from a specific page.

Is there a way to block empty GET requests (HTTP/1.1) only, without blocking unknown crawlers or normal GET requests? Also, is it possible to throttle connections without needing to throw captcha challenges?

I don’t know if it is possible from my side with Lighttpd to throttle these requests, but this seems not to work:

```
env.SERVER_PROTOCOL == "HTTP/1.1" {
    throttle.max-concurrent-connections = 3
    throttle.bucket-size = 300
    throttle.tokens-per-second = 1
    throttle.ban-when-empty = 1
}
```

Also mod_evasive seems useless.

Here is my rule that I tried.

```
(not cf.tls_client_auth.cert_verified and http.request.method eq "GET" and http.request.version eq "HTTP/1.1" and ssl and not cf.client.bot)
```

Throttle.
Check CF rate limiting: Rate Limiting | Advanced Network Rate Limiting | Cloudflare

Regarding the empty GET requests, do you have browser integrity checks enabled? Can you show us your firewall logs?

Do you have a firewall on your Origin that only allows traffic coming from Cloudflare?

What is an Empty HTTP request?

Tried all options, but reverted to my custom needs because I can’t be abusing users with captchas, so I disabled the browser check.

After my websites got stressed, I managed to get my hands on this stresser to test it, and it seems to bypass Cloudflare; only Under Attack mode blocks it.
Browser check and other options are useless, I am sorry to say that.
Only the rule above blocked it, but it is blocking normal GET requests; I hope there are options in firewall rules to throttle.

Here is one of the logs; there are 15K of them from different IP addresses.

Ray ID: `68e323e1dea45233`
Method: GET
HTTP Version: HTTP/1.1
Host: mydomain.com
Path: /
Query string: Empty query string
User agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
IP address: 36.90.131.235
ASN: AS7713 TELKOMNET-AS-AP PT Telekomunikasi Indonesia
Country: Indonesia

> it seems to bypass Cloudflare, only under attack mode blocks it.

What a peculiar and limited bypass.

> Browser check and other options are useless, I am sorry to say that.

They aren’t; the request you show in that log is perfectly valid and could very well be generated by a browser.

> Tried all options, but reverted to my custom needs because I can’t be abusing users with captcha so I disabled browser check.

However, the browser integrity check can’t possibly affect a legitimate browser, at least not under normal scenarios. The integrity check is rather simple and checks that values such as the HTTP version and user-agent are valid and present.

The request you posted is alright, but it’s quite restrictive given that many users still run under HTTP 1.1; consider adding more parameters such as the path, threat score or the missing headers on the requests.

I have already tried everything, but it can still be bypassed because it looks like a valid request.

My CF rule works well but blocks normal GET requests via browser to fetch data; anyway, Cloudflare must add a rate-limiting option alongside the other available options (Allow, Block, Challenge).

So instead of blocking, we would be throttling with firewall rules.

```
(not cf.tls_client_auth.cert_verified and http.request.method eq "GET" and http.request.version eq "HTTP/1.1" and ssl and not cf.client.bot)
```

Still couldn’t find a good way to block these kinds of attacks; maybe I can try to figure it out with lighttpd.

Thank you 🙂

Check this guide:

Also, check the documentation of the firewall rules:

https://developers.cloudflare.com/firewall/cf-firewall-language/fields

The attack you are receiving, at a glance from that log, isn’t enough to properly diagnose an attack pattern; however, you can just check whether they are missing any other common HTTP headers and match against that.

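As an added example (not the OP's config, and not Cloudflare's or lighttpd's code), here is a Python sketch of what throttling without a captcha could look like on the origin: a per-IP token bucket using the bucket-size and tokens-per-second numbers from the OP's snippet, where requests that lack the common browser headers the reply above mentions cost far more than ordinary ones, and a client that drains its bucket is banned. The header list, the costs, and the sample requests and IPs are assumptions constructed for this example.

```python
BROWSER_HEADERS = ("accept", "accept-language", "accept-encoding")  # assumption: what a real browser always sends

def is_bare_get(req):
    """The thread's "empty" GET: GET HTTP/1.1, no query string and none of the
    usual browser headers; a copied User-Agent alone (as in the posted log) is not enough."""
    present = {k.lower() for k in req.get("headers", {})}
    return (req["method"] == "GET" and req["version"] == "HTTP/1.1"
            and not req.get("query") and not present.intersection(BROWSER_HEADERS))

class Throttle:
    """Per-IP token bucket (bucket-size 300, 1 token/s as in the OP's lighttpd
    snippet): normal requests cost 1 token, bare GETs cost 30, and a client that
    drains its bucket is banned (the "ban-when-empty" idea)."""
    def __init__(self, capacity=300.0, rate=1.0, bare_cost=30, normal_cost=1):
        self.capacity, self.rate = capacity, rate
        self.bare_cost, self.normal_cost = bare_cost, normal_cost
        self.buckets = {}      # ip -> [tokens, last_refill_time]
        self.banned = set()

    def decide(self, req, now):
        ip = req["ip"]
        if ip in self.banned:
            return "ban"
        tokens, last = self.buckets.get(ip, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)  # refill by elapsed time
        cost = self.bare_cost if is_bare_get(req) else self.normal_cost
        if tokens < cost:
            self.banned.add(ip)
            return "ban"
        self.buckets[ip] = [tokens - cost, now]
        return "allow"

def replay(events):
    """Feed (timestamp, request) pairs through one Throttle and return the decisions."""
    throttle = Throttle()
    return [throttle.decide(req, ts) for ts, req in events]

# Constructed sample traffic on documentation-range IPs: a browser, and a proxy
# replaying bare GETs with the User-Agent from the posted log entry.
UA = "Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15"
BROWSER = {"ip": "192.0.2.10", "method": "GET", "version": "HTTP/1.1", "path": "/", "query": "",
           "headers": {"User-Agent": UA, "Accept": "text/html", "Accept-Language": "en-US"}}
BARE = {"ip": "198.51.100.7", "method": "GET", "version": "HTTP/1.1", "path": "/", "query": "",
        "headers": {"User-Agent": UA}}
SAMPLE = [(i * 0.01, BARE) for i in range(12)] + [(0.5 + i * 0.01, BROWSER) for i in range(12)]
```

With these numbers the proxy gets ten bare GETs through before its bucket is empty and it is banned, while the browser's twelve requests are all allowed; `replay(SAMPLE)` returns those decisions in order.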
