We get a significant amount of traffic in which the User Agent String is completely empty. Often, these requests are engaged in SQL Injection attempts, but not every one of these requests is detected as SQL Injection because the requester intersperses legitimate requests into their stream.
Do you recommend that we create a Firewall Rule that will block all traffic which has an empty user agent string? Is that a good idea? Are there legitimate examples in which HTTP/HTTPS traffic would have a completely empty user agent string? Or should we use “User Agent Blocking”? (Not sure if one can create a user agent blocking rule for empty user agent strings.)
I suppose if we created such a rule the perpetrators would simply add some (random) user agent string to their page requests?
What do other Cloudflare experts do to handle this?