Blocking invalid traffic with 0x0 screen resolution

We noticed a sudden spike of traffic in the past couple of weeks. We thought it was legit till we noticed it was only hitting the homepage and it’s all coming from the US. While it would be nice to have this amount of traffic, we felt that it’s only artificial and could be a bot attack.

Our hosting partner confirmed it was coming from the US, and one of our analytics partners told us the UA was all Windows using Chrome.

But there’s one piece of evidence that told us it was indeed some sort of bot. We checked Google Analytics and under the Audience by Technology section, there were screen resolutions of 0x0 and the user agent contains Windows and Chrome.

Is there a way to block visitors via WAF if users have a screen resolution of 0x0 and maybe combine with additional rules (e.g. UA contains Windows, Chrome)?

A temporary solution is we captcha US traffic, going to a page with a UA that contains Chrome. A downside is that users who don’t have patience for captchas might not return.

Is there any pattern in these requests? Which exact user agent, same AS, same IP block, etc.?

Hi Sandro,

Here’s what we know so far:

  1. UVs are coming from the US (based on Google Analytics)

  2. Browser agents mostly contain “Windows” and “Chrome”

  3. Visited page is only the homepage (based on GA)

  4. Screen resolution is 0x0 (based on GA)

  5. Direct traffic only and doesn’t go anywhere else.

I’ve attached a screenshot of what it looks like.

Mostly would mean not all. What are the others? How many different user agents is it? Can you post a list?

Also, what about their IP addresses? Completely random? Can you post a few of them?

Have you tried a JavaScript challenge instead of a captcha? That might also stop them while being less of a hassle for genuine visitors.

We filtered first all the screen resolutions of 0x0. So all of them have user agents containing Windows and Chrome. Google Analytics does not have IP addresses for privacy reasons. The spike in traffic is completely random. If you look at the last graph I posted, there’s a shadow graph behind it. That represents the previous week’s traffic.

We’ll try tomorrow the JS Challenge option. If we still see screen resolutions of 0x0, then we’ll have to go back with Captcha.

My worry with JS Challenge is that the bot might be using a JS compatible headless browser like headless Chrome:

Can you list them?

Log files? If it is mostly from the same IP block or AS it is trivial to block them.

True, if they use something with JavaScript support they might be able to pass.

you need to look at your server logs and find info about these requests… it may be a legal bot you don’t want to block. your server probably has nginx or apache installed and probably has request logging turned on.

if you don’t have logs you can use cf worker to send logs containing all relevant info and analyze them

Sample IPs:

2600:1700:cad0:35f0:3d75:c609:5d0d | Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36

2601:cb:8200:3960:5880:70a2:b90:e36 | Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36

72.86.46.120 | Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36

2601:602:cd00:685a:f5da:8a3:3185:735 | Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36

100.35.214.164 | Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36

69.121.30.56 | Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/7.8.1.106 Safari/537.36

98.165.16.82 | Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36

2600:1700:eb00:e380:d83c:40a:58:df14 | Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36

if you don’t have logs you can use cf worker to send logs containing all relevant info and analyze them

This is interesting. Since CF Worker uses JS, can I theoretically check if the screen resolution is 0x0 and if so, redirect it to limbo or itself?

Alright, I am afraid they don’t seem to have much in common which could establish a hard block. There is neither a common pattern in the user agents (apart from Chrome of course) nor in the origin of the requests (IPs and AS’es wildly differ).

What I noticed though is it seems these connections come from actual ISPs and not datacentres. That would speak against traditional crawlers or scrapers and more for a sort of botnet.

If they still visited subpages I’d even consider assuming they might be genuine visitors who have some sort of privacy extension installed which fakes the screen resolution, however if you say they only request the main page and stop there we can probably rule that out.

In the first step I’d probably try the JavaScript challenge. If this still does not block them you could try to increase the security level and play a bit with firewall rules, especially cf.client.bot and cf.threat_score.

If all of that does not work you could fall back to some server-side implementation where you actually check for the resolution.

No, Cloudflare uses JavaScript as a language, but it still runs in a server-side context. You would need access to a browser environment where you can run such a test.

just to add a bit to what sandro said… there are still some things you need to check: maybe they have a common referer? maybe they have a common x_forwarded_for? does each IP hit your site at a specific interval? how many times per minute/hour? how many IPs are actually hitting you with this behavior? if you examine the full logs a little more you could find some pattern.
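The log checks suggested in this reply and in the earlier one about server logs, worked as an added example (not code from anyone in the thread): it tabulates constructed request records, modelled on the sample IP | UA list above, by Chrome build, coarse IP range, path and per-IP hit interval. Record layout, the `plausibleChromeBuild` heuristic and the 203.0.113.9 control entry are assumptions.

```javascript
// Added example, not from the thread. Records are constructed (timestamps and
// the Firefox entry invented); IPs and UAs are taken from the posted sample list.
const SAMPLE_LOG = [
  { t: "2018-11-05T10:00:00Z", ip: "72.86.46.120", path: "/", ua: "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" },
  { t: "2018-11-05T10:00:30Z", ip: "72.86.46.120", path: "/", ua: "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" },
  { t: "2018-11-05T10:01:00Z", ip: "72.86.46.120", path: "/", ua: "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" },
  { t: "2018-11-05T10:00:07Z", ip: "100.35.214.164", path: "/", ua: "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36" },
  { t: "2018-11-05T10:00:09Z", ip: "69.121.30.56", path: "/", ua: "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/7.8.1.106 Safari/537.36" },
  { t: "2018-11-05T10:00:12Z", ip: "2600:1700:eb00:e380:d83c:40a:58:df14", path: "/", ua: "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" },
  // Constructed control record: an ordinary visitor browsing past the homepage.
  { t: "2018-11-05T10:00:15Z", ip: "203.0.113.9", path: "/pricing", ua: "Mozilla/5.0 (X11; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0" },
];

function chromeBuild(ua) {
  const m = /Chrome\/([\d.]+)/.exec(ua);
  return m ? m[1] : null;
}

// Heuristic (assumption): real Chrome builds look like 69.0.3497.100, i.e. a
// two-digit major and a three/four-digit build number. "7.8.1.106" from the
// posted list fails this, which is itself a usable fingerprint.
function plausibleChromeBuild(build) {
  return /^\d{2,3}\.\d+\.\d{3,4}\.\d+$/.test(build || "");
}

// Coarse network key: /24 for IPv4, /32 (first two hextets) for IPv6.
function netKey(ip) {
  return ip.includes(":") ? ip.split(":").slice(0, 2).join(":") + "::/32"
                          : ip.split(".").slice(0, 3).join(".") + ".0/24";
}

function countBy(records, keyFn) {
  return records.reduce((acc, r) => { const k = keyFn(r); acc[k] = (acc[k] || 0) + 1; return acc; }, {});
}

// Seconds between successive hits per IP; a fixed cadence points at automation.
function hitIntervals(records) {
  const byIp = {};
  for (const r of [...records].sort((a, b) => a.t.localeCompare(b.t))) (byIp[r.ip] = byIp[r.ip] || []).push(Date.parse(r.t));
  const out = {};
  for (const [ip, ts] of Object.entries(byIp)) out[ip] = ts.slice(1).map((t, i) => (t - ts[i]) / 1000);
  return out;
}

function summarise(records) {
  return {
    homepageShare: records.filter(r => r.path === "/").length / records.length,
    byBuild: countBy(records, r => chromeBuild(r.ua) || "other"),
    byNet: countBy(records, r => netKey(r.ip)),
    oddBuilds: [...new Set(records.map(r => chromeBuild(r.ua)).filter(b => b && !plausibleChromeBuild(b)))],
    intervals: hitIntervals(records),
  };
}
```

A summary like this is what turns "IPs and AS'es wildly differ" into a concrete decision: if no network or UA key concentrates traffic, blocking by range is off the table and a behavioural rule (homepage-only, fixed cadence, odd build string) is the remaining lever.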

you can for example add a cookie in JS to visitors with a 0x0 screen and block them with the firewall by the cookie
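The cookie-marking idea above, split into its two halves as an added example (not code from the thread or from Cloudflare): the browser half runs in the page and can see `screen`, the edge half only sees request headers, which is the distinction made earlier about Workers running server-side. The cookie name `scr0` and the function names are assumptions.

```javascript
// Added example, not from the thread. MARKER is an invented cookie name.
const MARKER = "scr0";

// Browser half. Written over a screen-like object so it can be tested outside a
// browser; in a page you would call markZeroScreen(window.screen, document).
function zeroScreen(scr) {
  return !scr || !(scr.width > 0 && scr.height > 0);
}

function markerCookieFor(scr) {
  // Only suspicious clients get marked; ordinary visitors receive no cookie.
  return zeroScreen(scr) ? `${MARKER}=1; Path=/; Max-Age=3600; SameSite=Lax` : null;
}

function markZeroScreen(scr, doc) {
  const c = markerCookieFor(scr);
  if (c && doc) doc.cookie = c;
  return c !== null;
}

// Edge half. A Cloudflare firewall rule can express the same check as
//   (http.cookie contains "scr0=1")
// and challenge or block; this function is the equivalent for a Worker or
// any other server-side hook that receives the raw Cookie header.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

function edgeDecision(cookieHeader) {
  return parseCookies(cookieHeader)[MARKER] === "1" ? "challenge" : "allow";
}
```

The marker is only present from the second request on, so a client that hits the homepage once and never returns is still served that first page; this catches repeat traffic, and a bot that discards cookies or does not run the script is unaffected, which is why the earlier replies pair it with a JS challenge and log analysis.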
