Can anyone help me eliminate unwanted traffic?

I run two similar UK websites and for some months now Google Analytics has reported a massive growth in traffic on one of them. It all comes from the US, and when you narrow down the geography, it all comes from Washington or Kansas.

Looking on Cloudflare, HTTP requests run at 5K or below all day long, except 4 times a day, at 10:30am, 4:30pm, 10:30pm and 4:30am, when they spike to somewhere between 15K and 30K, again all from the US.

I can’t see an easy way to identify the IP address of the source of this traffic and block it, which I presume is the easiest thing. So the alternative is to challenge (CAPTCHA) traffic from the US to the paths where all these requests are coming, I guess. Is that right? Or rate limit (but I am not sure how many requests to set the limit at).

I would like to block this traffic BEFORE it is seen by Google Analytics, but so far no joy on that front.

Any suggestions, anyone?!

Applying a CAPTCHA to US traffic could stop Google trawling your site fully if you don’t set it up right.

But first, do these requests hit your server and do you see the traffic in Cloudflare Analytics and the Firewall?


Hi, thanks for replying. Yes, I did think about Google, and applied a rule to block US traffic ONLY to the two pages which were coming up in the paths on Cloudflare.

I see the traffic under requests on CF, with similar spikes in data transfer, less so on page views. Also on visits and also on API requests.

Is it hitting my server? I don’t know, but I presume so. The traffic recorded on Google Analytics is showing up to 10,000 users a day, which is simply not plausible for a site of my size!

With that block in place do you now see any correlation between the hits being blocked in your Firewall at the times these peaks occur?
Same IP or same User Agent etc for example?

I suspect my attempts so far have not worked - I have blocked two pages, but I see that most data in these spikes is a CSS file being transferred, and the two non-pages being accessed are a .js page and another one that doesn’t display anything.

I am not seeing a spike in Firewall events that corresponds with the requests or data transfer, which is why I think I am failing so far!

For clarity, the most common paths are two that don’t lead to pages that a normal viewer would access (i.e. a .js page and another one). And also the .less file (CSS).

Are these site critical files?

Have you tried outright blocking access to just those files and seeing what the Events log shows?

The .less file is critical for viewers, not sure about others, will ask devs now.

If those 3 are the target ones then just blocking 2 (so that you get some logs showing what is hitting them) would still be useful.

Hmm - I was looking at the wrong files - when I zoom in to the spikes, the big hits are .js files which devs tell me will break the site (so I can’t block them).

Are they seeing these hit your server?
Are you not seeing any traffic being blocked in the Firewall at all? Even with the challenge?

Got devs looking at it now. Turns out that all the traffic was coming from two locations, which turned out to be via CF, so we’ve now enabled x-forwarded logging to find where it originates.

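An added example, not part of the thread: once the origin logs the X-Forwarded-For header as described in the post above, a short script can group requests into 30-minute slots and show which client addresses, user agents and paths dominate the spikes. The log layout, the constructed sample lines and every name in it are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Assumed origin log layout: combined format plus a final quoted X-Forwarded-For field.
LINE = re.compile(
    r'(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)"')

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Assumption: Cloudflare is the only proxy, so the rightmost entry is the address
    # it saw connect; anything to the left was supplied by the client and can be forged.
    hops = [h.strip() for h in m["xff"].split(",") if h.strip()]
    client = hops[-1] if hops else m["peer"]
    return ts.replace(minute=ts.minute // 30 * 30, second=0), client, m["ua"], m["path"]

def spike_sources(lines, factor=3, top=3):
    """Report top clients, agents and paths for 30-minute slots above factor x median."""
    buckets = defaultdict(list)
    for slot, *rest in filter(None, map(parse, lines)):
        buckets[slot].append(rest)
    baseline = median(len(v) for v in buckets.values())
    report = {}
    for slot, recs in sorted(buckets.items()):
        if len(recs) > factor * baseline:
            report[slot.strftime("%H:%M")] = {
                "requests": len(recs),
                "clients": Counter(r[0] for r in recs).most_common(top),
                "agents": Counter(r[1] for r in recs).most_common(top),
                "paths": Counter(r[2] for r in recs).most_common(top)}
    return report

def sample_log():
    """Constructed lines: four quiet slots and one burst at 10:30 (documentation IPs)."""
    fmt = ('198.51.100.1 - - [12/Mar/2024:{t} +0000] "GET {p} HTTP/1.1" '
           '200 512 "-" "{ua}" "{x}"')
    lines = [fmt.format(t=t, p="/", ua="Mozilla/5.0", x=ip)
             for t in ("09:05:00", "09:40:00", "10:10:00", "11:05:00")
             for ip in ("192.0.2.10", "192.0.2.11")]
    for i in range(10):
        xff = "10.0.0.1, 203.0.113.7" if i == 0 else "203.0.113.7"  # one forged prefix
        lines.append(fmt.format(t=f"10:30:{i:02d}", p="/js/app.js",
                                ua="ExampleBot/1.0", x=xff))
    return lines
```

Calling `spike_sources(sample_log())` returns only the 10:30 slot; the addresses and user agents it lists there are the candidates for a block or rate-limit rule.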

Hi, take a look and let me know if you need help.
