Our website operates on Cloudflare’s Business plan.
Recently, we have detected that our website gets a large number of visits which, according to our research, are junk visits. These junk visits skew our third-party and in-house tracking reports.
Here are the main characteristics of those visits:
- The user agent is “Mozilla/5.0”, which is not a common user agent for legit clients.
- They have no referrer page
- No cookies
- They come from 2 specific ASNs (both from Amazon)
- All of them are GET requests
- They come from different countries
We have tried to mitigate those visits with a firewall rule by imposing a Managed Challenge to them. It did not work.
Here is an example of the WAF rule condition:
(http.request.uri.path contains "xyz/xyz" and http.user_agent eq "Mozilla/5.0")
We also imposed a Browser Integrity Check and “Security Level: High” rule to those requests via a Page Rule. It also did not work.
My questions are:
- Why was Cloudflare not able to detect and mitigate those visits without (or with) a WAF rule in the first place?
- Do you have any advice on how to deal with these junk requests?
Really!? The user agent string for Firefox 115.0.2 is
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
This means nothing. Any request can have no referrer if the Referrer-Policy header is set to
Well, browsing a website is usually done with GET, not PUT or DELETE.
So you only ever have people from one specific country browsing your site?
Unfortunately people do set up crappy stuff on AWS.
Have you tried simply blocking/issuing the challenge to the specific ASN(s)?
I believe the OP meant the user-agent only refers to Mozilla
As for the other issues, I think he did not mean that each individual was an issue, but only listed common request parameters.
Mark that down as another thing I misunderstood. I make an unfortunate habit of that at times.
Thanks for explaining this to “the”.
These are junk visits and I just wanted to describe their characteristics.
By the way, the user agent is just “Mozilla/5.0”. Do you know this as a legit User Agent? As far as I know it should contain more information (i.e. OS info).
Yes, people do set up crappy stuff on AWS, but I was expecting Cloudflare to detect this behavior one way or another. I am not complaining, this was just my expectation on a paid account.
I will discuss the rule you proposed with my colleagues and get back.
I was just hoping that Cloudflare’s technology would be able to detect this junk traffic automatically.
Any more ideas on that?
Thank you for your time and willingness to help.
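An added example (not code from any poster in this thread or from Cloudflare): one way to keep such visits out of in-house tracking reports is to require the characteristics listed in the first post together, rather than any one alone, shown here over constructed log records. The record layout, field names and ASN values (documentation-range placeholders, since the thread gives no numbers) are assumptions.

```python
from collections import Counter

BARE_UA = "Mozilla/5.0"        # the exact value the rule's `eq` compares against
SUSPECT_ASNS = {64500, 64501}  # placeholders from the documentation ASN range

FIREFOX_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) "
              "Gecko/20100101 Firefox/115.0")

# Constructed sample records (assumed layout of an in-house request log).
SAMPLE = [
    {"method": "GET", "path": "/xyz/xyz/1", "ua": "Mozilla/5.0",
     "referer": "", "cookie": "", "asn": 64500, "country": "US"},
    {"method": "GET", "path": "/xyz/xyz/2", "ua": "Mozilla/5.0",
     "referer": "", "cookie": "", "asn": 64501, "country": "DE"},
    # Real browser on a direct visit: no referrer, no cookie, but a full UA.
    {"method": "GET", "path": "/xyz/xyz/1", "ua": FIREFOX_UA,
     "referer": "", "cookie": "", "asn": 64510, "country": "FR"},
    # Bare UA from an unrelated network with a session cookie: kept.
    {"method": "GET", "path": "/pricing", "ua": "Mozilla/5.0",
     "referer": "https://example.com/", "cookie": "sid=abc",
     "asn": 64511, "country": "US"},
]

def signals(req):
    """Return the names of the listed characteristics this request shows."""
    checks = {
        "bare_ua": req["ua"].strip() == BARE_UA,
        "no_referer": not req["referer"],
        "no_cookie": not req["cookie"],
        "suspect_asn": req["asn"] in SUSPECT_ASNS,
        "get": req["method"] == "GET",
    }
    return {name for name, hit in checks.items() if hit}

def is_junk(req):
    # Weak signals (GET, no referrer) also match ordinary visitors, so the
    # distinctive ones must all be present at once.
    required = {"bare_ua", "suspect_asn", "no_referer", "no_cookie"}
    return required <= signals(req)

def split_report(requests):
    """Split requests into (clean, junk) for reporting."""
    junk = [r for r in requests if is_junk(r)]
    clean = [r for r in requests if not is_junk(r)]
    return clean, junk

def junk_by_asn(requests):
    """Count flagged requests per ASN to confirm where they originate."""
    return Counter(r["asn"] for r in requests if is_junk(r))
```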