I've started getting requests for lots of unknown domains


#1

I’ve been using CF for a while now with no issues, but the last few days my server has been pinned at 100% CPU and disk usage. Upon inspection I noticed that it was also doing 30mb/20mb on the network interface. I checked the access logs for my nginx server and it’s going absolutely crazy. I’m getting requests from lots of different IPs to sites like:

rabb-it.top
bet665.com
vk.com
ukrainianpapers
williamhill.com
domovok.com

All 301 responses.

I noticed that most of these domains seem to use Cloudflare for their DNS. I’m getting in the region of around 150-200 requests a second, which is much more than I expect.

I’m just a little bit stumped. I’ve also asked my server provider the same questions but I can’t seem to get to the bottom of it. It doesn’t seem malicious and looks like requests are just getting bounced off my server.

Any help is greatly appreciated. Thanks


#2

What exactly does this mean?

This comes from your server.

Can you post a log excerpt?


#3

I’m not even sure there’s a way to block this upstream. If they’re using Cloudflare DNS, then they’re probably going through Cloudflare, just like legitimate requests.

I suppose one could block Port 80 and let requests fail due to SSL instead, though I’ve not tried this.


#4
149.28.123.197 - - [16/Mar/2019:17:50:38 +0000] "CONNECT www.hibbett.com:443 HTTP/1.0" 400 173 "-" "-" "-"
94.103.95.181 - - [16/Mar/2019:17:50:39 +0000] "CONNECT proxychecker.unne.ru:443 HTTP/1.1" 400 173 "-" "-" "-"
2.100.248.171 - - [16/Mar/2019:17:50:47 +0000] "GET http://update.utorrent.com/checkupdate.php?s=1&cl=uTorrent&v=111783512&qv=111783512&l=en&svp=4&svn_revno=44632&tk=stable34&cmp=290&ocmp=290&ttaP=11&ttdP=24&period=8&sids=33,32,0,0,0&lv=0_0_&def_tor_changed=0&c=US&w=42EE000A&h=05oSp5Rwp5iXaqJw&mts=31&tor_all=7&tor_down=7&tor_in=7&tor_nl=7&ttt=403&tta=145&tdu=18&tco=3&ttd=382&ttc=230&gnc=233&trc=1&prc=318968&flc=1&spc=6&nat_state=255&pc=8&pt=h&sctl=1&shdi=1&def_tor=1&w64=1&doainstalled=0&ie=9.11.17134.0&xim=1&insvr=111389996&sss=3&rsb=377&rtsb=1710506105&view=win32&cmp=290&ocmp=290&db=chrome&plus=1&adc=1&ch_up=1?fg=319209000&t_upP_=1338358180194&t_downP_=30647463118053&t_up=31351721573&t_down=716864991299&mt=141307802883&ssb=36501960&ssu=11680975560&xseq=119&cau_time=0 HTTP/1.1" 301 185 "-" "BTWebClient/354S(44632)" "-"
178.217.66.226 - - [16/Mar/2019:17:51:12 +0000] "GET http://chekfast.zennolab.com/proxy.php HTTP/1.1" 301 185 "RefererString" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0" "-"

Lots of these.

It’s almost as if my nginx server is being used as someone’s proxy. Any ideas of how to diagnose or fix this? It’s absolutely destroying my server.


#5

They do, or at least attempt to. The CONNECT requests fail straight away, whereas the regular proxy requests seem to be recognised as a local request (ignoring the FQDN) and get a redirect, which is probably because of your configuration.

Are you sure these requests come through Cloudflare and do not go straight for your server? I’d usually expect Cloudflare to block such a type of request, but who knows :slight_smile:


#6

Considering those domains all use Cloudflare name servers, I’m guessing they’re coming through Cloudflare.

Again, I’m not sure how one could deflect misdirected requests that come through Cloudflare. Maybe @cscharff can offer a suggestion.


#7

Do they? Only zennolab.com seems to do and hibbett.com seems to be on a partner setup. To me it still seems like regular HTTP/SSL proxy request.

Did I miss anything obvious?


#8

OP said “most.” (I thought “all”, so I checked back)

Blocking non-Cloudflare routed requests is easy: Firewall anything that doesn’t come from Cloudflare IPs.

But what about the ones that do come through Cloudflare?


#9

It rather seems (almost) none :smile:

That would be the first thing to establish.

Question is, do they actually come through Cloudflare? If they do, the CONNECT method could be blocked, and possibly request URLs which do not contain a path but a full-fledged URL, but I’m not sure if that is possible under firewall rules in the first place.


#10

Firewall rules only apply to the domain/zone you’re working on. If requests are coming through someone else’s Cloudflare account, it seems you’re out of luck. I guess one could hound Support to remove domains that incorrectly point to your server, but that’s labor intensive and prone to abuse on shared servers.


#11

The requests do go through the OP’s domain in this case, they simply target a different URL in the request, which is perfectly valid for a proxy setup.

I just ran a quick test and it seems there is no way to address request URLs of this type with firewall rules.

I’d contact support - or even better - pester @cscharff :slight_smile:


#12

One thing, it seems CONNECT requests are blocked by Cloudflare, which would really make me wonder if these requests go through Cloudflare at all. At least the CONNECT ones. @th0rn0, you should check that.
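As an added example (not code from the thread), here is a small Python check for the question raised above: parse nginx access-log lines, flag CONNECT and absolute-URL requests as proxy-style, and test whether each client IP falls inside Cloudflare’s ranges. The Cloudflare ranges listed are only a subset (the current list comes from https://www.cloudflare.com/ips-v4), and the sample log lines are constructed.

```python
# Added example, not from the thread: classify nginx access-log lines and
# check whether the client IP is a Cloudflare edge. A proxy-style request
# from a non-Cloudflare IP never touched Cloudflare, so zone firewall rules
# cannot stop it; only the host firewall can.
import ipaddress
import re
from collections import Counter

# Assumption: subset of Cloudflare's published IPv4 ranges; fetch the
# current list from https://www.cloudflare.com/ips-v4 before relying on it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13", "172.64.0.0/13",
    "162.158.0.0/15", "141.101.64.0/18", "108.162.192.0/18", "198.41.128.0/17",
)]

# Matches the nginx "combined" prefix: ip ident user [time] "METHOD target HTTP/x" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def from_cloudflare(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)

def classify(line: str):
    """Return (ip, kind); kind is 'connect', 'absolute-uri' or 'normal'. None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    if m.group("method") == "CONNECT":
        kind = "connect"                       # tunnel attempt (HTTPS proxy use)
    elif m.group("target").lower().startswith(("http://", "https://")):
        kind = "absolute-uri"                  # forward-proxy style GET/POST
    else:
        kind = "normal"                        # ordinary path request
    return m.group("ip"), kind

def summarize(lines):
    """Count proxy-style requests by (kind, came_via_cloudflare) and by client IP."""
    by_kind, by_ip = Counter(), Counter()
    for line in lines:
        parsed = classify(line)
        if parsed is None or parsed[1] == "normal":
            continue
        ip, kind = parsed
        by_kind[(kind, from_cloudflare(ip))] += 1
        by_ip[ip] += 1
    return by_kind, by_ip

# Constructed sample modelled on the excerpt posted above (IPs are made up).
SAMPLE = [
    '203.0.113.7 - - [16/Mar/2019:17:50:38 +0000] "CONNECT example.net:443 HTTP/1.0" 400 173 "-" "-" "-"',
    '198.51.100.9 - - [16/Mar/2019:17:50:47 +0000] "GET http://example.org/check.php?x=1 HTTP/1.1" 301 185 "-" "Client/1" "-"',
    '104.16.1.1 - - [16/Mar/2019:17:51:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"',
    '104.16.1.2 - - [16/Mar/2019:17:51:05 +0000] "GET http://example.org/proxy.php HTTP/1.1" 301 185 "-" "Mozilla/5.0" "-"',
]
```

Run `summarize` over a real access log (one line per entry) and any proxy-style hits counted under `False` are direct-to-origin traffic that a Cloudflare-only host firewall would drop.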


#13

Thanks for the help all

I’ve gone ahead and added that list of IPs to my server’s firewall and only allowed ports 80 and 443 for those IPs (there are others open for servers that don’t resolve through CF).

Quick 5 min check and it seems to have stopped the majority of the requests.

So am I right in thinking that it’s not a Cloudflare issue if this is the case? I’ll keep an eye on it and report back in an hour or so.

Again thanks for the help - much appreciated


#14

Everything seems normal for now. Access logs aren’t going crazy. Thanks again


#15

Another consideration is what comes after the, in your case, GET requests - checkupdate.php?* & proxy.php. In my own case I received multiple POST … php attempts using not only intended malicious POST attempts to my site via .php coding but also a few very offensive (think racist) xxx.php wordings. One would think the offender would give up after an hour or two, but they tried on and off for approx 4 hours. Fortunately I had a Firewall Rule set up to block POST requests, among others, not going to my absolute URL via https. I’ve since bought the Pro Plan for better Firewall management via the WAF, though I do still rely on certain Firewall Rules. :slightly_smiling_face: