Lots of "\x01" logs in nginx access log, crashing it ultimately

I get a lot of requests like this in nginx access log from different ip addresses:

  • {redacted} - - [11/Nov/2021:20:29:13 +0330] "\x01" 400 150 "-" "-"

  • {redacted} - [11/Nov/2021:20:29:13 +0330] "\x01" 400 150 "-" "-"

  • {redacted} - - [11/Nov/2021:20:29:13] "\x01" 400 150 "-" "-"

  • {redacted} - - [11/Nov/2021:20:29:13] "\x01" 400 150 "-" "-"

  • {redacted} - [11/Nov/2021:20:29:13] "\x01" 400 150 "-" "-"

  • {redacted} - - [11/Nov/2021:20:29:13] "\x01" 400 150 "-" "-"

  • {redacted} - - [11/Nov/2021:20:29:13] "\x01" 400 150 "-" "-"

These don't even have an HTTP verb. My servers are behind Cloudflare and are proxied. I expected that Cloudflare would intercept these kinds of requests, but they are delivered to nginx and it crashes after a while. Moreover, my servers lose their network access for some time, maybe because of the flood of requests, until they are back online again.

Can anyone please help me or guide me on how to fix this?

None of those IPs are in Cloudflare’s range. It is likely that someone is hitting your server by IP directly.

One thing you could do is set up authenticated origin pulls. This means that nginx would block all requests that aren't signed by Cloudflare.

If you wanted to go more extreme you could firewall all IPs except Cloudflare’s. The only catch here would be making sure that you keep the IP ranges up to date.

3 Likes
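The two checks this reply relies on, that the logged source addresses are not Cloudflare edges and that the request field is not a real HTTP request line, can be scripted for triage, and the same range list can be turned into the "firewall everything except Cloudflare" ruleset the reply suggests. The following is an added example, not code from the thread or from Cloudflare; it uses only the Python standard library. The Cloudflare ranges in it are an illustrative subset that must be replaced by the current list from https://www.cloudflare.com/ips-v4 (and ips-v6), the log lines are constructed stand-ins for the redacted ones in the post, and the nftables rendering is an assumption about how one would express the allowlist, to be reviewed before loading.

```python
"""Triage nginx access-log lines for non-HTTP garbage such as "\x01" and
check whether each source address lies in Cloudflare's published ranges.
Added example for this thread; not the original poster's or Cloudflare's code."""
import ipaddress
import re

# Assumption: an illustrative subset of Cloudflare's IPv4 ranges.  In
# production, fetch the current list from https://www.cloudflare.com/ips-v4
# (and ips-v6) and refresh it on a schedule, since the ranges change.
CLOUDFLARE_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in ("173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13")
]

# nginx "combined" format: $remote_addr - $remote_user [$time_local]
# "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# A well-formed request line is METHOD SP request-target SP HTTP/x.y
REQUEST_LINE_RE = re.compile(r"^[A-Z]+ \S+ HTTP/\d(?:\.\d)?$")


def is_cloudflare(ip: str) -> bool:
    """True when ip falls inside one of the configured Cloudflare ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)


def triage(lines):
    """Parse access-log lines and classify each one.

    Each result records the source IP, the raw request field, whether that
    field looks like a real HTTP request line, and whether the source IP is
    a Cloudflare edge.  Lines that do not parse are skipped.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        req = m.group("request")
        findings.append({
            "ip": m.group("ip"),
            "request": req,
            "is_http": bool(REQUEST_LINE_RE.match(req)),
            "from_cloudflare": is_cloudflare(m.group("ip")),
        })
    return findings


def direct_hits(lines):
    """Deduplicated, sorted source IPs that sent malformed requests straight
    to the origin, i.e. without coming from a Cloudflare range."""
    return sorted({
        f["ip"] for f in triage(lines)
        if not f["is_http"] and not f["from_cloudflare"]
    })


def render_nft_allowlist(ranges=CLOUDFLARE_RANGES, ports=(80, 443)) -> str:
    """Render an nftables ruleset that admits only the given ranges to the
    listed TCP ports and drops everything else on them.  Review before
    loading with `nft -f`; the IPv6 set is left out for brevity."""
    elems = ", ".join(str(n) for n in ranges)
    plist = ", ".join(str(p) for p in ports)
    return (
        "table inet origin_guard {\n"
        "    set cloudflare_v4 {\n"
        "        type ipv4_addr\n"
        "        flags interval\n"
        f"        elements = {{ {elems} }}\n"
        "    }\n"
        "    chain input {\n"
        "        type filter hook input priority 0; policy accept;\n"
        f"        tcp dport {{ {plist} }} ip saddr @cloudflare_v4 accept\n"
        f"        tcp dport {{ {plist} }} drop\n"
        "    }\n"
        "}\n"
    )


# Constructed sample log lines standing in for the redacted ones in the post.
# nginx writes the raw 0x01 byte into the log as the four characters \x01.
SAMPLE_LOG = [
    r'198.51.100.7 - - [11/Nov/2021:20:29:13 +0330] "\x01" 400 150 "-" "-"',
    r'198.51.100.7 - - [11/Nov/2021:20:29:13 +0330] "\x01" 400 150 "-" "-"',
    r'203.0.113.9 - - [11/Nov/2021:20:29:14 +0330] "\x01" 400 150 "-" "-"',
    r'173.245.48.10 - - [11/Nov/2021:20:29:15 +0330] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
    print("direct hits:", direct_hits(SAMPLE_LOG))
    print(render_nft_allowlist())
```

Run against a real log with `triage(open("/var/log/nginx/access.log"))`: if `direct_hits` is non-empty, the traffic is reaching the origin without passing through Cloudflare, which is exactly the situation the reply describes. Keeping the allowlist correct is the operational cost of the firewall option, so the range list should be regenerated from Cloudflare's published source rather than hand-maintained.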

If the server is properly configured to restore visitor IP addresses, then NGINX logs shouldn’t show Cloudflare IP addresses.

You might want to try to enable Normalizing URLs:
https://developers.cloudflare.com/rules/normalization

Beyond that, you’d have to go through the normal process of blocking unwanted traffic, as in Step 3 of this tutorial:

3 Likes

Thank you very much. Your quick reply helped me a lot. I think you are right about the attack being made directly to the server and bypassing Cloudflare. I ended up firewalling all IPs except Cloudflare’s.

Thank you for your help. You are right about NGINX logs and restoring visitor IP addresses. Those samples are IPs of visitors. Normalized URLs didn’t help in this matter, since these requests were not even a valid HTTP request.

However, thanks to you, I learned a lot from the link that you provided and was able to mitigate this issue.

1 Like
