Multiple Request logs on IIS web log


#1

We have F5 and virtual servers… we implemented Cloudflare a couple of weeks back… Now we are observing some intermittent spikes in the number of connections to the application server. When I analyzed the IIS logs… I found many identical requests in a single second for one session ID. (So say in 9 to 10 seconds… there could be 60 or 70 identical requests… same URL, same session_id)…

Does anyone know where to look?

Here are sample requests (there are many at this timestamp):

2019-02-21 17:03:54 W3SVC1 Web9 10.2.3.1 POST /admin/Customer.aspx - 80 - 212.67.150.94 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/72.0.3626.109+Safari/537.36 __cfduid=dfpois4f4976771ed1ff951565432187;+BIGipServerct-pool=6598874521.32567.0000;+BIGipServersite.sitess.com=2149888522.20480.0000;+ASP.NET_SessionId=3ds43sdk3oc0em1mvz53ovw https:site.sitess.com/admin/Customer.aspx site.sitess.com 302 0 0 584 2500 125 204.185.86.249

2019-02-21 17:03:54 W3SVC1 Web9 10.2.3.1 POST /admin/Customer.aspx - 80 - 212.67.150.4 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/72.0.3626.109+Safari/537.36 __cfduid=dfpois4f4976771ed1ff951565432187;+BIGipServerct-pool=6598874521.32567.0000;+BIGipServersite.sitess.com=2149888522.20480.0000;+ASP.NET_SessionId=3ds43sdk3oc0em1mvz53ovw https:site.sitess.com/admin/Customer.aspx site.sitess.com 302 0 0 584 2500 593 204.185.86.249
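An added example, not part of the original post: one way to confirm the pattern described above is to group IIS log entries by second, method, URL and ASP.NET_SessionId, then report every group with more than one hit along with the connecting addresses seen. The field order, the `x-extra` name for the last column and the sample lines are assumptions constructed from the two log lines quoted above.

```python
from collections import defaultdict

# Field order assumed from the sample lines in the post; a real log states it
# in its "#Fields:" header, which should be preferred when present.
FIELDS = ("date time s-sitename s-computername s-ip cs-method cs-uri-stem "
          "cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) "
          "cs(Cookie) cs(Referer) cs-host sc-status sc-substatus "
          "sc-win32-status sc-bytes cs-bytes time-taken x-extra").split()

def session_id(cookie_field):
    """Extract ASP.NET_SessionId from the cs(Cookie) field (';+' separated)."""
    for part in cookie_field.split(";"):
        name, _, value = part.lstrip("+").partition("=")
        if name == "ASP.NET_SessionId":
            return value
    return None

def find_bursts(lines, threshold=2):
    """Return groups of same-second, same-URL, same-session requests."""
    groups = defaultdict(list)
    for line in lines:
        values = line.split()
        if line.startswith("#") or len(values) != len(FIELDS):
            continue  # header or unexpected layout: skip, do not misread columns
        rec = dict(zip(FIELDS, values))
        sid = session_id(rec["cs(Cookie)"])
        if sid:
            key = (f"{rec['date']} {rec['time']}", rec["cs-method"],
                   rec["cs-uri-stem"], sid)
            groups[key].append(rec)
    return [{"second": k[0], "method": k[1], "url": k[2], "session": k[3],
             "count": len(groups[k]),
             "client_ips": sorted({r["c-ip"] for r in groups[k]})}
            for k in sorted(groups) if len(groups[k]) >= threshold]

# Constructed sample input (documentation addresses, made-up session ids).
_TPL = ("2019-02-21 {t} W3SVC1 Web9 10.2.3.1 POST /admin/Customer.aspx - 80 - "
        "{ip} HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1) BIGipServerct-pool=1.2.0000;"
        "+ASP.NET_SessionId={sid} https://example.test/admin/Customer.aspx "
        "example.test 302 0 0 584 2500 {tt} 198.51.100.7")
SAMPLE = [_TPL.format(t=t, ip=ip, sid=sid, tt=tt) for t, ip, sid, tt in [
    ("17:03:54", "192.0.2.10", "aaa111", 125),
    ("17:03:54", "192.0.2.11", "aaa111", 593),
    ("17:03:54", "192.0.2.10", "aaa111", 140),
    ("17:03:57", "192.0.2.12", "bbb222", 90)]]

if __name__ == "__main__":
    print(*find_bursts(SAMPLE), sep="\n")
```

Running the same grouping over the F5 and Cloudflare logs for the same time window shows at which hop the request count first multiplies.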


#2

Those appear to be POST requests… so login attempts perhaps? You might look at rate limiting to protect the site from brute force login attempts.


#3

These are the pages… that process after the login… we saw this behavior (multiple POST requests on the web server by a single ASP.NET session) when the load is a little high.

We are pretty sure that the user isn’t processing these from the UI… as after one request there will be a delay of at least 2-3 seconds to get another request from the same user… it's either Cloudflare that sends multiple requests to our F5 domain… or F5 that sends multiple requests to the web server…

We never had an issue with F5 in the past… we observed this behavior only after implementing Cloudflare.


#4

Unless you’ve written a worker to cache PUT requests, I don’t see how it could be Cloudflare. Do you have a lot of legitimate users for your website coming from the University of Missouri?