URI query string being rewritten

This is sort of a general question to see if anyone here has seen or has experience with anything similar to what I am seeing.

Over the last few weeks my company’s website has seen a huge surge in traffic, all from Microsoft’s ASN8075 network. This traffic comes as a result of our daily newsletter to our customers and in nearly every case the URI query parameters have been re-written - the Google Analytics utm_ variables are all made into gibberish and, more annoying, the page= variable that is pretty necessary for our site to function properly has also been re-written, always to a similar nonsense string, for example instead of page=“Register” we see in the request logs page=“Vafgehd” or page=“Eftvfgfe”.

I suspect it’s some kind of automated link scanner - I have created a few firewall rules in Cloudflare to mitigate this - interestingly if I set the action of the firewall rule to JS Challenge it shows it gets solved nearly 30% of the time but if I change it to a CAPTCHA Challenge then the solved rate drops to nearly zero.

I’m at a loss as to where this is suddenly coming from, if I should be worried about it, if I should be allowing the traffic, filtering it or outright blocking it. Has anyone else ever seen this or have any ideas about what it is or how I should handle it? I’ve reached out to Microsoft’s abuse contact and haven’t heard anything back, which doesn’t really surprise me.

Hi,

This behavior has all the signs of malicious activity. Never mind trying to understand what they want to accomplish (other than make your server spend resources with a large number of 404 responses).

If you have a limited number of legitimate page= parameters, you can add them in a Firewall Rule like:

If URI Query String does not contain … then challenge.

Same thing for the utm_ parameters.

Also, you may want to create, even if temporarily, a very simple 404 page, perhaps with just the word 404. In an Apache server, you could try adding to the .htaccess file:

ErrorDocument 404 404

Checking your Firewall Events log, do you see other ASNs that are repeatedly used? You can create a rule to challenge requests coming from ASNs as well.


Thank you for the reply! My initial thought was that it was malicious as well, but the fact that it all comes from Microsoft’s ASN (granted it’s their peering network so could be anyone) and the fact that I know about 80% of our customer base uses Microsoft for their email and security, it just made me want to really make sure before I start blocking traffic. I obviously don’t want to put in some restriction that blocks or makes it inconvenient for our customers to visit our site. So had to make sure.

I do have a limited number of legitimate page= parameters so could put in a rule like that. Do you know if that would block traffic when there are no parameters? Like if they just visit our home page? “Not equal” rules always make me nervous.

A little bit of inconvenience in the form of Captchas is nowadays part of the experience in navigating the web, unfortunately. It’s very hard to pinpoint only malicious requests and never catch legit visitors with the same net. But you should definitely use Challenge (Captcha) instead of outright block. Legitimate visitors may copy and paste URLs from somewhere and have the parameters somehow truncated, which would result in Captcha, but I find the odds of that happening very small. Monitor the Firewall Events log and adjust the rule accordingly.

If you use the URI Query String field in Firewall Rules, it won’t block any request that does not contain a QS.

https://developers.cloudflare.com/firewall/cf-firewall-language/fields#standard-fields
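The allow-list approach suggested in the reply above, and the question of what happens to requests that carry no query string at all, can be checked offline against request logs before a rule goes live. The following is an added example written for this thread, not code posted by either participant or by Cloudflare: it implements the page= allow-list as a log-side triage function (requests without a query string or without a page= parameter are left alone, requests whose page= value is not on the list are marked for challenge) and generates the matching Firewall Rules expression text from the same list. The allow-list values and the sample request paths are constructed; the field name `http.request.uri.query` and the `contains` / `not` / `or` operators are taken from memory of the Cloudflare Rules language and should be compared against the documentation page linked above before use.

```python
from collections import Counter
from typing import Dict, Iterable, List
from urllib.parse import parse_qs, urlsplit

# Constructed allow-list of legitimate page= values (assumption; substitute
# the site's real set of pages).
ALLOWED_PAGES = {"Register", "Login", "Account", "Home"}

# Constructed sample request paths modelled on the thread's description:
# real newsletter links with utm_ tags, the same links with rewritten values,
# and requests that carry no page= parameter or no query string at all.
SAMPLE_REQUESTS: List[str] = [
    "/index.php?page=Register&utm_source=newsletter&utm_medium=email",
    "/index.php?page=Vafgehd&utm_source=Arjfyrggre&utm_medium=rznvy",
    "/index.php?page=Eftvfgfe",
    "/",
    "/index.php?utm_source=newsletter",
]


def decide(path: str, allowed_pages: Iterable[str] = ALLOWED_PAGES) -> str:
    """Return 'allow' or 'challenge' for one request path.

    Only requests that actually carry a page= parameter are judged; a bare
    home-page hit or a link with utm_ tags but no page= is left alone, so the
    rule cannot lock out visitors who arrive without parameters.
    """
    query = urlsplit(path).query
    if not query:
        return "allow"  # no query string: nothing to evaluate
    params = parse_qs(query, keep_blank_values=True)
    pages = params.get("page")
    if pages is None:
        return "allow"  # query string present but no page= parameter
    allowed = set(allowed_pages)
    # A request may repeat page=; every value must be a known page.
    return "allow" if all(p in allowed for p in pages) else "challenge"


def triage(paths: Iterable[str]) -> Dict[str, str]:
    """Map each request path to its decision, for review against a log sample."""
    return {p: decide(p) for p in paths}


def summarize(paths: Iterable[str]) -> Dict[str, int]:
    """Count decisions so the expected challenge rate is known before deploying."""
    return dict(Counter(triage(paths).values()))


def build_rule_expression(allowed_pages: Iterable[str]) -> str:
    """Produce the Firewall Rules expression equivalent to decide().

    Field and operator names are assumed from the Cloudflare Rules language
    (http.request.uri.query, contains, not, and, or); verify against the docs.
    """
    clauses = " or ".join(
        f'http.request.uri.query contains "page={p}"' for p in sorted(set(allowed_pages))
    )
    # Gate on the presence of page= so requests without it never match.
    return f'http.request.uri.query contains "page=" and not ({clauses})'


if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_REQUESTS).items():
        print(f"{verdict:9s} {path}")
    print(summarize(SAMPLE_REQUESTS))
    print(build_rule_expression(ALLOWED_PAGES))
```

Because `contains "page=Register"` is a substring test, a value such as `page=Registered` would also pass the generated expression; if the site has page names that are prefixes of one another, match on the full `page=Name&` or `page=Name` form, or move to an exact comparison on the individual parameter once the rule is confirmed against the Firewall Events log.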