User agent "Java/11.0.10" from IPs starting from 162.158 or 141.101 crawls website aggressively

Hi,

I am having a strange issue on my website since I started to test cloudflare a few days ago. My server crashes a few times a day with one and five minutes load avarages reaching up to 100 on a 2 cpu server. Note that my load averages are normally less than 2.

After investigating the cause of the issue from my server logs, I realized that the culprit is a user agent called “Java/11.0.10” with IPs starting from 162.158 and 141.101.

Some of the IPs are:
162.158.94.167
162.158.91.156
162.158.88.7
162.158.89.63
141.101.76.175
141.101.105.119
141.101.104.200

I can see that these IPs are coming from cloudflare. The requests hit several pages on the website at once, crashing the server.

Now my questions are:

1. Are these requests coming from cloudflare in order to preload the cache?
2. What is user agent “Java/11.0.10”?
3. If the requests are not coming from Clouflare, how can I block the user agent or the IP ranges from crawling the website while allowing legitimate users to continue to access the website?

Thank you in advance.
Sadiq

You need to do this first:
https://support.cloudflare.com/hc/en-us/articles/200170786-Restoring-original-visitor-IPs

These are not, they’ll be coming from some user probably looking for ways to exploit the site. (For example, looking for a .git folder, unprotected admin panel, etc). You should restore the IP like @sdayman sent in order to see the real IP of the user.

This comes from a program running with Java 11. They didn’t change the User-Agent so it’s the default one.

You can block the User-Agent easily in the Firewall Rules. You can also block the IP the same way (once it’s restored).

image1107×821 47.2 KB

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.