WAF Blocked 480k requests from signing.cloudflarepackager.com. What is this?

Hi There,

In the last 24 hours, WAF blocked 480k (and counting) requests from signing.cloudflarepackager.com to mywebsite.com/transform

Does anyone knows what is this about? Is it related to AMP Real URL?

1 Like

That “Host” field is supposed to be your end, not the “attacker.” So it’s interesting that it’s showing up in your firewall log. Yet the source IP address is Cloudflare…but ASN is Google.

That’s all kinds of weird. Maybe an @MVP can decipher this.

1 Like

I saw the same in my own logs earlier. I sometimes see hostnames in my ELS logs that are not mine, but this one is pretty big. I assumed it was related to signed exchanges, and did not pay much attention to it.

Started with a burst between 11:00 and 15:15 on the 25th, then started a ramp up just after midnight on the 26th, and has being going solidly ever since. Peaks at 21:00, but drops off overnight. (Times are BST)

I also see related log entries for signing.cloudflarepackager.com/keyless, again POST requests from Google, no UA, same IP etc., but with a 200 status code.

This looks like AMP Real URL feature related, it uses Signed HTTP Exchanges.

100173 was recently updated https://developers.cloudflare.com/waf/change-log/2020-09-07/ maybe buggy ?

1 Like

It’s still happening today. 420k in the last 24h

Screen Shot 2020-09-29 at 13.39.23

BTW: i have AMP Real URL enabled since the beta release, and it never worked for us. Our site’s URL in Google/Discover/News always shows as “site-com.cdn.ampproject.org

Does your site have enough content to generate 420k/24h requests from a Google Bot crawler?

I guess… here is our search console stats (pages crawled per day):

Screen Shot 2020-09-29 at 21.07.09

Why do you ask?

I’ve opened a ticket in relation to my own domains with this issue. 1988215. Will update when I hear anything.

3 Likes

I see that issue on one domain, but because the content is small, the crawler came two times.
So I couldn’t validate as the Google Crawler, with your data that is almost sure.

1 Like

In a holding pattern on my ticket:

Thank you for contacting Cloudflare Support.

Thanks for the report. Upon review, I’ve raised this internally with our teams regarding the service making these requests.

We will keep you posted with any updates.

2 Likes

Our engineering team is investigating the cause of the requests. At this time we do not have an ETA on when a resolution will be made, but will keep you updated on the progress.

I will mark this as on-hold for now.

Might be related:

https://community.cloudflare.com/t/amp-real-url-rate-limiting/209967?u=michael

2 Likes

It looks like it.

The number of firewall events is dropping off, seems to be in line with the deployment of the fix mentioned in the Amp Real URL Rate Limiting issue.

Saw a similar issue in my domain.

But, Last 24 hours i see a downturn in number of event.

Thank you.

The events in my firewall log dropped to zero in line with the status updates, and my ticket has been closed. I’m curious what the root cause was.

3 Likes

The events dropped here, too.

Just one more thing, this error may have affected our traffic. Our mobile traffic (mainly from google discover) is low since october, 25th. And here is our Search Console report for AMP pages.

Hoping this could fix the issue.

Google indexer having some issues, which might be related.

1 Like

Here we go again…

Screen Shot 2020-10-10 at 00.29.41