0

I have an HTTPS site which, for the past week, has been receiving a lot of strange requests just to the main page of the website (+ 2 JS and 1 CSS files, but no images). In the nginx logs it looks like:

193.151.188.114 - - [02/Feb/2021:13:09:32 +0100] "GET / HTTP/1.1" 200 4992 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
193.151.188.114 - - [02/Feb/2021:13:09:33 +0100] "GET /js/jq.v.11.js HTTP/1.1" 200 36262 "https://website.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
193.151.188.114 - - [02/Feb/2021:13:09:33 +0100] "GET /css/v.11.css HTTP/1.1" 200 44582 "https://website.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
193.151.188.114 - - [02/Feb/2021:13:09:34 +0100] "GET /js/bootstrap.v.11.js HTTP/1.1" 200 52279 "https://website.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
193.151.188.114 - - [02/Feb/2021:13:09:35 +0100] "GET / HTTP/1.1" 200 4992 "-" "Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 Firefox/52.0"
193.151.188.114 - - [02/Feb/2021:13:09:36 +0100] "GET / HTTP/1.1" 200 4992 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0"
193.151.188.114 - - [02/Feb/2021:13:09:36 +0100] "GET / HTTP/1.1" 200 4992 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0"

There are a lot of different IPs, and what seem like very old Firefox versions 56 and/or 52, even from the same IP address. This traffic is increasing from day to day and at the moment creates about 7 GB per day. The server is working as normal at the moment.

What could be the reason? Is there any way to prevent this?

Best regards.

Index
  • 147
  • 5

1 Answer

0

The Internet is full of scanner robots that scan your server for vulnerable URLs. If you are confident in your security, you can ignore them. You can also set up a Web Application Firewall that bans an IP after N suspicious scans.

Another possibility is that you inherited an IP that was previously used by another web server and clients are still trying the old website. (You can check that in the Host header.)

exeral
  • 1,787
  • 11
  • 21
  • It does not seem like a scanner. There are about 1500 IPs that are doing the same. Just going to the main domain page and downloading 3 additional resources (2 JS, 1 CSS) which belong to my site. The URLs themselves are not suspicious. I would say that the User Agent is suspicious, and the activity itself. The thing is that the traffic is increasing each day; even though the server now handles those requests without any issue, at some point it may not. – Index Feb 02 '21 at 14:35
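
One way to quantify the pattern described in the question and the comment (many IPs, rotating old Firefox user agents, no image requests) from the nginx access log. This is an added example, not code from the question or the answer. The Firefox version threshold, the image extension list and the two sample lines for 203.0.113.7 are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# nginx "combined" format: ip - user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
FIREFOX_RE = re.compile(r'Firefox/(\d+)')
IMAGE_EXT = ('.png', '.jpg', '.jpeg', '.gif', '.svg', '.webp', '.ico')  # assumption
OLD_FIREFOX_MAX = 56  # assumption: highest version seen in the question's log excerpt

def summarize(lines):
    """Aggregate per-IP request count, bytes sent, user agents and image fetches."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0, "uas": set(), "images": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        s = stats[m["ip"]]
        s["requests"] += 1
        s["bytes"] += int(m["bytes"])
        s["uas"].add(m["ua"])
        if m["path"].split("?")[0].lower().endswith(IMAGE_EXT):
            s["images"] += 1
    return stats

def suspicious_ips(stats, min_uas=2):
    """IPs that present several old-Firefox user agents and never load an image."""
    flagged = []
    for ip, s in stats.items():
        versions = [FIREFOX_RE.search(ua) for ua in s["uas"]]
        all_old = all(v and int(v.group(1)) <= OLD_FIREFOX_MAX for v in versions)
        if len(s["uas"]) >= min_uas and all_old and s["images"] == 0:
            flagged.append(ip)
    return sorted(flagged)

# First four lines are from the question; the 203.0.113.7 lines are constructed.
SAMPLE = [
    '193.151.188.114 - - [02/Feb/2021:13:09:32 +0100] "GET / HTTP/1.1" 200 4992 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"',
    '193.151.188.114 - - [02/Feb/2021:13:09:33 +0100] "GET /js/jq.v.11.js HTTP/1.1" 200 36262 "https://website.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"',
    '193.151.188.114 - - [02/Feb/2021:13:09:35 +0100] "GET / HTTP/1.1" 200 4992 "-" "Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 Firefox/52.0"',
    '193.151.188.114 - - [02/Feb/2021:13:09:36 +0100] "GET / HTTP/1.1" 200 4992 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0"',
    '203.0.113.7 - - [02/Feb/2021:13:10:01 +0100] "GET / HTTP/1.1" 200 4992 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0"',
    '203.0.113.7 - - [02/Feb/2021:13:10:02 +0100] "GET /img/logo.png HTTP/1.1" 200 1200 "https://website.com/" "Mozilla/5.0 (X11; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0"',
]

if __name__ == "__main__":
    print(suspicious_ips(summarize(SAMPLE)))
```

Run over the full access log, the per-IP byte totals show how much of the daily traffic the flagged addresses account for, and the flagged list can feed the ban-after-N approach mentioned in the answer.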