CloudFlare Analytics Empty Requests in Content Breakdown

black Member

Recently, there's been an influx of "traffic" that I'm getting and the content breakdown, according to Cloudflare's analytics, is "empty". According to CF, it means "there was either no content type header or the content header was empty."

I'm wondering how this happens. Is someone making DNS requests and then not doing anything after that? Are they trying to establish a TCP connection to the site and then dropping it without the proper response? I don't think this traffic is hitting my web server because I don't see it in the web server logs. Is there any way to block these IPs or at least see these IPs that are causing the "empty" response from CF?

Comments

  • Ishaq Member

    Does it matter much if CF is dealing with it?

  • black Member

    I'd like to know why it's happening more than anything. Today I nearly got 700k empty responses.

  • Port scan perhaps? It'll happen somewhere in between connect() and the client not sending a properly formed HTTP request, i.e. probably nothing sent. You would probably see it in your web server's error log if the request was direct to you.

    Are you running Apache? The slowloris denial of service works with similar behaviour, apparently. As ishaq says, probably not worth thinking about too much if CF is dealing with it for you.
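
The check suggested above for traffic that reaches a web server directly, as an added example that is not part of the original thread: it tallies client IPs whose access-log entries carry no request line. The log lines are constructed, and the example assumes nginx's default "combined" log format and that such connections are logged with "-" (or an empty string) as the request; the function name is hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in nginx's default "combined" format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2016:10:00:01 +0000] "-" 400 0 "-" "-"
198.51.100.7 - - [12/Mar/2016:10:00:02 +0000] "-" 408 0 "-" "-"
203.0.113.9 - - [12/Mar/2016:10:00:02 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2016:10:00:03 +0000] "-" 400 0 "-" "-"
192.0.2.44 - - [12/Mar/2016:10:00:04 +0000] "" 400 0 "-" "-"
203.0.113.9 - - [12/Mar/2016:10:00:05 +0000] "GET /a.css HTTP/1.1" 200 90 "-" "Mozilla/5.0"
this line is truncated
"""

# client IP, ident, user, [timestamp], "request line", status, body bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def empty_request_clients(log_text, min_hits=1):
    """Return (Counter of client IP -> empty-request count, unparsed line count)."""
    hits, unparsed = Counter(), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            # Keep count of lines we could not read instead of silently dropping them.
            unparsed += 1
            continue
        # Assumption: a connection that never sent a request line is logged
        # with "-" or "" in the request field.
        if m.group("req").strip() in ("", "-"):
            hits[m.group("ip")] += 1
    kept = Counter({ip: n for ip, n in hits.items() if n >= min_hits})
    return kept, unparsed


if __name__ == "__main__":
    clients, unparsed = empty_request_clients(SAMPLE_LOG)
    for ip, n in clients.most_common():
        print(f"{ip}\t{n}")
    print(f"unparsed lines: {unparsed}")
```

Behind a proxy such as Cloudflare, the first field is the proxy's address unless the server is configured to restore the client address, so the tally is only meaningful for direct connections or with that restoration in place.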

  • Ishaq Member

    700k is large, sounds like a botnet. Do you have the option to contact CF support?

  • black Member

    ricardo said: Are you running Apache? The slowloris denial of service works with similar behaviour, apparently.

    I'm running nginx. Maybe CF only forwards "valid" HTTP requests? I suspect it's some sort of botched HTTP connection as well.

  • Sounds like your service won't be affected then. That's a lot of requests though.

    If it's indeed something like slowloris and targeted to you, pretty dumb as it's ineffective (not sure if they can even verify if the requests are making their way to your server). I've never used CF so unsure how co-operative their UI and support will be.

  • Have a lot of empty requests when L7-attacks come in.

    Example:

  • Mun Member

    Gosh tr1cky stop ddosing cloudflare with l7 attacks.

  • @Mun said:
    Gosh tr1cky stop ddosing cloudflare with l7 attacks.

    I usually don't DDoS myself. Just noticed this, somebody probably tried to take down one of my sites yesterday.

  • Mun Member

    @tr1cky said:
    I usually don't DDoS myself. Just noticed this, somebody probably tried to take down one of my sites yesterday.

    Ohh so then we can infer you ddos others? Lovely....

  • black Member

    Mine doesn't look like that, the orange line remains at the expected, constant value.

  • XPEric Member
    edited March 2016

    Only 700k responses? Well, this is what I've been dealing with the past few days:

  • black Member
    edited March 2016

    When you get attacked, the number of cache requests goes up dramatically, mine doesn't look like that.
