CloudFlare Analytics Empty Requests in Content Breakdown
Recently, there's been an influx of "traffic" that I'm getting and the content breakdown, according to CloudFlare's analytics, is "empty". According to CF, it means "there was either no content type header or the content header was empty."
I'm wondering how this happens. Is someone making DNS requests and then not doing anything after that? Are they trying to establish a TCP connection to the site and then dropping it without the proper response? I don't think this traffic is hitting my web server because I don't see it in the web server logs. Is there any way to block these IPs or at least see these IPs that are causing the "empty" response from CF?
Comments
Does it matter much if CF is dealing with it?
I'd like to know why it's happening more than anything. Today I nearly got 700k empty responses.
Port scan perhaps? It'll happen somewhere in between connect() and the client not sending a properly formed HTTP request, i.e. probably nothing sent. You would probably see it in your web server's error log if the request was direct to you.
Are you running Apache? The slowloris denial of service works with similar behaviour, apparently. As ishaq says, probably not worth thinking about too much if CF is dealing with it for you.
700k is large, sounds like a botnet. Do you have the option to contact CF support?
I'm running nginx. Maybe CF only forwards "valid" HTTP requests? I suspect it's some sort of botched HTTP connection as well.
Sounds like your service won't be affected then. That's a lot of requests though.
If it's indeed something like slowloris and targeted to you, pretty dumb as it's ineffective (not sure if they can even verify if the requests are making their way to your server). I've never used CF so unsure how co-operative their UI and support will be.
Have a lot of empty requests when L7-attacks come in.
Example:
Gosh tr1cky stop ddosing cloudflare with l7 attacks.
I usually don't DDoS myself. Just noticed this, somebody probably tried to take down one of my sites yesterday.
Ohh so then we can infer you ddos others? Lovely....
Mine doesn't look like that, the orange line remains at the expected, constant value.
Only 700k responses? Well, this is what I've been dealing with the past few days:
When you get attacked, the number of cache requests goes up dramatically, mine doesn't look like that.
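For traffic that does reach an origin directly, the connections described earlier in the thread (a connect() followed by no well-formed HTTP request) can be counted per client address from the access log. The following is an added example, not code from any poster: it assumes nginx's default "combined" log format and that such connections are recorded with an empty or "-" request field; the log lines and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in nginx's default "combined" access-log format.
# Addresses are RFC 5737 documentation ranges; none come from the thread.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2014:10:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2014:10:00:02 +0000] "-" 400 0 "-" "-"
203.0.113.9 - - [12/Mar/2014:10:00:02 +0000] "-" 408 0 "-" "-"
203.0.113.44 - - [12/Mar/2014:10:00:03 +0000] "-" 400 0 "-" "-"
198.51.100.7 - - [12/Mar/2014:10:00:04 +0000] "GET /style.css HTTP/1.1" 200 1024 "http://example.com/" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2014:10:00:05 +0000] "" 400 0 "-" "-"
this line is not in combined format
"""

# ip, ident, user, [time], "request", status, bytes (referer and agent ignored)
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def empty_request_counts(log_text):
    """Return (Counter of client IP -> empty-request count, unparsable line count)."""
    counts, skipped = Counter(), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue  # ignore blank lines
        m = LINE_RE.match(line)
        if not m:
            skipped += 1  # malformed or different log format
            continue
        # Assumption: a connection that sent no request line is logged
        # with the request field empty or as "-".
        if m.group("request").strip() in ("", "-"):
            counts[m.group("ip")] += 1
    return counts, skipped


if __name__ == "__main__":
    counts, skipped = empty_request_counts(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip}\t{n} empty requests")
    print(f"{skipped} line(s) could not be parsed")
```

Behind a proxy such as CloudFlare the logged address is the proxy's edge unless the server is configured to restore the client address, so the per-IP counts are only meaningful for direct connections or with that configuration in place.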