While checking the logs of my GAE Flask app, I noticed that from June 3rd through June 10th there was a spike in traffic, which is highly unusual for my website.
I checked the logs and found that the reason for that was 3 IP addresses:
I have posted the requests on a gist HERE for the last one with 1392 requests.
IPQualityScore says that this is a proxy based in Russia; actually, the 3 IPs in question are from the same data center, and IPQualityScore gives it a 99 Fraud Score, while Scamalytics shows nothing wrong, maybe because it is a VPN or something of the like.
According to the logs, the first request was at 2022-06-04T08:50:45 and the last in that time frame was at 2022-06-10T01:03:42, so it was not a DoS attack; the times between requests were as long as 46 minutes and as short as 1 second.
What was that? Was my site being attacked? Or maybe just someone playing penetration tester?
There were 1273 unique endpoints, as listed in the gist above; 98% of them returned a 404. As of today, 27+ days, my site has 486 hours of usage; during the time frame of these hits, it was 214.
That raised my bill by US$0.95, which is not much, but since I do not have traffic on my site I usually pay nothing for it. Of course, if I had more traffic, I wouldn't have noticed this.
It was only for close to 6 days; if it were to be more frequent, it would just be raising the bill for nothing.
How can you protect against this?
Best Regards
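
One way to pick this pattern (a few addresses requesting many distinct endpoints and mostly getting 404) out of request logs, as an added example that is not part of the original post. It assumes Common Log Format lines rather than the real GAE log schema; the sample lines, paths, addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Common Log Format (an assumption: real GAE
# request logs need their own field mapping). IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Jun/2022:08:50:45 +0000] "GET /missing-1.php HTTP/1.1" 404 0
203.0.113.7 - - [04/Jun/2022:08:50:46 +0000] "GET /missing-2 HTTP/1.1" 404 0
203.0.113.7 - - [04/Jun/2022:09:36:50 +0000] "GET /missing-3/a.php HTTP/1.1" 404 0
203.0.113.7 - - [05/Jun/2022:01:12:03 +0000] "GET /missing-4/ HTTP/1.1" 404 0
203.0.113.7 - - [05/Jun/2022:01:12:04 +0000] "GET / HTTP/1.1" 200 512
198.51.100.20 - - [04/Jun/2022:10:00:00 +0000] "GET / HTTP/1.1" 200 512
198.51.100.20 - - [04/Jun/2022:10:00:05 +0000] "GET /about HTTP/1.1" 200 300
198.51.100.20 - - [04/Jun/2022:10:00:09 +0000] "GET /favicon.ico HTTP/1.1" 404 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def summarize(log_text):
    """Per-IP request count, set of unique paths and number of 404 responses."""
    stats = defaultdict(lambda: {"requests": 0, "paths": set(), "not_found": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse instead of guessing
        ip, _method, path, status = m.groups()
        s = stats[ip]
        s["requests"] += 1
        s["paths"].add(path.split("?", 1)[0])  # ignore query strings
        s["not_found"] += status == "404"
    return stats

def flag_scanners(stats, min_requests=4, min_unique_paths=4, min_404_ratio=0.75):
    """IPs that hit many distinct paths and mostly got 404 (hypothetical thresholds)."""
    flagged = {}
    for ip, s in stats.items():
        ratio = s["not_found"] / s["requests"]
        if (s["requests"] >= min_requests
                and len(s["paths"]) >= min_unique_paths
                and ratio >= min_404_ratio):
            flagged[ip] = round(ratio, 2)
    return flagged

if __name__ == "__main__":
    for ip, ratio in flag_scanners(summarize(SAMPLE_LOG)).items():
        print(f"{ip}: 404 ratio {ratio}")
```

The thresholds are kept tiny so the constructed sample triggers them; against real logs they would be raised to match normal traffic. Flagged addresses are candidates for a deny rule in whatever firewall fronts the app.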