I've been dealing with unwanted traffic hitting my web servers, and it's all coming from Microsoft IP addresses. When I block one IP, they just switch to another (I feel like they're hopping around since Microsoft owns so many IPs). This traffic doesn't resemble what a Bing bot would do, so I'm really puzzled. For example, I've noticed many requests returning 404 errors, but they come through rapidly enough that it feels like a denial-of-service issue. I'm curious if anyone knows more about what this traffic could be or how to effectively manage it without blocking massive ranges of IPs.
4 Answers
Yikes, that's around 5 requests every second! Honestly, at that rate, you might want to consider a service like Cloudflare to filter out the bots. They can really help manage traffic and improve your server's resilience against these types of attacks.
The 404s you're seeing are definitely from the block list I set up. Before I started blocking, it was way worse!
This traffic looks suspiciously like DNS requests, or could it be a wrong proxy configuration redirecting requests to you? Just a thought, but I'll be following this thread to learn more!
Nope, looks like it's a misconfigured proxy to me. Definitely something to investigate!
You might want to add something like mod_qos to your setup. This could help prevent this kind of flood from happening.
Checked out the IP and it seems like someone might be using Microsoft Azure for bulk scanning. It definitely sounds like there's some malicious activity going on here. Good luck getting that sorted out!
Yeah, I wouldn't be surprised if Microsoft cracks down on whoever is dragging their IP reputation through the mud.

Maybe you should check if your web server is super low-spec or something? It sounds like a lot of requests for just one instance.
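One way to see the address hopping described in the question and to size a block narrowly, as an added example that is not part of the original thread: it groups access-log requests by source prefix and flags prefixes whose request rate and 404 share are both high. The Common/Combined Log Format, the /24 and /64 grouping, the thresholds and the sample lines (documentation address ranges) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Common/Combined Log Format prefix: ip ident user [time] "request" status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')

def parse(line):
    """Return (ip, timestamp, status), or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ip = ip_address(m.group(1))
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:  # hostname instead of an address, or an odd timestamp
        return None
    return ip, ts, int(m.group(3))

def noisy_prefixes(lines, v4_len=24, v6_len=64, min_rate=5.0, min_404=0.8):
    """Flag prefixes by average rate (inclusive seconds) and 404 share; pass a recent log slice."""
    stats = defaultdict(lambda: {"ips": set(), "hits": 0, "n404": 0, "times": []})
    for ip, ts, status in filter(None, map(parse, lines)):
        plen = v4_len if ip.version == 4 else v6_len
        s = stats[ip_network(f"{ip}/{plen}", strict=False)]
        s["ips"].add(ip)
        s["hits"] += 1
        s["n404"] += status == 404
        s["times"].append(ts)
    flagged = []
    for net, s in stats.items():
        seconds = (max(s["times"]) - min(s["times"])).total_seconds() + 1
        rate, share = s["hits"] / seconds, s["n404"] / s["hits"]
        if rate >= min_rate and share >= min_404:
            flagged.append((str(net), len(s["ips"]), s["hits"], rate, share))
    return sorted(flagged, key=lambda row: -row[3])

# Constructed sample: 20 requests in 4 s rotating over 4 addresses, plus one normal client.
SAMPLE = [
    f'203.0.113.{10 + i % 4} - - [01/Jan/2024:12:00:{i // 5:02d} +0000] "GET /x{i} HTTP/1.1" 404 153 "-" "-"'
    for i in range(20)
] + [
    f'198.51.100.7 - - [01/Jan/2024:12:00:{s:02d} +0000] "GET / HTTP/1.1" 200 5120 "-" "-"'
    for s in (0, 2, 4)
]

if __name__ == "__main__":
    for row in noisy_prefixes(SAMPLE):
        print("%s ips=%d hits=%d rate=%.1f/s 404=%.0f%%" % (*row[:4], row[4] * 100))
```

A flagged prefix with several distinct addresses is a candidate for a rate limit or a narrow block on that prefix alone, rather than on a provider's whole allocation.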