question

JonBrown-9572 asked BerndHesse-1550 commented

High traffic from Microsoft ASN

First, I apologize if this isn't being asked in the right place, I can't really find a good fit for where to ask this question. This is sort of a general question to see if anyone here has seen or has experience with anything similar to what I am seeing.

Over the last few weeks my company’s website has seen a huge surge in traffic, all from Microsoft’s ASN8075 network, and hundreds of different IPs. By huge, I mean 10x our normal traffic, nearly 100k requests per day which is enough to shut down our site. This traffic comes as a result of our daily newsletter to our customers and in nearly every case the URI query parameters have been re-written - the Google Analytics utm_ variables are all made into gibberish and, more annoying, the page= variable that is pretty necessary for our site to function properly has also been re-written, always to a similar nonsense string, for example instead of page=“Register” we see in the request logs page=“Vafgehd” or page=“Eftvfgfe”.

I suspect it’s some kind of automated link scanner - I have created a few firewall rules in Cloudflare to mitigate this - interestingly if I set the action of the firewall rule to JS Challenge it shows it gets solved nearly 30% of the time but if I change it to a CAPTCHA Challenge then the solved drops nearly zero.

I’m at a loss as to where this is suddenly coming from, whether I should be worried about it, and whether I should be allowing the traffic, filtering it or outright blocking it. Has anyone else ever seen this or have any ideas about what it is or how I should handle it? I know that about 80% of our customers use Microsoft for their email and security and, since the traffic is coming from Microsoft and from multiple IPs, I don't want to block anything that might be legitimate or make it inconvenient or difficult for our customers to get to our site.

azure-virtual-network

1 Answer

msrini-MSFT answered BerndHesse-1550 commented

JonBrown-9572, with the information you have provided, we will not be able to suggest any action at the moment. It would be better to raise a support ticket and share information such as the list of IPs from which you started receiving traffic and which MS services you are running in your environment, so this can be investigated further.


Seeing this randomly too in our Apache logs. Last occurrence was 2022-01-14 09:54:34:
Remote-IP: 51.107.43.35 ("AS8075 - Microsoft Corporation")
User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36"
GET /?cl=eftvfgfe&fnc=dbaavezEftvfgebgvba...
The parameter names exist, but the values are garbage (but at least "eftvfgfe" seems to be recurring).

Probably some proxy/VPN running on that ip that someone is using for automated scans...

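One way to triage this from the web server logs before opening the support ticket the answer suggests. This is an added example and not code from the question, the answer or the comment: it parses Apache combined-format lines, compares the values of the site's own parameters (page, cl, fnc) against an allow-list of values the site actually issues, and tallies per client IP how many requests carried values the site never emits, which is exactly the "rewritten parameter" symptom described in the question and in the comment's log entry. The sample log lines are constructed (the first mirrors the comment's truncated entry; the status codes, byte counts and every IP other than 51.107.43.35 are made up), and the allow-list KNOWN_VALUES is an assumption about the site.

```python
"""Triage for rewritten query parameters in web server logs.

Added example, not code from the thread.  Sample log lines are
constructed in Apache combined format to resemble the requests the
question and the comment describe; the allow-list of parameter values
and every IP except 51.107.43.35 (quoted in the comment) are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Apache combined log format:
#   ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption: the only values the site itself ever places in these
# parameters.  Anything else arrived rewritten (or was sent by a scanner).
KNOWN_VALUES = {
    "page": {"Register", "Login", "Home"},
    "cl": {"account"},
    "fnc": {"confirmRegistration", "login"},
}

# Constructed sample lines.  Line 1 mirrors the comment's entry (query
# string cut where the comment cut it); lines 3 and 4 carry the rewritten
# page= values quoted in the question.  Other IPs are documentation ranges.
SAMPLE_LOG = """\
51.107.43.35 - - [14/Jan/2022:09:54:34 +0000] "GET /?cl=eftvfgfe&fnc=dbaavezEftvfgebgvba HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36"
203.0.113.7 - - [14/Jan/2022:09:55:01 +0000] "GET /?page=Register&utm_source=newsletter HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
51.107.43.35 - - [14/Jan/2022:09:55:12 +0000] "GET /?page=Vafgehd&utm_source=arjfyrggre HTTP/1.1" 500 128 "-" "Mozilla/5.0"
40.77.167.12 - - [14/Jan/2022:09:56:03 +0000] "GET /?page=Eftvfgfe HTTP/1.1" 500 128 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Jan/2022:09:57:40 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    query = urlsplit(rec["target"]).query
    rec["params"] = dict(parse_qsl(query, keep_blank_values=True))
    return rec


def garbled_params(params):
    """Return (name, value) pairs whose value the site never issues.

    Parameters outside KNOWN_VALUES (e.g. utm_*) are ignored: they are
    free-form and cannot be validated against an allow-list.
    """
    return [
        (name, value)
        for name, value in params.items()
        if name in KNOWN_VALUES and value not in KNOWN_VALUES[name]
    ]


def summarise(log_text):
    """Per client IP: total requests, requests with garbled params, garbled values seen."""
    summary = defaultdict(lambda: {"requests": 0, "garbled": 0, "values": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:  # blank or malformed line: skip rather than abort the triage
            continue
        entry = summary[rec["ip"]]
        entry["requests"] += 1
        bad = garbled_params(rec["params"])
        if bad:
            entry["garbled"] += 1
            entry["values"].update(value for _, value in bad)
    return dict(summary)


def suspicious_ips(summary):
    """IPs worth an ASN lookup and a place in the support ticket, most garbled first."""
    return sorted(
        (ip for ip, e in summary.items() if e["garbled"] > 0),
        key=lambda ip: (-summary[ip]["garbled"], ip),
    )


if __name__ == "__main__":
    result = summarise(SAMPLE_LOG)
    for ip in suspicious_ips(result):
        e = result[ip]
        print(f"{ip}: {e['garbled']}/{e['requests']} requests garbled, "
              f"values={sorted(e['values'])}")
```

Run against the real access log instead of SAMPLE_LOG and the output is the per-IP list the answer asks for. Mapping each IP to its ASN (whois or a BGP lookup) is deliberately left outside the script, and the 203.0.113.7 entry shows why an allow-list rather than a blanket ASN block is the safer first rule: a legitimate newsletter click carries a known page= value and is not flagged, whichever network it comes from.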