Bandwidth Crazyness

I’ve recently deployed a website on behalf on a client with Netlify. It’s not the most complex of sites but within a few days I’ve seen bandwidth use of 466.7 GB :astonished:

The website is www.apexauctions.com (please don’t all visit :laughing: ). Is there any way to tell why bandwidth usage is so high? - Is there any way netlify can advise on the cause?

Hey there, @TheJuniperStudio :wave:

thanks for reaching out about this. I wanted to assure you that our team is looking into this. A member of the Support Team will follow up once we have more information for you.

Thanks for your patience!

1 Like

Thanks for your patience while we researched! What we found is that one “type” of page on your site used 400Gb of bandwidth on its own. Here are the top 3 paths (with query string parameters stripped) on your site, with the associated sum of “bytes sent by netlify in the past week” as the number next to them:

You can see that the /auction-us/timed/items path soaked it all up.

While we looked, we saw that you had almost 9 million unique URL’s from your site during this time period - many of those item pages with different query params.

The traffic is pretty steady over the entire week, so we dug in a bit more and it seems like a handful of IP addresses are creating most of the traffic. Do you have any intended automated systems that should be accessing / scraping your site in that way?

I’ve spoken with the client and they have no internal or paid for intended scrapers that should be doing anything to the site.

Are the IP addresses available to view in Netlify Analytics? Or can you send me a list of the handful?

Is there a way with Netlify to block IPs from using all my damn bandwidth :sob:

Hi @TheJuniperStudio

We’re not able to provide the list of IPs due to GDPR and data protection policies.

But you could use Edge Functions to manage access to your site through Edge Functions.

We have an example that filters out traffic by IP. Checkout this thread.

You could then store each IP on a database and if a specific IP accesses too many times, you can simply block them.

Did that made sense?

2 Likes

I’ve used Netlify Edge functions to start logging the IP addresses causing concern. Is there a recommended way of blocking their access to the site by the Netlify team?

or is is just a case of -
if BAD-IP return new Response(‘Permission Denied: IP Logged’)

Will logging all these IP’s using edge functions cost more?

You can return something like that, assuming you know which IP to block. Take a look at this example for localized content (based on Geographic location, but you get the gist):

As for costs, Edge Functions you can check the costs for them on our Pricing Page.

Just out of curiosity, how have you been able to assess which IPs are causing concern? Do you mind sharing your logic behind this?

Thank you!

To log the IP addresses I did…

import { Context } from 'netlify:edge'

export default async (req: Request, context: Context) => {
  context.log('💻', context.ip || 'No IP')
  context.log('🌎', context.geo || 'No GEO')

  return new Response('Permission Denied: IP Logged')
}

These logs then appeared in the netlify edge logs in the Netlify dashboard.
It looks as though 1 particular IP address is spamming my website ten times every second :sob:

I’ve now changed my logging to…

import { Context } from 'netlify:edge'

export default async (req: Request, context: Context) => {
  context.log('💻', context.ip || 'No IP')

  const IPs = [...list of ips...]

  if (IPs.includes(context.ip)) {
    return new Response('Permission Denied: IP Logged')
  } else {
    context.log('🔗', req.url)
    context.log('🌎', context.geo || 'No GEO')
    return new Response('NEW: IP Logged')
  }
}

I’ have started by trying to block the IP address in Cloudflare. It’s only been 20 mins or so and at the moment the IP is still getting through with no problem, hopefully, Clouldfare will kick in soon.

So blocking this particular IP using Cloudflare doesn’t work.
I’ve tried IP Address, User Agent, Referrer, x-forwarded-for, cookie… nothing seems to work.
It’s not blocking them at all, but then Cloudflare itself isn’t actually reporting this IP coming through at all. So does this mean something is requesting the site via a server/my own IP?

The IP I’m seeing is 97.126.2.172 and the x-forwarded-for is 97.126.2.172,54.151.57.158,34.96.71.218

any help on how to resolve this would be amazing. At this rate I’ll have used all my edge function requests in a week.

OK, we can’t speak to how Cloudflare works; you’ll have to speak to their tech support about it.

What I do know is this:

When this bad actor connects to Cloudflare (as they will do if you set Cloudflare to proxy to us), Cloudflare talks to their browser, not us. Cloudflare terminates the connection. Then, only Cloudflare talks to netlify, and if you block cloudflare’s CDN nodes’ IP addresses at Netlify, your site will not work since we will not serve traffic to them and thus they will not serve traffic to your visitors.

You should not use x-forwarded-for HTTP header to see what IP connected to us, it is something we use internally. Here’s how you can tell what is connecting to you:

  1. In a Netlify edge function, you’ll use context.ip
  2. In a Netlify lambda function, you’ll use the HTTP request header x-nf-client-connection-ip which will have just the IP that connected to our CDN.

Hopefully that helps you get things blocked!

Appreciate you can’t comment on the Cloudflare service but just want to step through my process here in case I’m doing something odd…

  • At the start we used Cloudflare but DNS only, so there was no proxy.
  • We noticed a huge spike in bandwidth use
  • We used Netlify edge functions to log the context.ip (97.126.2.172)
  • We then switched Cloudflare to proxy and added the IP to Cloudflare’s firewall to block (as well as another smaller IP we spotted)
  • Cloudflare does not register any blocks on the IP at all (however does register blocks on the smaller IP)
  • The Netlify Edge function still reports the IP 97.126.2.172 hitting our site around 10 times a second - which seems strange as we now proxy.

So if the context-ip is correct, is there a way I can ban this through Netlify without using up all my edge function calls?
Also how is it possible this IP still hits the netlify edge function when we proxy through Cloudflare yet Cloudflare has no knowledge of the IP ever hitting our site? Could the spammer be calling the server direct not through the DNS?

Looking for any ideas or solutions from the community/Netlify here to help.

Thought process makes sense to me!

Except that you can’t proxy sitename.netlify.app in case they are connecting directly to that hostname, but I also can’t see them connecting to us at all since wednesday. I also see them connecting ONLY to your site, so I have asked our SRE team to block them. We usually don’t do this since this block affects all customers, but I appreciate the amount of thought and effort you’ve put into trying on your own to resolve this so I asked for an exception.

I don’t know how it could be hitting the edge function still, to be honest, but I also don’t see that happening in our logs…

I expect our SRE team will get to putting in the block next week which will be effective at blocking access to any hostname :slight_smile:

1 Like

Thank you so much for all your help @fool @gualter and @hillary

Exceptional service and support by Netlify as always.

2 Likes

FYI: Just got that IP blocked at our CDN edge for you.

1 Like