
App gets a lot of requests from the same IP in one second, looks like an attack


My MERN app is hosted on Heroku. I see a lot of requests running in the console (heroku logs --tail) in the same second; they look automated.

The requests have weird things inside. An example is path="/get-spot-by-type-key?key=ifIJnFkezs2v4X**.php**&type=business". The "if" and "php" are something we don't usually have. All requests are from the same fwd.

How to block them?


Solution

  • Looks like you are being scanned by some attack proxy. There is no easy solution for it, I believe. Or better to say - the solutions may have side effects. You can:

    1. Blacklist the IP address accessing your resources. PRO: easy. CONS: it is easy for an attacker to switch to some other IP via proxy/Tor, and you can exclude some valid users this way.
    2. Blacklist the payload or parts of it. Since this is a scan, the payload will change all the time, so this will be lots of futile work.

    If your website offers resources to authenticated users only - blacklist the user. (OK, this might actually be quite simple, but it works only under certain conditions.)

    There are other solutions you may want to use, like showing users a CAPTCHA when you recognize unusual traffic, but they require a bit of implementation effort.

    Also, you may want to consider hiding your server behind Cloudflare or similar and letting someone else handle the security response.
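
The burst pattern from the question (many requests from one forwarded address within the same second) can also be throttled inside the app. The following is an added example, not code from the original question or answer. It assumes an Express-style middleware signature and that the platform router appends the connecting address as the last X-Forwarded-For entry; the names `burstLimiter` and `clientIp` and all thresholds are hypothetical.

```javascript
// Added example: per-client burst limiter with a temporary block.
// Express-compatible (req, res, next) signature, no dependencies.
function clientIp(req) {
  // Assumption: the platform router appends the connecting address as the
  // last X-Forwarded-For entry; earlier entries are client-supplied.
  const parts = String(req.headers['x-forwarded-for'] || '')
    .split(',').map((s) => s.trim()).filter(Boolean);
  if (parts.length) return parts[parts.length - 1];
  return (req.socket && req.socket.remoteAddress) || 'unknown';
}

function reject(res, retryMs) {
  res.statusCode = 429;
  res.setHeader('Retry-After', String(Math.ceil(retryMs / 1000)));
  res.end('Too Many Requests');
}

// Hypothetical thresholds: more than `max` hits inside `windowMs` blocks the
// address for `blockMs`. `now` is injectable so the logic can be tested.
function burstLimiter({ windowMs = 1000, max = 10, blockMs = 60000,
                        maxTracked = 10000, now = Date.now } = {}) {
  const hits = new Map();    // ip -> timestamps inside the current window
  const blocked = new Map(); // ip -> time at which the block expires
  return function limiter(req, res, next) {
    const ip = clientIp(req);
    const t = now();
    if (hits.size + blocked.size > maxTracked) { // bound memory: drop stale state
      for (const [k, v] of hits) if (t - v[v.length - 1] >= windowMs) hits.delete(k);
      for (const [k, until] of blocked) if (t >= until) blocked.delete(k);
    }
    const until = blocked.get(ip);
    if (until !== undefined) {
      if (t < until) return reject(res, until - t);
      blocked.delete(ip);
    }
    const recent = (hits.get(ip) || []).filter((ts) => t - ts < windowMs);
    recent.push(t);
    hits.set(ip, recent);
    if (recent.length > max) {
      hits.delete(ip);
      blocked.set(ip, t + blockMs);
      return reject(res, blockMs);
    }
    next();
  };
}

// Usage in an Express app (constructed): app.use(burstLimiter({ max: 20 }));
```

State is held in memory per process, so with several dynos each instance counts separately, and legitimate users behind a shared address are throttled together.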