0

We have just deployed a new ASP.NET site on an IIS server. Now we have started receiving a lot of requests with a header

Amazon+Route+53+Health+Check+Service;+ref:<code>;+report+http://amzn.to/1vsZADi

We haven't set up any health checks and we are not using Amazon services at all. Interestingly, all requests are not to the domain but to the IP.

We have filed a request to stop these checks here https://aws.amazon.com/forms/route53-unwanted-healthchecks and are now waiting for the response.

Our initial thought was to send 403 when the user agent matches Amazon+Route+53+Health+Check+Service string. But it seems that wouldn't stop the checks: http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/health-checks-creating.html

Has anyone else experienced this? Is there any way to stop these requests?

Edit 1: So far (10 days) no response from Amazon and health checks are still coming in. I will try to block the IP ranges (see the answer below) to see where it is going to blow.

mai
  • You could ask the upstream provider to drop them, but there is quite a range of IPs that perform the check. For some reason Amazon don't require any domain validation for webchecks – Drifter104 Feb 11 '16 at 11:40
  • Yes, I just checked. Out of 10 requests 8 came from different IPs – mai Feb 11 '16 at 11:50

2 Answers

2

I have every confidence that AWS will respond to your request and remove the checks. Clearly a provider that builds in a reporting mechanism to the requests isn't interested in not clearing things up.

Yes, you should configure your site to respond with a failure, but the reason is primarily because that will probably trigger an investigation by whoever inadvertently configured them against your IP address, when the checks start failing. They're used to remove systems from DNS when the system is not healthy.

If you want to block them by IP ranges, those ranges are public information. Find the CIDR blocks from the JSON file that is freely downloadable from the link below, tagged ROUTE53_HEALTHCHECKS. You should find all of the requests are coming from this range.

http://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html

You might also take this opportunity to investigate why your application is so vulnerable to being DDoS'ed by such a relatively small amount of traffic, if that is really occurring... although I suspect from the question that you don't literally mean that it's taking your server down, but rather that you are seeing a significant amount of unexpected traffic from multiple source addresses, as would also occur in a genuine DDoS attack.

Michael - sqlbot
  • I was a bit unclear. You are right - we are not ddosed. It's just the annoying traffic. – mai Feb 22 '16 at 11:16
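
The filtering step from the answer above (select the ROUTE53_HEALTHCHECKS entries from the ip-ranges JSON, then match request sources against them), as an added example that is not part of the original answer. The JSON excerpt and the request list are constructed samples using documentation address ranges, and the function names are hypothetical.

```python
import ipaddress
import json

# Constructed excerpt in the layout of AWS's published ip-ranges.json.
# The prefixes are documentation ranges (RFC 5737 / RFC 3849), not real AWS ranges.
SAMPLE_IP_RANGES = json.loads("""
{
  "prefixes": [
    {"ip_prefix": "192.0.2.0/26", "region": "us-east-1", "service": "ROUTE53_HEALTHCHECKS"},
    {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "203.0.113.64/26", "region": "eu-west-1", "service": "ROUTE53_HEALTHCHECKS"}
  ],
  "ipv6_prefixes": [{"ipv6_prefix": "2001:db8:100::/48", "region": "us-east-1", "service": "ROUTE53_HEALTHCHECKS"}]
}
""")

# Constructed (client IP, User-Agent) pairs as they would be pulled from an IIS W3C log.
UA = "Amazon+Route+53+Health+Check+Service;+ref:<code>;+report+http://amzn.to/1vsZADi"
SAMPLE_REQUESTS = [
    ("192.0.2.17", UA),
    ("203.0.113.70", UA),
    ("198.51.100.9", UA),  # sends the UA but is outside the health-check ranges
    ("192.0.2.200", "Mozilla/5.0"),
]

def healthcheck_networks(ip_ranges, service="ROUTE53_HEALTHCHECKS"):
    """Return the IPv4 and IPv6 networks tagged with the given service."""
    nets = []
    for entry in ip_ranges.get("prefixes", []) + ip_ranges.get("ipv6_prefixes", []):
        if entry.get("service") == service:
            cidr = entry.get("ip_prefix") or entry.get("ipv6_prefix")
            nets.append(ipaddress.ip_network(cidr))
    return nets

def classify(requests, nets):
    """Label each request 'healthcheck', 'ua-only' (UA sent, IP not listed) or 'other'."""
    result = []
    for ip, ua in requests:
        addr = ipaddress.ip_address(ip)
        # Membership is simply False when the address and network versions differ.
        in_range = any(addr in net for net in nets)
        claims_ua = ua.startswith("Amazon+Route+53+Health+Check+Service")
        label = "healthcheck" if claims_ua and in_range else "ua-only" if claims_ua else "other"
        result.append((ip, label))
    return result

if __name__ == "__main__":
    for row in classify(SAMPLE_REQUESTS, healthcheck_networks(SAMPLE_IP_RANGES)):
        print(*row)
```

The list returned by `healthcheck_networks` is what would go into an IP block rule; the `ua-only` label marks requests that send the health-check User-Agent from an address outside the published ranges.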
1

tl;dr It was CloudFlare that was creating Health Check requests.


As suggested in the answer above, I blocked all requests for Amazon Health Check IP ranges and set to return 404 instead.

The logs, however, now indicated that 302 code was returned (previously it was 200). It seemed that a cached version of the site was being displayed. After a while, I realised that all our domains are managed through CloudFlare and for some reason this domain was set to be "accelerated and protected by CloudFlare".

The solution was to disable CloudFlare for this particular domain in CloudFlare DNS settings and all Health Check requests have stopped.

Now that we are aware that CloudFlare uses Amazon for Health Checks, we have enabled CloudFlare again.

mai