Description
A GET for a page that has typical content should result in multiple subsequent GETs for images, CSS and JavaScript files. Malicious traffic often performs a GET but doesn't follow up with expected subsequent requests for the page's assets.
I believe a general rule should be:
- If a GET is logged, save the client IP address.
- Check for subsequent GETs within a certain number of seconds (3 - 5 should be sufficient).
- Possibly be more complex and determine if those subsequent GETs are .css, .jpg, .js, .png, .jpeg, .gif, .webp, .svg, .ico and possibly more.
- Ban the IP, or mark it for observation to see if a second violation happens in a certain window of time.
I've seen thousands of requests DDoS a website using this method. The user agent strings looked perfect, and the traffic was undetectable in every other way, but could have been marked as suspicious based on a complete lack of supporting assets being requested like organic, human traffic would have done.
Example Suspicious Traffic
Hundreds of requests per minute were coming in for random pages on a website. Perhaps 20 - 30 IP addresses were associated with these requests. The one odd characteristic was that if a real user accessed those same pages, there would be 3 - 5 subsequent GET requests for JavaScript, CSS, and image assets, all within a few seconds.
The malicious traffic seemed to GET a URL, have the full size of the page transferred to it (below, 82112 bytes), but there were never subsequent GETs:
www.redacted.org 2.2.2.2 - - [20/Sep/2025:21:39:59 +0000] "GET /nope/yes-a-real-page/ HTTP/1.1" 200 82112 "https://www.redacted.org/nope/yes-a-real-page/" "Mozilla/5.0 (Linux; Android 8.0.0; BND-L24) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36"
Concerns
There would be a concern if the page that was requested just didn't have those kinds of assets on it, so it would trigger a false positive.
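An added example, not code from this issue or from the project, that implements the rule above over constructed log lines in the format of the request quoted under Example Suspicious Traffic: it groups GETs by client IP, counts page GETs with no asset GET from the same IP inside the window, and only lists an IP for banning on a second violation, so a single one is observation only. The vhost, paths and IPs in the sample are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format with a leading vhost field, as in the log line quoted in the issue.
LOG_RE = re.compile(r'^\S+ (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')
ASSET_EXTS = (".css", ".js", ".jpg", ".jpeg", ".png", ".gif", ".webp", ".svg", ".ico")

def parse(line):  # -> (ip, timestamp, method, path without query string) or None
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0]
def is_asset(path):
    return path.lower().endswith(ASSET_EXTS)

def find_orphan_page_gets(lines, window_s=5):
    """Map IP -> number of page GETs with no asset GET from that IP within window_s seconds."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[2] == "GET":
            by_ip[rec[0]].append(rec)
    violations = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r[1])
        count = 0
        for i, (_, ts, _, path) in enumerate(recs):
            if is_asset(path):
                continue  # only page GETs are expected to pull assets behind them
            followed = any(is_asset(p) and (t - ts).total_seconds() <= window_s
                           for _, t, _, p in recs[i + 1:])
            count += 0 if followed else 1
        if count:
            violations[ip] = count
    return violations

def ips_to_ban(lines, window_s=5, threshold=2):
    # One orphan page GET only marks the IP for observation; a repeat crosses the threshold.
    return sorted(ip for ip, n in find_orphan_page_gets(lines, window_s).items() if n >= threshold)
def _line(ip, ts, path):  # constructed sample line in the issue's log format (vhost is made up)
    return f'www.example.org {ip} - - [{ts}] "GET {path} HTTP/1.1" 200 82112 "-" "Mozilla/5.0"'

SAMPLE_LOG = [  # constructed: one human visit, one asset-less client, one single-violation IP
    _line("1.1.1.1", "20/Sep/2025:21:39:59 +0000", "/real-page/"),
    _line("1.1.1.1", "20/Sep/2025:21:40:00 +0000", "/static/app.css?v=3"),
    _line("2.2.2.2", "20/Sep/2025:21:39:59 +0000", "/nope/yes-a-real-page/"),
    _line("2.2.2.2", "20/Sep/2025:21:40:30 +0000", "/another-page/"),
    _line("3.3.3.3", "20/Sep/2025:21:41:00 +0000", "/lonely-page/"),
]
```

Running `ips_to_ban(SAMPLE_LOG)` yields only `2.2.2.2`; `3.3.3.3` has one violation and stays under observation, which is also where a page that genuinely has no assets would land on its first hit.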