You are probably under attack and you don’t even know it
If you have a public-facing resource on the internet (usually a web site) there is a high chance it gets scanned periodically by numerous bots. In fact, they might start doing this less than a minute after deployment. Security, he-he-he.
https://youtu.be/40SnEd1RWUU
How do I know? At Multify I host language translations for multiple clients. Essentially, I host separate domains which increases attack surface with each newly connected domain.
The service proxies all of the requests to upstream, transforming the site in the process. This includes every malicious request sent by a bot – effectively rendering my service as an attacker instead of the bot.
To combat this I use Crowdsec, which sits in front of the application, monitors and blocks requests from the malicious actors. And well... I got 120+ IPs malicious IPs rejected in the first 24 hours after the deployment. Majority of them are scanning for obvious vulnerabilities like .env and .htaccess. Oh, and lots of Wordpress paths of course.
To be fair, most of these are harmless each on their own. After all, none of my clients expose those sensitive files. However, the real problem this creates is not what you expect: it exhausts your resources.
Since I am a hosting provider (hosting site translations, but not the sites themselves), any disruption to my service can affect multiple clients. Server load and exhaustion of other resources (like proxies) are real. Here's upstream block rate over the last 4 days — peaks hit during evening hours when bot activity surges:
The graph that shows the number of times my service has been blocked by the upstream servers. This is inevitable—the only way I can handle this is to increase my proxy pool, which means I have to pay more. So in effect, bots you never invited are quietly draining your infrastructure. Fun.
Another interesting fact is that the majority of malicious traffic is HTTP probing:
The irony is that my clients never noticed any of this. There were no slowdowns or downtime. From their perspective the service just works. And that's exactly the goal of any system administrator.
You know that feeling when everything works perfectly and you start to think about that maybe you don't get much credit for it. Because literally nobody notices this. By design.