❓Would anyone have thoughts or ideas on what’s going on here? My Evergreen API is being hit with a high number of requests (currently up to ~80,000 requests a day) - a large portion of these are repeated requests being made to a very small number of apps: AdobeAcrobatReaderDC, Microsoft365Apps, CitrixWorkspaceApp. Repeated requests include requests from the same IP addresses within a short number of times (i.e. seconds). User agent is largely PowerShell. I’ll have to end up putting in throttling, because the Cloudflare Workers free tier includes up to 100,000 per day, and right now these types of request are making up the majority and they just don’t look right to me.

I’d implement rate limiting indeed, to limit the amount of similar requests per minute ( based on client ip and target URL, maybe even user-agent).

Sounds like a rogue admins script made it out to thousands of devices? I agree with Jan, rate limit. Or IP ban the user and they’ll soon make themselves known.

Given the spread of devices, it could be a multi-national with scripts on their devices. Blocking via IP is a bit of a challenge with the Cloudflare management console. I’ve seen a massive jump in the past 24 hours, hitting 200K requests, so I’ve taken to blocking via useragent until I get a better solution in place.

Out of curiosity, is the user-agent in your tool configurable? Where is it picked from?

If you use

Invoke-EvergreenApp

/

Get-EvergreenAppFromApi

including in the module, it uses a custom user agent. I’m only blocking the default PowerShell user agent, so I’m hoping that anyone who may use a custom user agent is going to be sending a legitimate request.

Aha! Good, and it is rotated/recreated on every request?

Couple of things, firstly, you’re a victim of your own success. Which is awesome. Secondly, I’m guessing a customer of yours has your script wired up to a non persistent pool as a startup script and they’re running it every time the VM is refreshed.

@Jan Tytgat not rotated, but it is updated with each module release