
Lots of traffic with query string ?ssp_iabi=1677XXXXXXXX

Discussion in 'System Administration' started by Brad393, Feb 23, 2023.

  1. Brad393

    Brad393 New Member

    Anyone else seeing a lot of traffic with a query string like ?ssp_iabi=XXXXXXXXXXXX where Xs are a bunch of numbers? Parameter is always "ssp_iabi". Anyone know what this is? SSP is supply-side platform so some ad-related thing run amok?

    I am seeing this across several unrelated WordPress sites hosted on different servers in different datacenters owned by different people so this is not some targeted DoS. They are in similar content areas but the most significant thing they have in common is they all have display advertising on them. Requesting IPs are all over the place including ones owned by Pinterest, Google, AWS, GoDaddy US and Europe, random smaller ASNs.

    There are at least a dozen user agents: Pinterestbot user agent goes back to Pinterest IPs on lookup, Google Mediapartners agent IPs go to Google LLC, many other smaller crawlers I have seen in logs before that trace back to AWS or GoDaddy or random smaller datacenters I haven't heard of. IPv4 and IPv6 addresses.


    It's just really strange they are all using the same parameter in a coordinated fashion but seem like they must be separate actors with what appear to be legit Google Mediapartners bot and Pinterestbot IPs. It must all be related to the advertising, but why are they all going nuts with the same parameter and loading hundreds of thousands of pages (multiple loads of same page but many different pages across sites) a day on some of these sites? Started 2/21 and load was greater today 2/22.
     
  2. eva2000

    eva2000 Administrator Staff Member

    Never seen that query string before. Any of your sites have Cloudflare in front of them? On CF paid plans? If so you can dig into Cloudflare Web and Security Analytics to get more details.
     
  3. Brad393

    Still seeing tons of traffic with this querystring. I had originally added it to the ignore list of my cache plugin and that cut the server load caused by it in half, but then the plugin was generating cache pages with that querystring and filling the disk.

    I got smart and used a Cloudflare transform rule to strip the querystring so it is treated just like any other request since I'm not ready to block the requests yet.
     
  4. eva2000

    Yup, easiest way. I have Cloudflare Transform rewrite URL requests for such querystring removable as well :) If you have a paid Cloudflare plan, also check you have your Cloudflare WAF Managed rules set up and enabled; some for query string handling aren't enabled by default.
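
Added example (not part of the original thread and not any poster's code): a Python sketch of the effect described in posts 3 and 4, where every distinct `ssp_iabi` value produces a separate cache entry until the parameter is stripped. The log lines, IPs (documentation ranges), user-agent names and the function names `normalize` and `analyze` are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

STRIP_PARAMS = {"ssp_iabi"}  # parameter name reported in the thread

# Constructed sample lines in nginx "combined" format; values are made up.
SAMPLE_LOG = '''\
192.0.2.10 - - [22/Feb/2023:10:00:01 +0000] "GET /recipes/pie/?ssp_iabi=1677000000001 HTTP/1.1" 200 5120 "-" "ExampleBot-A/1.0"
198.51.100.7 - - [22/Feb/2023:10:00:02 +0000] "GET /recipes/pie/?ssp_iabi=1677000000002 HTTP/1.1" 200 5120 "-" "ExampleBot-B/2.1"
2001:db8::5 - - [22/Feb/2023:10:00:03 +0000] "GET /recipes/pie/?page=2&ssp_iabi=1677000000003 HTTP/1.1" 200 4096 "-" "ExampleBot-A/1.0"
203.0.113.4 - - [22/Feb/2023:10:00:04 +0000] "GET /recipes/pie/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
'''

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" \d+ \S+ "[^"]*" "([^"]*)"'
)

def query_pairs(uri):
    """Return the query string as ordered (name, value) pairs."""
    return parse_qsl(urlsplit(uri).query, keep_blank_values=True)

def normalize(uri, strip=STRIP_PARAMS):
    """Drop the named parameters; keep every other parameter, in order."""
    kept = [(k, v) for k, v in query_pairs(uri) if k not in strip]
    return urlunsplit(urlsplit(uri)._replace(query=urlencode(kept)))

def analyze(log_text):
    """Count cache keys before and after stripping, and tally user agents."""
    raw_keys, clean_keys, agents = set(), set(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not GET/HEAD in combined format
        _ip, uri, user_agent = m.groups()
        raw_keys.add(uri)                # what a per-URL page cache would store
        clean_keys.add(normalize(uri))   # what it stores once the param is gone
        if any(k in STRIP_PARAMS for k, _ in query_pairs(uri)):
            agents[user_agent] += 1
    return {"raw_keys": len(raw_keys), "clean_keys": len(clean_keys),
            "agents": dict(agents)}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Run against a real access log, the gap between `raw_keys` and `clean_keys` approximates how many extra cache files the parameter is generating, and `agents` shows which user agents send it.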