Spam API Calls From Different IPs

I have recently noticed that I am getting a whole bunch of spam API calls. They are causing errors that read “anvil.server.NoServerFunctionError: API request routing failed. No @anvil.server.http_endpoint exists with path matching ‘/static/admin/javascript/hetong.js’.” The error would change with different paths.
I was getting like 20 in a second and then it would stop and start again a little later from a different IP.

Are they just trying to find an API that they can use?
Is there anything I can do to deter them from trying?
Should I even be scared?

1 Like

I’ve been noticing the same thing in my logs. Happens multiple times a day, for a wide range of different endpoints, none of which exist.

1 Like

Got a list of the same yesterday. But it immediately coincided with a temporary crash of the IDE.

Yeah, this is unfortunately just internet background noise – anything that’s out there on the internet is going to get hit with a bunch of dumb bots looking for old unpatched WordPress installations or whatever. They’re not worth worrying about (unless you are running old unpatched WordPress, which you’re not); they just cause a bunch of 404 errors.

5 Likes

I kinda figured. The only problem I am running into now is that they were doing a whole bunch last night and caused an error like the following: “anvil.server.TimeoutError: Server code took too long” and “anvil.server.ExecutionTerminatedError: Server code execution process was killed. It may have run out of memory: 248591887b.” Could they be slowing the program down by doing this? My scheduled tasks didn’t run during this time; they had missed their designated times.

It may actually be something new. I’ve used Anvil for a few years now but never seen this style or volume of HTTP endpoint connection requests. It looks like something in published environments trying to hit everything and anything but it happened in a big overnight blip. Has the Anvil team noticed anything weird in server loads recently?

We haven’t seen anything out of the ordinary on our end. This kind of noise comes and goes, and we are currently considering ways of filtering out this kind of spam from the app logs.

1 Like

A location blacklist by either country or IP address range would be nice. I’m not saying reject the requests in the endpoint code, just have them skip logging.

1 Like

I found a simple way to stop unwanted visits to my app from certain countries. I used Cloudflare, which is free. Here’s what I did:

  1. Moved my website’s DNS settings to Cloudflare.
  2. Used Cloudflare’s tools to block countries and IP addresses that were causing problems.

This stopped the weird API calls I was getting; it was easy and didn’t cost anything.

5 Likes

Did you experience any downtime for your site when you made the transition?

Thanks!

@anthonys
Not really, no downtime, since they all point to the same IP.

Thanks for the feedback and suggestions, Augustas!

I’ve officially moved to Cloudflare and am pretty happy with the experience. I would like to note for any future readers: make sure you set “Your SSL/TLS encryption mode” to Full or Full (Strict), or your sites will get stuck in a redirect loop.

I do have an additional question for you, @augustas.volbekas: how are you identifying these IPs? I am simply creating a country block, but there are still troublesome IPs in “passable” countries.

@anthonys
Our app works in just one country, so less of an issue for us.

Also, with Cloudflare, you can block all internet requests that have “/_/api/” in them, but let through the ones you know are okay. I think that would block 99% of the spam calls.

1 Like
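
The following is an added example, not code from any poster in this thread or from Anvil or Cloudflare. It combines the two ideas discussed above: an allowlist for paths under “/_/api/”, and identifying the IPs that send bursts of requests to endpoints that do not exist. The endpoint names in `ALLOWED_PATHS`, the sample log entries and the burst threshold are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

API_PREFIX = "/_/api/"
# Hypothetical endpoints this app really serves; replace with your own.
ALLOWED_PATHS = {"/_/api/orders", "/_/api/health"}

# Constructed sample log: (timestamp, client IP, path). IPs are documentation ranges.
SAMPLE_LOG = [
    ("2024-01-01T00:00:00", "203.0.113.7", "/_/api/static/admin/javascript/hetong.js"),
    ("2024-01-01T00:00:00", "203.0.113.7", "/_/api/wp-login.php"),
    ("2024-01-01T00:00:00", "203.0.113.7", "/_/api/wp-admin/setup.php"),
    ("2024-01-01T00:00:01", "203.0.113.7", "/_/api/static/admin/app.js"),
    ("2024-01-01T00:00:02", "198.51.100.20", "/_/api/orders?id=5"),
    ("2024-01-01T00:00:03", "198.51.100.20", "/_/api/order"),   # one typo, not a scan
    ("2024-01-01T00:00:04", "192.0.2.5", "/"),                  # normal page load
    ("2024-01-01T00:05:00", "203.0.113.99", "/_/api/wp-login.php"),
    ("2024-01-01T00:05:00", "203.0.113.99", "/_/api/static/admin/javascript/hetong.js"),
    ("2024-01-01T00:05:01", "203.0.113.99", "/_/api/wp-admin/setup.php"),
]

def is_allowed(path):
    """Non-API traffic passes; under /_/api/ only allowlisted paths pass."""
    if not path.startswith(API_PREFIX):
        return True
    # Ignore the query string and a trailing slash before comparing.
    return path.split("?", 1)[0].rstrip("/") in ALLOWED_PATHS

def burst_scanners(entries, threshold=3, window=timedelta(seconds=1)):
    """Return {ip: peak count} for IPs with >= threshold disallowed hits in one window."""
    misses = defaultdict(list)
    for ts, ip, path in entries:
        if not is_allowed(path):
            misses[ip].append(datetime.fromisoformat(ts))
    flagged = {}
    for ip, times in misses.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    print(burst_scanners(SAMPLE_LOG))
```

The single mistyped request from 198.51.100.20 stays below the threshold, so an occasional client error does not put a legitimate user on the block list; raise `threshold` toward the real burst rate seen in your own logs before acting on the output.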