Duplicated and delayed HTTP GET requests

Dave Roberts 116 Reputation points
2021-06-16T20:44:37.637+00:00

Hi all, I have a situation where I have a simple Windows 10 VM which is hosting a simple http (not s) endpoint using PowerShell via the Polaris library. The endpoints all work as expected. However, what I see in my logs from them are duplicated hits on it that originate from an Amazon data center (according to iplocation.net). The most bizarre part is that these ghosted requests hit the endpoint up to 7 or 8 minutes after the initial one.
e.g.
Issued from our Windows application in my office:
http://MYDSN.westus2.cloudapp.azure.com/myEndPoint?appname=test&devtag=ddd&addparams=none&start_broadcast=true&app_executable_name=appname.exe

Incoming request hits my Azure VM's endpoint at 2021-06-16 19:52:42
The system response is good and the IP of the incoming request matches what I'd expect:
xx.xxx.242.57 Canada British Columbia Vancouver

Then much later, at 2021-06-16 19:59:19 (over six minutes later) the endpoint gets hit with:
http://MYDNS.westus2.cloudapp.azure.com/myEndPoint?appname=test&devtag=ddd&addparams=none&start_broadcast=true&app_executable_name=appname.exe
from: 54.173.113.17 United States of America Virginia Ashburn (listed as Amazon)

By this point the original app that issued the URL has been shut down. The parameters in the request are all custom to user input so I know it is a duplicate of what was originally sent, not just an additional request from some other instance running somewhere.

Does anyone know of how/why a request could get duplicated and resent from a data center on the other side of the continent? Also, my company does not use any Amazon services - we are Azure only.

If you have even a guess, I'd love to hear it! And / or if you can suggest a better place to post this question or a line of investigation to try to figure it out. (I'm not well versed in internet technologies so feel free to suggest "obvious" ideas)

Dave


1 answer

  1. msrini-MSFT 9,261 Reputation points Microsoft Employee
    2021-06-18T21:16:58.743+00:00

    It looks like an attack from a bot service to me. Can you take a look at the agent in the HTTP request from which the second request came? Is it Chrome or any bot?

    If you are able to figure that out, you can add custom code to your application to accept requests from the web application agent only.

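One way to do the check the answer asks for, as an added example that is not part of the original thread: it scans an access log for a request whose path and parameters were first seen from a different IP, and reports the delay and the User-Agent of the repeat. The log format, the stand-in office address 203.0.113.57, both User-Agent strings and all function names are assumptions; the timestamps, query string and 54.173.113.17 come from the question.

```python
from collections import namedtuple
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log. Assumed format: time|client IP|User-Agent|request URL
SAMPLE_LOG = """\
2021-06-16 19:52:42|203.0.113.57|MyWindowsApp/1.0|/myEndPoint?appname=test&devtag=ddd&addparams=none&start_broadcast=true&app_executable_name=appname.exe
2021-06-16 19:53:05|203.0.113.57|MyWindowsApp/1.0|/myEndPoint?appname=test&devtag=eee&addparams=none&start_broadcast=false&app_executable_name=appname.exe
2021-06-16 19:59:19|54.173.113.17|ExampleScanner/1.0|/myEndPoint?appname=test&devtag=ddd&addparams=none&start_broadcast=true&app_executable_name=appname.exe
"""

Hit = namedtuple("Hit", "time ip agent key")
Replay = namedtuple("Replay", "first repeat delay")


def parse_line(line):
    """Turn one log line into a Hit keyed on path plus sorted parameters."""
    stamp, ip, agent, url = line.split("|", 3)
    parts = urlsplit(url)
    # Sorting the parameters means a re-ordered query string still matches.
    params = tuple(sorted(parse_qsl(parts.query, keep_blank_values=True)))
    when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
    return Hit(when, ip, agent, (parts.path, params))


def find_replays(log_text, window=timedelta(minutes=30)):
    """Return repeats of an earlier request that arrive from another IP."""
    hits = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    first_seen = {}
    replays = []
    for hit in sorted(hits, key=lambda h: h.time):
        first = first_seen.setdefault(hit.key, hit)
        if first is hit:
            continue  # first time this exact request was seen
        delay = hit.time - first.time
        if hit.ip != first.ip and delay <= window:
            replays.append(Replay(first, hit, delay))
    return replays


if __name__ == "__main__":
    for r in find_replays(SAMPLE_LOG):
        print(f"{r.repeat.time} {r.repeat.ip} repeated a request first sent by "
              f"{r.first.ip} after {int(r.delay.total_seconds())}s; "
              f"User-Agent: {r.repeat.agent!r}")
```
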