“Function Invocations” usage and optional catch-all

Hi,

We have a problem regarding our “Function Invocations” usage.

In order to handle i18n path segments, our CMS is articulated around an optional catch-all route that takes an array of paths in getStaticPaths. fallback is set to “blocking”, allowing us to create new pages on the fly from our CMS.

From this we can observe an unwanted side effect: our optional catch-all route [[...path]] also captures all undesired requests made by malicious actors like wp-..., *.php… Here is an extract of the Vercel logs:

Oct 01 09:44:31.34 GET 404 {REDACTED_HOST} /wp-login.php
Oct 01 09:41:34.31 GET 404 {REDACTED_HOST} /lufix.php
Oct 01 09:41:34.15 GET 404 {REDACTED_HOST} /pepper/wp-content/themes/pridmag/db.php
Oct 01 09:41:33.96 GET 404 {REDACTED_HOST} /hplfuns.php
Oct 01 09:41:33.82 GET 404 {REDACTED_HOST} /wp-content/ovabvpwdb.php
Oct 01 09:41:33.67 GET 404 {REDACTED_HOST} /data.php
Oct 01 09:41:33.48 GET 404 {REDACTED_HOST} /wp-includes/wp-class.php
Oct 01 09:41:33.34 GET 404 {REDACTED_HOST} /mah.php
Oct 01 09:41:33.18 GET 404 {REDACTED_HOST} /wp-content/plugins/wp-sec/wp.php
Oct 01 09:41:33.11 GET 404 {REDACTED_HOST} /wp-content/plugins/czyfidusba/wp-editor.php

This phenomenon is amplified as we host almost 260 sites with high seasonal traffic on Vercel. The 1 million request quota is exceeded in less than 7 days and we are not even at the peak of our potential traffic.

Changing the getStaticPaths fallback config to false is not an option as it would prevent us from updating our sites with our CMS: revalidation is not possible on paths that were not present when the build was done.

What are our options to circumvent this issue and prevent these unwanted function invocations?

Please let me know if additional context is necessary.

Thank you in advance for your assistance.

Hi,

You can block these requests via a Vercel WAF rule: WAF Custom Rules

For example, you can create a rule that blocks or challenges traffic using the “contains ‘.php’” condition:

We wouldn’t be able to design these exact queries for you, but it should be relatively simple using the above example to create a custom rule for each unwanted file type/request.
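As an added example (not code from this thread, and not Vercel's own rule engine), the following JavaScript models the suggested "path contains .php" rule locally and runs it over constructed log lines written in the same format as the ones quoted in the question, so a rule can be checked against real samples before it is switched to blocking. The rule names, the extra WordPress-prefix rule and the host `example.invalid` are assumptions made for the example.

```javascript
// Added example: a local model of a "path contains .php" custom rule.
// Not the Vercel WAF implementation; rule names and sample hosts are constructed.

const RULES = [
  // Same condition as the suggested WAF rule: the request path contains ".php".
  { name: 'php-probe', matches: (path) => path.includes('.php') },
  // Extra rule (assumption: the site is not WordPress) for common WordPress probe prefixes.
  {
    name: 'wordpress-probe',
    matches: (path) => /^\/(?:.*\/)?wp-(?:admin|content|includes|login)\b/.test(path),
  },
];

// Normalise the path the way an edge rule should see it: drop the query string,
// percent-decode and lower-case, so "/wp-login%2Ephp" and "/WP-LOGIN.PHP" both match.
function normalisePath(rawPath) {
  let path = rawPath.split('?')[0];
  try {
    path = decodeURIComponent(path);
  } catch (_) {
    // Undecodable escapes: keep the raw path so the rules still run on it.
  }
  return path.toLowerCase();
}

// Returns the name of the first matching rule, or null when the request would
// pass through to the catch-all route (and so cost a function invocation).
function matchRule(rawPath) {
  const path = normalisePath(rawPath);
  const rule = RULES.find((r) => r.matches(path));
  return rule ? rule.name : null;
}

// Parse one log line in the format quoted in the question:
// "Oct 01 09:44:31.34 GET 404 {host} /wp-login.php"
function parseLogLine(line) {
  const m = line.match(/^(\w{3} \d{2} [\d:.]+) (\w+) (\d{3}) (\S+) (\S+)$/);
  if (!m) return null;
  return { time: m[1], method: m[2], status: Number(m[3]), host: m[4], path: m[5] };
}

// Triage a batch of log lines: which requests the rules would have stopped at
// the edge, and which would still reach the catch-all route.
function triageLog(lines) {
  const blocked = [];
  const passed = [];
  for (const line of lines) {
    const entry = parseLogLine(line);
    if (!entry) continue; // skip lines that are not in the expected format
    const rule = matchRule(entry.path);
    (rule ? blocked : passed).push({ path: entry.path, rule });
  }
  return { blocked, passed };
}

// Constructed sample: probes in the thread's log format, one percent-encoded
// variant, and two legitimate CMS paths (one of which contains "php" but not ".php").
const SAMPLE_LOG = [
  'Oct 01 09:44:31.34 GET 404 example.invalid /wp-login.php',
  'Oct 01 09:41:34.15 GET 404 example.invalid /pepper/wp-content/themes/pridmag/db.php',
  'Oct 01 09:41:33.11 GET 404 example.invalid /wp-content/plugins/czyfidusba/wp-editor.php',
  'Oct 01 09:41:33.00 GET 404 example.invalid /wp-login%2Ephp',
  'Oct 01 09:40:00.00 GET 200 example.invalid /fr/formation-php/debutants',
  'Oct 01 09:39:00.00 GET 200 example.invalid /en/products/summer-collection',
];

const TRIAGE = triageLog(SAMPLE_LOG);
console.log(`blocked: ${TRIAGE.blocked.length}, passed: ${TRIAGE.passed.length}`);
for (const hit of TRIAGE.blocked) console.log(`  ${hit.rule}\t${hit.path}`);
```

Two points the sample is built to show: the rule should be evaluated on the decoded, lower-cased path (otherwise `/wp-login%2Ephp` slips through), and a plain `contains ".php"` condition does not touch a localised slug such as `/fr/formation-php/debutants`, which is why it is a safer first rule than a broad `php` match. Running the candidate rule in challenge mode first, as the reply above suggests, gives the same kind of dry run against live traffic.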


Thank you for your answer; this should resolve our issue.

I see that these rules are project-scoped. Is there a way to create a set of rules directly in vercel.json config file?

Otherwise, we will need to set up each of our 260 projects one by one.

Thanks again!

Hi,

Unfortunately, the setting is project-specific right now and cannot be created globally. I will ensure that the feedback is shared with the wider team.

In the meantime, you can use our API to create them programmatically: Vercel REST API Endpoints


Okay, thank you very much for your help. The API endpoint will surely help a lot!


Hi, @jeantinland! I know it’s been a while, but because there was a discussion about WAF rules, I wanted to let you know of our new WAF template, which may be helpful to you.
