If you run a public-facing site or app on Vercel, you have probably spent some time thinking about how to control its traffic. Like with most problems, the first step to solving it is analysis, so that’s what I’ll discuss in this guide.
Solution
There are a few tools in the Vercel dashboard that you can use to understand the traffic to and from your site. Most are included in every plan, so I’ll focus on those. We also have add-on services that are very well suited to traffic analysis—I’ll touch on these as well, but be sure to understand how usage is calculated before enabling them. If you have questions, feel free to leave them as a comment and I’ll help you find an answer.
Logs
You can view runtime logs for each of your projects by going to that project and choosing “Logs” from the top menu. Logs are a simple but powerful tool for understanding your application’s behavior.
On the left, you’ll find filters that can be used to identify traffic anomalies in a couple of ways.
First, when you expand a given filter, you can see the number of log entries that match each of its values. For example, in this project, I can see that I’ve had 3 errors in the last 30 minutes.
As a starting point, the number of log entries can be useful when looking at the “Request Path” and “Cache” filters. A specific request path with an unusually high number of log entries likely means an unusually high number of requests, and viewing those logs will tell you more about where it’s coming from. When looking at the cache filter, check for a high number of MISS or STALE entries—aside from indicating a possible inefficiency with the application, this could mean a high number of requests to different pages that have become stale and need to be regenerated. If a high number of these requests happen in a short time span, this might warrant further investigation.
To get deeper into the logs, you can inspect an individual entry by clicking it in the main list of events. One of the first properties to look at is the “Request User Agent.” For a real user accessing your site from a real browser, the value will often be something like Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36. It’s trivial for bots to fake this, but suspicious user agents are a good way to weed out obvious bad actors.
If you see a user agent you don’t recognize, you can search for it on https://user-agents.net/ to help you decide whether it’s legitimate traffic.
You can also bulk export up to 100,000 events by applying your filters, selecting the three-dot menu in the top right, and choosing a format. If you’re looking for something very specific, writing a script to analyze logs from a specified period can be extremely helpful.
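As an added example (not part of the original guide or Vercel's own tooling), here is one such script: it ranks request paths by volume, reports the share of MISS/STALE responses, and finds the busiest one-minute window per path. The field names timestamp, requestPath and cache are assumptions, and the entries are constructed sample data.

```javascript
// Added example. Field names (timestamp, requestPath, cache) are assumptions:
// map them to the columns in your own export before running it on real data.
// Constructed sample entries standing in for an exported log file.
const sampleLogs = [
  ["12:00:01", "/", "HIT"],
  ["12:00:10", "/api/search", "MISS"],
  ["12:00:12", "/api/search", "MISS"],
  ["12:00:15", "/api/search", "STALE"],
  ["12:00:20", "/api/search", "MISS"],
  ["12:01:30", "/about", "HIT"],
  ["12:03:00", "/api/search", "HIT"],
  ["12:05:00", "/", "HIT"],
  ["12:10:00", "/", "MISS"],
].map(([t, requestPath, cache]) => ({
  timestamp: `2025-01-10T${t}Z`, requestPath, cache,
}));

// Per path: total requests, share of MISS/STALE responses, and the largest
// number of requests that fell inside any single window of windowMs.
function summarizePaths(entries, windowMs = 60000) {
  const byPath = new Map();
  for (const e of entries) {
    const s = byPath.get(e.requestPath) || { requests: 0, uncached: 0, times: [] };
    s.requests += 1;
    if (e.cache === "MISS" || e.cache === "STALE") s.uncached += 1;
    s.times.push(Date.parse(e.timestamp));
    byPath.set(e.requestPath, s);
  }
  const rows = [];
  for (const [path, s] of byPath) {
    s.times.sort((a, b) => a - b);
    let peak = 0;
    let start = 0;
    for (let end = 0; end < s.times.length; end++) {
      // Slide the window start forward until it spans less than windowMs.
      while (s.times[end] - s.times[start] >= windowMs) start++;
      peak = Math.max(peak, end - start + 1);
    }
    rows.push({ path, requests: s.requests,
      uncachedShare: s.uncached / s.requests, peakPerWindow: peak });
  }
  // Busiest paths first, so outliers are at the top of the report.
  return rows.sort((a, b) => b.requests - a.requests);
}

console.table(summarizePaths(sampleLogs));
```

A path that leads on all three columns at once is the one to open in the log viewer first.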
Log Drains
Log drains are a paid add-on that allows you to export logs to another service for processing or storage. A lot of people will send them to an APM service or some other tool, but you can export them to any endpoint that will accept your POST request if you want to handle it yourself.
Check the log drains documentation for more details.
Usage tab
The usage tab in your dashboard is a great tool for understanding the resources you’ve consumed, but you can also use it to spot abnormalities. There are a few panels that are particularly helpful:
- Top paths - this panel shows the top resource consuming paths across all your projects over time (usually the current billing period, but you can set this yourself). When viewing the top paths by bandwidth, look for obscure paths using unusually high amounts of bandwidth. This type of increased activity can be a signal that you’re receiving unwanted automated traffic.
- Fast data transfer - this metric represents the data transfer between clients and the Vercel Edge network, grouped by direction: incoming and outgoing. In addition to looking for spikes in bandwidth, drastic changes to the proportion of incoming to outgoing traffic can be a strong signal of abnormal behavior.
- Edge requests - very similar to fast data transfer, but the pure number of requests. Use the “projects” and “regions” views here to look for abnormal changes in requests to different projects and from different geographic regions.
TLS Fingerprinting
One of the most effective ways to correlate malicious traffic across changing IP addresses is the TLS fingerprint. The JA4 digest (a hash representing the “fingerprint”) is included in each request as the value of the x-vercel-ja4-digest header.
Our documentation provides a more thorough explanation, so if you’re interested in using the JA4 as an identifier of malicious traffic, be sure to review it first. A word of caution: a JA4 hash alone should not be used to identify and block a malicious user. Another user (potential customer!) with the same browser TLS configuration could generate the same hash. For the same reason, it is not a good idea to block a static list of “bad” JA4 hashes.
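The following added example (not from the original guide or Vercel's documentation) shows the correlation and the caution together: it groups request records by JA4 digest and flags a digest for manual review only when other properties line up as well. It assumes you recorded the x-vercel-ja4-digest value with each request; the field names, digests and IP addresses are constructed placeholders.

```javascript
// Added example. It assumes you stored the x-vercel-ja4-digest header value
// with each request record; the field names used here are hypothetical.
// Constructed sample: placeholder digests and documentation-range IPs.
const sampleRequests = [
  ["203.0.113.10", "digest-a", "MysteryBot", "/api/search"],
  ["198.51.100.7", "digest-a", "MysteryBot", "/api/search"],
  ["192.0.2.44", "digest-a", "MysteryBot", "/api/search"],
  ["203.0.113.99", "digest-a", "MysteryBot", "/api/search"],
  ["198.51.100.20", "digest-b", "Mozilla/5.0 (sample browser)", "/"],
  ["192.0.2.81", "digest-b", "Mozilla/5.0 (sample browser)", "/pricing"],
  ["203.0.113.5", "digest-b", "Mozilla/5.0 (sample browser)", "/about"],
].map(([clientIp, ja4, userAgent, requestPath]) => ({
  clientIp, ja4, userAgent, requestPath,
}));

// Group requests by JA4 digest and report how widely each digest is spread.
// minIps is an illustrative threshold, not a recommended value.
function correlateByJa4(entries, minIps = 3) {
  const groups = new Map();
  for (const e of entries) {
    const g = groups.get(e.ja4) ||
      { requests: 0, ips: new Set(), agents: new Set(), paths: new Set() };
    g.requests += 1;
    g.ips.add(e.clientIp);
    g.agents.add(e.userAgent);
    g.paths.add(e.requestPath);
    groups.set(e.ja4, g);
  }
  return [...groups].map(([ja4, g]) => ({
    ja4,
    requests: g.requests,
    distinctIps: g.ips.size,
    userAgents: [...g.agents],
    paths: [...g.paths],
    // A shared digest is not suspicious by itself: ordinary browsers share
    // them too. Flag for manual review only when many IPs with one digest
    // all send the same user agent to the same single path.
    needsReview: g.ips.size >= minIps && g.agents.size === 1 && g.paths.size === 1,
  }));
}

console.table(correlateByJa4(sampleRequests));
```

In the sample, both digests appear from several IP addresses, but only the one concentrated on a single path is flagged.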
Vercel WAF
The easiest way to use the JA4 hash is in the Vercel WAF, which is available to all users. To do so, change the view from “overview” to “default web traffic” in the top left dropdown. Next, choose “JA4 Digest” in the top right:
You can also filter by a number of other useful properties here. This monitoring view does not incur billable usage, so feel free to explore and look for patterns.
The WAF can also be used to create more targeted views with custom rules. I won’t cover all of the details, but custom rules can be used to block or take other actions on requests whose properties match some set of values you provide.
Most often you’ll see custom rules used for denying requests, but you can also just log them instead. When you create a custom rule like this, go back to the overview page and, instead of selecting “default web traffic” you’ll see your rule. Here you can monitor those requests, isolated from the rest of your traffic, and decide if further action is needed.
An example to illustrate: suppose you’ve noticed increased requests from the user-agent MysteryBot. Before blocking them, you might want to monitor their usage patterns to understand whether they are harmful. All of this is possible using the techniques I described earlier, but a custom rule allows you to view requests to paths that match some regular expression, made by MysteryBot and originating in the 121.0.121.0/16 CIDR range—but wait! You only want to see POST requests. You’d be surprised at how often hyper-specific views like this come in handy, and custom rules are how you create them.
If you’re reading this guide, you’re probably interested in what to do once you identify malicious users. The Vercel WAF docs include a number of options for controlling your traffic, including ones that prevent you from incurring usage from malicious requests. The examples page has a list of rules and options that can be used as a starting point.
Monitoring
In the usage tab, you may have noticed that some paths link to a monitoring chart. This is because monitoring is another great tool for understanding your traffic patterns. Monitoring is a paid add-on, and how to write good queries could be a post of its own (maybe it will be), so if you’re curious what it can do, check out our example queries.
Web Analytics
Web analytics allows you to understand your users’ behavior on your site. While analytics events are billable, some events are included with every plan type, including hobby. Although it excludes known bots, it’s still useful for identifying abuse and malicious behavior. Filtering page views by referrer and geographic location are good starting points for finding abnormal use. Refer to the docs for more information on what you can do with web analytics.
Free Cake
Now that I have your attention: do not skip this section.
The suggestions provided in this guide are meant to be broadly applicable, but there will always be exceptions. There is a reasonable explanation for each of the “abnormal” patterns I’ve described, so use your judgment when taking action on traffic you’ve identified as suspicious. Always try to verify that traffic is not legitimate before blocking access.
Fascinated, captivated, and ready to learn more? Start with our recent blog post, Lifecycle of a Vercel Request. It explains our infrastructure in detail, as well as the controls that are available at each level. As your application grows more complex, understanding this can be incredibly helpful for managing bad traffic as well as making your services run as efficiently as possible.