What Happened?
- Why are we seeing CURL requests originate from Silverline's IP?
- Why am I suddenly seeing an increase in traffic from Silverline's IP?
Environment
- Silverline WAF
- Silverline DDoS
- Proxy
- Proxy/Proxies
- Regional PoPs
Resolution/Answer
- Silverline has an additional health monitor set up that sends CURL requests to the backend server(s) if the proxy is configured/deployed onto a Regional PoP location.
- CURL request traffic will originate from 107.162.x.32/32 and/or 107.162.x.35/32
- The curl traffic is GSLB health monitoring which is applicable for Application Proxies deployed in rPOPs.
- The health monitor traffic checks that the Application Proxy responds to a GET / in order to mark the GSLB pool as up, which is a prerequisite for supplying an A record for the proxy CNAME
- See https://support.f5silverline.com/hc/en-us/articles/360037848773-How-do-I-use-configure-the-Regional-PoP-RPoP-in-Silverline-Proxies and https://support.f5silverline.com/hc/en-us/articles/360037337394-How-is-the-traffic-flow-through-Silverline-infrastructure-different-with-Regional-PoPs for details.
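One way to separate this health-monitor traffic from other curl requests during access-log triage is sketched below. This is an added example, not Silverline code. It assumes combined-format access logs, a `curl/` User-Agent prefix, and an operator-supplied third octet for the `x` in the addresses above; the function names and sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Combined log format: client IP, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def monitor_sources(third_octet):
    """The two /32 sources named in the article; third_octet is the 'x' the
    article leaves open and has to be supplied by the operator."""
    return {ipaddress.ip_address(f"107.162.{third_octet}.{h}") for h in (32, 35)}

def classify(line, sources):
    m = LOG_RE.match(line)
    if not m:
        return "unparsed"
    try:
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:
        return "unparsed"
    is_curl = m["ua"].lower().startswith("curl/")  # assumption: default curl UA
    if ip in sources:
        # Only GET / from curl matches the documented health check; anything
        # else from a monitor address is worth a second look.
        if is_curl and m["method"] == "GET" and m["path"] == "/":
            return "health-monitor"
        return "monitor-ip-unexpected"
    return "curl-other" if is_curl else "other"

def summarize(lines, sources):
    return Counter(classify(line, sources) for line in lines)

# Constructed sample lines; the third octet 0 is a placeholder, not a real value.
SAMPLE = [
    '107.162.0.32 - - [01/Jan/2024:00:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.29.0"',
    '107.162.0.35 - - [01/Jan/2024:00:00:06 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.29.0"',
    '107.162.0.32 - - [01/Jan/2024:00:00:09 +0000] "POST /login HTTP/1.1" 401 0 "-" "curl/7.29.0"',
    '203.0.113.9 - - [01/Jan/2024:00:00:12 +0000] "GET /admin HTTP/1.1" 404 0 "-" "curl/8.4.0"',
    '198.51.100.7 - - [01/Jan/2024:00:00:15 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for label, count in summarize(SAMPLE, monitor_sources(0)).items():
        print(f"{label:24} {count}")
```

Requests labelled `monitor-ip-unexpected` or `curl-other` are the ones to review, since they do not match the `GET /` check described above.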