I have a Node and Express API for my backend. Currently it's running on Heroku, and in my logs I see bots trying to spam the API with bad intent, trying to hit endpoints like GET /.env and GET /.aws-secret. My API will just simply return a 404 since these endpoints don't exist, but I'd like to stop these bots from making all these requests. I already have a rate limiter in place, but it's annoying to see that the bots still make requests basically every day trying to hit an endpoint.
I've seen some answers here on how to block an IP address using Express, but my idea would be to have a list of blacklisted endpoints (such as GET /.env) and ban any IP that makes a request to those endpoints, except I don't know if this solution is ideal. What would be the best way to get rid of these bots trying to hit vulnerable endpoints?
CodePudding user response:
You could blacklist confidential files and directories and each time someone tries to access them, don't return any response.
CodePudding user response:
The cure to this problem might be worse than the disease.
Rate limiting has a high chance to block valid users, as scripts tend to be more persistent in achieving their goals than humans are.
Blocking IP addresses? You may want to try it out. Be aware that one IP does not mean one person, machine or script. IPs are often shared among many users going over the same router. You will ban legitimate users by doing so.
The best idea seems to be some kind of captcha mechanism - prove that you are a human by solving a riddle that is easy for humans, but hard for machines.
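The denylist-and-ban idea from the question, with the shared-IP caveat from the second answer built in, as an added example (this is not code from the question or from either answer): an Express-compatible (req, res, next) middleware that answers known probe paths such as /.env with the same 404 the router would have produced, without running any route code, and only temporarily blocks a client that keeps probing. It uses only Node's standard library, so it runs without express installed; with express you would pass guard.middleware to app.use() before your routes. The names createProbeGuard, isProbePath and simulate, the thresholds, the dot-segment rule and the /.well-known exception are assumptions, and the simulated traffic is constructed, not real log data.

```javascript
'use strict';

// Paths seen in the question's logs plus an allowance for /.well-known,
// where ACME challenges and security.txt legitimately live.
const DENYLIST = new Set(['/.env', '/.aws-secret']);
const ALLOWED_DOT_DIRS = new Set(['.well-known']);

// True if the request path looks like a scanner probe: an exact denylist
// entry, or any dot-prefixed path segment (/.git/config, /.ssh/id_rsa)
// outside of /.well-known. Query strings and percent-encoding are stripped
// first so "/.env?x=1" and "/%2Eenv" match too.
function isProbePath(url) {
  let path = url.split('?')[0];
  try {
    path = decodeURIComponent(path);
  } catch (e) {
    // Malformed escape sequence: fall back to matching the raw path.
  }
  const segments = path.split('/').filter(Boolean);
  if (DENYLIST.has('/' + segments.join('/'))) return true;
  return segments.some(
    (seg, i) => seg.startsWith('.') && !(i === 0 && ALLOWED_DOT_DIRS.has(seg))
  );
}

// Builds the middleware. Strikes are counted per client IP inside windowMs;
// after maxStrikes the client is refused for blockMs and then forgotten again,
// so a shared IP (NAT, carrier-grade NAT) is never locked out permanently.
function createProbeGuard({
  maxStrikes = 3,
  windowMs = 60 * 60 * 1000,
  blockMs = 15 * 60 * 1000,
  now = Date.now,
} = {}) {
  const strikes = new Map(); // ip -> { count, firstAt, blockedUntil }

  // Heroku's router puts the real client address first in X-Forwarded-For.
  // Only trust that header when a proxy you control is the one setting it.
  function clientIp(req) {
    const xff = req.headers && req.headers['x-forwarded-for'];
    if (xff) return String(xff).split(',')[0].trim();
    return (req.socket && req.socket.remoteAddress) || 'unknown';
  }

  function middleware(req, res, next) {
    const ip = clientIp(req);
    const t = now();
    let entry = strikes.get(ip);
    if (entry && entry.blockedUntil) {
      if (entry.blockedUntil > t) {
        res.statusCode = 403; // still inside the block window
        res.end();
        return;
      }
      strikes.delete(ip); // block expired: clean slate
      entry = undefined;
    } else if (entry && t - entry.firstAt > windowMs) {
      strikes.delete(ip); // old strikes aged out
      entry = undefined;
    }
    if (!isProbePath(req.url)) return next();
    const count = (entry ? entry.count : 0) + 1;
    strikes.set(ip, {
      count,
      firstAt: entry ? entry.firstAt : t,
      blockedUntil: count >= maxStrikes ? t + blockMs : 0,
    });
    res.statusCode = 404; // same answer the router would give, minus the route code
    res.end();
  }

  function isBlocked(ip) {
    const e = strikes.get(ip);
    return Boolean(e && e.blockedUntil > now());
  }

  return { middleware, isBlocked };
}

// Constructed traffic (not real logs) run through the guard with a fake
// clock, so the behaviour can be checked offline. Returns one entry per
// request: 'route' if the router was reached, otherwise the status code sent.
function simulate() {
  let clock = 0;
  const guard = createProbeGuard({ maxStrikes: 3, blockMs: 1000, now: () => clock });
  const send = (url, ip) => {
    const req = { url, headers: { 'x-forwarded-for': ip }, socket: { remoteAddress: '10.0.0.1' } };
    const res = { statusCode: 200, end() { this.finished = true; } };
    let routed = false;
    guard.middleware(req, res, () => { routed = true; });
    clock += 10;
    return routed ? 'route' : res.statusCode;
  };
  const out = [];
  out.push(send('/api/users', '203.0.113.5'));   // normal request -> route
  out.push(send('/.env', '203.0.113.5'));        // strike 1 -> 404
  out.push(send('/.aws-secret', '203.0.113.5')); // strike 2 -> 404
  out.push(send('/.git/config', '203.0.113.5')); // strike 3 -> 404 and blocked
  out.push(send('/api/users', '203.0.113.5'));   // blocked -> 403 even for a valid path
  out.push(send('/api/users', '198.51.100.7'));  // other client unaffected -> route
  clock += 2000;                                 // block window passes
  out.push(send('/api/users', '203.0.113.5'));   // forgotten again -> route
  return out;
}
```

Mount it with app.use(createProbeGuard().middleware) ahead of the routes and the probes never reach the router or its logging middleware. Two things to keep in mind in production: the strikes map lives in one process's memory, so on several dynos each one counts separately (a shared store such as Redis fixes that), and the block is deliberately short and self-expiring precisely because of the shared-IP problem the second answer raises.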