Getting suddenly a lot of request from CFNetwork/Darwin

Question

I've noticed in the AWS console that our website got a lot of more requests than normally. Especially in the night hours (Europe time).

Then I've checked the nginx logs and now I know that a lot of devices with different IP addresses request the root of the website, most of them with the user agent swcd (unknown version) CFNetwork/978.0.7 Darwin/18.7.0. Sometimes one of the versions is different.

I have absolutely no idea what is going on so I hope that someone can help.

Answer 1

It can also be a request being made from an iPhone emulator, the user agent contains references to CFNetwork and Darwin

Answer 2

Recently this same behavior was detected by our CDN and our WAF's, and what we detected here in some clients, was a botnet doing enumeration of users in a distributed way, there is even a name for it, user enumeration spraying. Anyone who doesn't know how web attacks work would say this is normal.

Answer 3

swcd runs on iOS and macOS devices and will periodically attempt to access /apple-app-site-association and /.well-known/apple-app-site-association. This is used for several features which mediate between an Apple native app and the web, including Shared Web Credentials, Handoff, and Universal Links.

This process will typically run overnight in the user's local time zone, but specific timing is not guaranteed.

See also Setting Up an App’s Associated Domains for more information on associated domains.

Hard to guess the cause of the spike without knowing more about your product - but some possible causes:

• you recently released an update to your iOS or macOS app
• a larger customer just signed up for your service or rolled out your product to more employees
• a larger customer just deployed an iOS or macOS operating system update to their managed devices

Anyway, I would ignore the spike. If it's causing you trouble, ensure your load balancer is configured correctly.

Answer 4

Looks to me like someone with a botnet is trying to take advantage of the shared web credentials to compromise your site, doing it at night to try to avoid detection. Other evidence is the "a lot of devices with different IP addresses request the root of the website". If it was just a "viral" event, just certain classes of devices would show, rather than a wide diversity of devices. Accessing the root of the web-site -- these are devices that have never been to your site before. It's not a denial of service attack because they are doing it at night, therefore not denying anybody their service, and night is the natural time for break-ins.

I'm not a cracker myself, just an old-school developer, and I'm not even terribly familiar with ios, but I could not remain silent while there was a possibility that your web site was attacked without you at least suspecting and investigating. HTH.