Annotator request_size

Request size anomaly

Requests are unusually large or shaped in a way that suggests abuse or automation.

Attack family · Fuzzing, stress, and malformed payload staging
Phase · Reconnaissance and exploit staging
Risk · Medium

What This Annotator Watches

This explanation is derived from the live annotator implementation, not hand-waved catalog copy.
Focus
  • Very large or abnormally small requests and responses
  • Payload shape mismatches across method, status, and URL context
  • Outlier response sizes that hint at abuse or malformed clients
Logic
  • Known media assets can be exempted so large normal files do not pollute the signal.
  • The annotator scores oversized, undersized, and contextually odd response shapes differently.
  • It is strongest when paired with endpoint context and recurrence.
Attack Family
Fuzzing, stress, and malformed payload staging
Abnormal size is often how attackers learn what the application will tolerate. Oversized parameters, undersized weird replies, and repeated outliers are the shape of probing before the exploit is fully understood.
Damage Patterns
  • Attackers use payload size variation to discover parser limits, buffer assumptions, and application stress points.
  • Large or oddly shaped requests can also drive up compute cost, trigger edge-case errors, and preview denial-of-service behavior.
Incident Lore
  • A lot of high-impact exploit chains began with seemingly boring malformed inputs that taught the attacker where the boundaries really were.
  • Defenders often dismiss size anomalies as noise until they line up with crashes, resets, or later exploit attempts.
How To Read It
This is a shape-of-traffic annotator. It helps explain why the request or response footprint looks unlike normal usage.
Defender Takeaway
Treat shape anomalies as experimentation. Someone may be measuring the envelope before they commit to a stronger move.
Catalog Definition
Flags abnormal request sizes such as unusually large query strings, oversized headers, or repeated large payload attempts. This can indicate fuzzing, stress attempts, malformed clients, or automation. False positives can occur (large cookies, tracking parameters, legitimate API usage), so interpret with endpoint context and recurrence.
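
The scoring ideas described above (media exemption, different weights for oversized and undersized footprints, per-endpoint baselines, recurrence) shown as an added Python example; it is not the annotator's own implementation. The median/MAD baseline, the weights, thresholds, event field names and the `size:below_normal` label are assumptions, and the sample events are constructed.

```python
import statistics
from collections import Counter
from urllib.parse import urlsplit

# Every name, weight and threshold here is an assumption for illustration.
MEDIA_EXT = (".jpg", ".png", ".gif", ".mp4", ".webp", ".woff2")
OVERSIZE_SCORE, UNDERSIZE_SCORE = 14, 6  # oversized weighted above undersized
Z_LIMIT = 6.0        # robust z-score cut-off
MIN_RECURRENCE = 3   # flagged events from one source before it is reported

def baseline(sizes):
    """Median and MAD (median absolute deviation) of historical sizes."""
    med = statistics.median(sizes)
    mad = statistics.median([abs(s - med) for s in sizes]) or 1.0
    return med, mad

def score_event(event, baselines):
    """Return (score, rule) for one event; (0, None) when unremarkable."""
    path = urlsplit(event["url"]).path
    if path.lower().endswith(MEDIA_EXT):
        return 0, None               # known media: large is normal
    key = (event["method"], path)
    if key not in baselines:
        return 0, None               # no endpoint context, no verdict
    med, mad = baselines[key]
    z = (event["size"] - med) / (1.4826 * mad)
    if z > Z_LIMIT:
        return OVERSIZE_SCORE, "size:above_normal"
    if z < -Z_LIMIT:
        return UNDERSIZE_SCORE, "size:below_normal"  # hypothetical rule name
    return 0, None

def recurring_sources(events, baselines):
    """Source IPs whose flagged events reach MIN_RECURRENCE."""
    hits = Counter(e["ip"] for e in events if score_event(e, baselines)[0])
    return {ip for ip, n in hits.items() if n >= MIN_RECURRENCE}

# Constructed sample data; addresses are from documentation ranges.
HISTORY = {("GET", "/"): [5100, 5200, 5150, 5300, 5250, 5180, 5220]}
BASELINES = {k: baseline(v) for k, v in HISTORY.items()}
EVENTS = (
    [{"ip": "192.0.2.10", "method": "GET", "url": "/", "size": 48000}] * 3
    + [{"ip": "198.51.100.7", "method": "GET", "url": "/", "size": 51000},
       {"ip": "203.0.113.5", "method": "GET", "url": "/", "size": 5210},
       {"ip": "203.0.113.9", "method": "GET", "url": "/", "size": 120}]
)

if __name__ == "__main__":
    for e in EVENTS:
        print(e["ip"], e["size"], score_event(e, BASELINES))
    print("recurring:", recurring_sources(EVENTS, BASELINES))
```

A single oversized hit is scored but not reported as recurring, which is the endpoint-context-plus-recurrence reading the catalog definition asks for.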

10 Most Recent Real Samples

Weekly cached from live annotated access events so the catalog stays fast.
Week: 2026W16
Lookback: 30 days
Total matched: 54538
Latest sample: Apr 13, 2026 • 00:59
Top rules: size:above_normal · 10
Top requester orgs: DigitalOcean, LLC · 8; Digital Ocean · 2
Severity mix: 14 · 10
Method mix: GET · 10