Anyone can help me with rules for this type of attack?

Hello,

Anyone can give me a hand?

Attack Log:

177.107.XXX.XXX/24 - - [11/Sep/2019:18:51:36 +0200] "GET /?evm8S5ti=XTNYHEKs HTTP/1.1" "200" 771 "https://DOMAIN.COM/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-US) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27" "177.107.52.130" "https://DOMAIN.COM:443/?evm8S5ti=XTNYHEKs"

51.77.XXX.XXX/24 - - [11/Sep/2019:18:51:36 +0200] "GET /?QQQQQQQQ=QQQQQQQQ HTTP/1.1" "200" 759 "https://DOMAIN.COM/" "Mozilla/5.0 (MeeGo; NokiaN9) AppleWebKit/534.13 (KHTML, like Gecko) NokiaBrowser/8.5.0 Mobile Safari/534.13" "51.77.105.45" "https://DOMAIN.COM:443/?QQQQQQQQ=QQQQQQQQ"

2a01:4f8:xxx:xxxx:xxx - - [11/Sep/2019:18:51:36 +0200] "GET /?IF6487RD=otEXnZiw HTTP/1.1" "200" 770 "https://DOMAIN.COM/" "Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; en) Presto/2.9.168 Version/11.52" "2a01:4f8:c2c:a441::1" "https://DOMAIN.COM:443/?IF6487RD=otEXnZiw"

2a01:4f8:xxx:xxxx:xxx - - [11/Sep/2019:18:51:36 +0200] "GET /?QQQQQQQQ=QQQQQQQQ HTTP/1.1" "200" 759 "https://DOMAIN.COM/" "Mozilla/5.0 (MeeGo; NokiaN9) AppleWebKit/534.13 (KHTML, like Gecko) NokiaBrowser/8.5.0 Mobile Safari/534.13" "51.77.105.45" "https://DOMAIN.COM:443/?QQQQQQQQ=QQQQQQQQ"

The attack is either on /?[random chars] or index.php?[random chars].
This is what I tried, but it doesn't seem to be effective, as it doesn't issue the challenge.

Rules:

(http.request.uri.query contains "?" and not cf.client.bot) or (http.request.uri.path contains "?" and not cf.client.bot) or (http.request.uri.query eq "?QQQQQQQQ=QQQQQQQQ" and not cf.client.bot)

I'm quite lost now, as the attacker can bypass the cache with this.

Thanks!

First question, are you using the query string (the bit after “?”) at all on your site? If not, you could either switch your caching strategy to “No query string” or use a firewall rule to block requests with query strings altogether.

The former would not block the requests; however, random strings wouldn't circumvent the cache at least.

The latter should be achievable with either one of these rules (try them out).

(http.request.uri contains "?")

or

(http.request.uri.query ne "")

Hello,

Yes I do use the query string and therefore I can’t cache all of the content.
It’s being used with Ajax & other GET Requests all together therefore if that would be cached, the site wouldn’t work.

I have tried this before:

(http.request.uri contains "?")


I would just need to make a firewall rule for index.php or login.php but not the ajax requests.
Therefore domain/index.php?random domain/login.php?random would be cached but not domain/ajax/files.php?get

Hope you understand, thanks for your time.

In that case simply extend my previous examples with and'ed expressions, which in- or exclude these files based on their paths.

That makes sense, so just adding the rule for everything except (ignore) folders I choose.
I will definitely try that and let you know.

Thank you.

That should work. Can you post a few examples where you have query strings and which files you’d like to block if a query string is sent and which not?

I would need it to UAM / Captcha all requests at

Domain.com/index.php?XYZ123
Domain.com/path/login.php?XYZ123
Domain.com/path/register.php?XYZ123

Domain.com/path/ajax/* <- would be untouched, ignored as there is dynamic content.

and also domain.com/?XYZ123.

thanks!

In that case the following might work

(http.request.uri contains "?" and not http.request.uri.path contains "/path/ajax/")
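To check which requests the final rule above would challenge before deploying it, here is an added example (not from the original thread or from Cloudflare) that replays the rule's logic over access log lines in the same format as those posted. The log lines, IPs and the /path/ajax/ prefix are constructed for the example; this mirrors the rule's `contains` semantics as substring matches and is not Cloudflare's own evaluation engine.

```python
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample lines modelled on the thread's log format (not the poster's data).
SAMPLE_LOG = """\
177.107.0.1 - - [11/Sep/2019:18:51:36 +0200] "GET /?evm8S5ti=XTNYHEKs HTTP/1.1" "200" 771
51.77.0.1 - - [11/Sep/2019:18:51:36 +0200] "GET /index.php?QQQQQQQQ=QQQQQQQQ HTTP/1.1" "200" 759
10.0.0.5 - - [11/Sep/2019:18:51:37 +0200] "GET /path/ajax/files.php?get HTTP/1.1" "200" 120
10.0.0.6 - - [11/Sep/2019:18:51:38 +0200] "GET /path/login.php HTTP/1.1" "200" 500
"""

# Pull the request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')


def parse_uri(line: str) -> Optional[str]:
    """Return the request URI (path plus query) from one log line, or None."""
    m = REQUEST_RE.search(line)
    return m.group("uri") if m else None


def rule_matches(uri: str, excluded_path_parts=("/path/ajax/",)) -> bool:
    """Local replay of the thread's final rule:
    (http.request.uri contains "?" and not http.request.uri.path contains "/path/ajax/")
    Cloudflare's `contains` is a substring test, so both checks are substring tests here.
    """
    path = urlsplit(uri).path          # http.request.uri.path: everything before "?"
    has_query = "?" in uri             # http.request.uri contains "?"
    excluded = any(part in path for part in excluded_path_parts)
    return has_query and not excluded


def challenged_uris(log_text: str) -> List[str]:
    """URIs from the log that the rule would send to a challenge."""
    hits = []
    for line in log_text.splitlines():
        uri = parse_uri(line)
        if uri is not None and rule_matches(uri):
            hits.append(uri)
    return hits


if __name__ == "__main__":
    for uri in challenged_uris(SAMPLE_LOG):
        print("challenge:", uri)
```

Run it against a slice of your own log to confirm that ajax endpoints fall through and that the random-query requests are the only ones matched.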

Thank you so much.
That seems to be working perfectly.

:smiley: