Are we being attacked?


#1

Hi, we just signed up for this service today as we have a weird behaviour with our website. The website is very sluggish because our server’s CPU is very very high. When we stop Apache, the load drops. When we start Apache, the server load skyrockets.

Could you confirm whether we are being attacked or not?

Thanks,
Charles


#2

I can’t say anything about your requests direct to origin by someone bypassing Cloudflare if they had your origin IP. Through Cloudflare you have had ~12k requests in 6 hours; only ~5,300 of those went to origin. Could it be an attack? Maybe? Hard to know what normal traffic looks like for your site, but that seems like a number of requests a web server should be able to handle, generally speaking.


#3

Hi,

Our server load is still extremely high today and we’re getting a load of HTTP requests that look like a possible WordPress attack because of the xmlrpc.php hits, see image attached.

Is there anything we can do to block those requests besides doing it IP by IP?

Any other suggestions? Is this not getting blocked already because this plan doesn’t cover layer 7 attacks, which I’m assuming this is?

Thanks!


#4

xmlrpc.php acts like an API so this looks to me like an attack.

Secure access to this file and, more important, block all HTTP traffic to your origin except from Cloudflare sources:

Restrict access to this file (Apache Config):

# Disallow access to important files: dotfiles, wp-config.php, xmlrpc.php,
# any .txt except robots.txt, and readme/liesmich files
<FilesMatch "(^\.|wp-config\.php|xmlrpc\.php|(?<!robots)\.txt|(liesmich|readme).*)">
    # Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead of these two lines
    Order deny,allow
    Deny from all
</FilesMatch>

If you don’t need XMLRPC you can safely deactivate it completely by editing the functions.php:

/* Disable XMLRPC: makes xmlrpc.php answer every request with an error */
add_filter( 'xmlrpc_enabled', '__return_false' );

To remove it from the HTTP header as well add:

/* Remove XMLRPC, WLW, Generator and ShortLink tags from header */
/* (drops the RSD <link rel="EditURI"> tag that advertises xmlrpc.php) */
remove_action( 'wp_head', 'rsd_link' );

This will reduce the server load.

https://codex.wordpress.org/Hardening_WordPress


#5

Hi,

As far as blocking all HTTP traffic besides the Cloudflare sources, I’m assuming this would be at the origin firewall level, which for us would be done via iptables?

Thanks!


#6

Correct. Don’t forget to save the rules once you’ve configured your firewall. Use iptables-save, and reload the rules during the boot process; otherwise all rules are gone.


#7

Actually I don’t think iptables will work, because I have certain domain aliases that are not going through CloudFlare since they’re just used for redirect purposes. I don’t believe there’s a way to tell iptables to only allow some source IPs if they are meant for a specific domain.

Does CloudFlare have something to deal with the above, or is my best resource to block the source IP addresses that are not from CloudFlare through the Apache Deny/Allow directives?

Thanks!


#8

You can specify source and destination IPs if you have dedicated IP addresses. Maybe you can order a second address from your host provider and use it for your redirects. Or move the domains to CloudFlare :wink:

Blocking IPs is supported on the Enterprise plan only.
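A worked version of the firewall advice in #4, #6 and #8, plus the per-vhost Apache alternative raised in #7, added here as an example; it is not code from the thread or from Cloudflare. The script prints (and with --apply runs) iptables rules that let ports 80/443 on the Cloudflare-proxied origin address accept only Cloudflare sources, while a second, dedicated address used by the redirect-only aliases stays open, then saves the ruleset for reload at boot. The two addresses are hypothetical, and CF_RANGES is a constructed sample of the list published at https://www.cloudflare.com/ips-v4, not the full list.

```shell
#!/bin/sh
# Added example, not code from the thread. Lock web ports on a Cloudflare-proxied
# origin to Cloudflare's edge while a second, dedicated address stays open.
#
# Hypothetical addresses: 203.0.113.10 is the origin Cloudflare proxies to,
# 203.0.113.11 is where the un-proxied redirect-only alias domains point.
# CF_RANGES is a constructed sample; fetch the full, current list from
# https://www.cloudflare.com/ips-v4 (and ips-v6 for ip6tables) before applying.

CF_RANGES="103.21.244.0/22
103.22.200.0/22
173.245.48.0/20"

CHAIN="CF_ONLY"

# gen_rules ORIGIN_IP ALIAS_IP
# Prints the iptables commands, one per line, without running anything.
gen_rules() {
    origin="$1"
    alias_ip="$2"

    # Dedicated chain: accept Cloudflare sources, drop everyone else.
    echo "iptables -N $CHAIN 2>/dev/null || true"
    echo "iptables -F $CHAIN"
    for range in $CF_RANGES; do
        echo "iptables -A $CHAIN -s $range -j ACCEPT"
    done
    echo "iptables -A $CHAIN -j DROP"

    # Web ports on the proxied origin address are evaluated by the chain
    # (destination match = the "dedicated IP" trick from #8); the same
    # ports on the alias address are accepted from anywhere.
    echo "iptables -I INPUT -p tcp -d $origin -m multiport --dports 80,443 -j $CHAIN"
    echo "iptables -I INPUT -p tcp -d $alias_ip -m multiport --dports 80,443 -j ACCEPT"
}

# persist_rules [FILE]
# Prints the commands that save the live ruleset and restore it at boot
# (#6: without this the rules vanish on reboot). Hook the restore line into
# whatever runs early at boot on your distribution, e.g. iptables-persistent.
persist_rules() {
    file="${1:-/etc/iptables/rules.v4}"
    echo "iptables-save > $file"
    echo "# at boot: iptables-restore < $file"
}

# gen_vhost_allow
# Prints an Apache 2.4 fragment for the proxied domain's <VirtualHost> that
# answers only when the TCP peer is a Cloudflare edge (the per-vhost route
# asked about in #7, for an origin with a single shared address).
# Caveat: if mod_remoteip rewrites the client address from CF-Connecting-IP,
# "Require ip" sees the visitor rather than the edge and would deny everyone.
gen_vhost_allow() {
    echo "<Location />"
    for range in $CF_RANGES; do
        echo "    Require ip $range"
    done
    echo "</Location>"
}

# Usage:  sh cf_origin_lock.sh 203.0.113.10 203.0.113.11          # print only
#         sudo sh cf_origin_lock.sh 203.0.113.10 203.0.113.11 --apply
if [ "${3:-}" = "--apply" ]; then
    gen_rules "$1" "$2" | sh -e
    persist_rules | sh -e
elif [ -n "${1:-}" ]; then
    gen_rules "$1" "$2"
    persist_rules
    echo "# Apache alternative for the proxied vhost:"
    gen_vhost_allow
fi
```

Run it without --apply first and read the output; the chain is rebuilt on every run, so regenerating it when Cloudflare's published ranges change is safe. Note what this does and does not do: it stops anyone who learns the origin IP from hitting Apache directly, but the xmlrpc.php requests that arrive through Cloudflare still reach the server, so the FilesMatch or xmlrpc_enabled change from #4 is still needed for those.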