Attack with ip range change in seconds

Good morning,

I wanted to ask you a question to learn how to mitigate the attacks I suffer on my server.

I have managed to mitigate many types of attacks but now I would like if someone can give me the type of RULE/CONFIGURATION for Cloudflare that it has to mitigate those attacks from the same IP, but that only change the last digits of the IP.
That is to say, I have suffered an attack in which I received many requests from 3 DIFFERENT IPs.

93.156.201.XXX
52.167.144.XXX
213.55.110.XXX

They were constantly entering links on my website and every few seconds they changed one of the last 3 digits.

Can you help me? Thank you very much friends!

Are these actually attacks or just scans of paths like /wp-admin, /test and so on. If your origin is replying to these with 404s and don’t use Wordpress you are generally ok, it’s just noise.

You can look up the IP address on Cloudflare Radar to get the subnet or ASN and create a WAF rule to challege based on either of those if you want to filter the source out.

Thanks for the quick reply.
My website is not Wordpress, it is a custom site.

What it does is that it goes through all the URLs at random.

I’ll look at what you say, and now I’ll comment.

I found this:

https://radar.cloudflare.com/traffic/as60781

The example to mitigate it would be…

Instead of equals use is in, then you can put multiple AS numbers in the box. I would recommend it being a challenge rather than a block just in case there’s any real users within the ASN.

Personally I think its easier to add the ASN’s to the Security, WAF, Tools page - as over time you will probably be adding hundreds of ASN’s to be blocked

The best way to manage dynamic botnets in a free Cloudflare setup is to implement CrowdSec on the server side, communicating with Cloudflare API and updating automatically every 30s the related Cloudflare IP list. Such IP list must be used on a WAF rule, then You will have dynamic blocks feeded by attempts on your service and crowded ones.

Here the guide: Cloudflare | CrowdSec

Hello Paul,

I have set the rule as my colleague said, but it actually changes AS. (IMAGE Nº1)

Could I block it by ASN?( image nº2) I don’t see the option within the rules, could you send an image of how to do it?

thank you

Interesting, but I understand that to configure this, I should have more advanced knowledge, I will try to do it.

Or do you know of any person or company that can do this configuration and pay via Paypal?

thank you!

this??

ASN BLOCKED

That’s it, just add ASN’s as needed with no need to keep editing a rule which would become massive over time

If you do some googling (other search engines are available) you can find lists of VPN / Proxy / BotNet / bad ASN’s that are worth blocking