Recently I had a bot attack, because of which I enabled “I’m under attack” mode in Cloudflare for my homepage and started throwing a JS Challenge for all viewers. Now I see that a number of attackers are able to evade that, and I see visits like this:
[Riga, Latvia] left <homepage_url> and visited <homepage_url>
IP:Hostname:
Browser:
I also see that the user was never shown any JS challenge (from Cloudflare firewall events, as well as live traffic from my server).
Is there a chance your IP address leaked somehow? If there is, they could have simply bypassed Cloudflare and sent the requests directly. Do you have any firewall rules in place which block all non-Cloudflare requests?
Hi sandro, thanks for the response. No, I do not have such firewall rules. Can you please let me know what exactly the rule should be, if I am making such a rule in, say, CSF? If I allow only Cloudflare_IP and block all other IPs, would that do, or is it going to cause any trouble?
In addition to possibly currently available records, like MX records, as mentioned by @MarkMeyer, there is always the chance an attacker already had your IP before you switched to Cloudflare or used one of the databases keeping a site’s history. Was the IP ever public?
Traceroute was enabled by default on the server and I noticed it after a couple of days. Anyway, I am now changing the IP for cPanel, so that the domains now get new IP addresses to be accessed from the web.
How do I know whether the IP address is leaking through MX records? Or, what are all the possible places where the IP address may be leaked, and how do I prevent that? Can you please point me to some URL or document?
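Added example, not part of any post in this thread: one way to audit your own zone for records that resolve outside Cloudflare (the MX and cPanel leak discussed above) and to build the allow-only-Cloudflare rule asked about for CSF. The record names, the origin address 203.0.113.10 and the helper names are constructed; the range list is a subset of Cloudflare's published IPv4 ranges, and the `csf.allow` advanced-filter format and the `TCP_IN` setting are assumed to match your CSF version's readme.

```python
import ipaddress

# Subset of Cloudflare's published IPv4 ranges, for illustration only.
# Load the current list from https://www.cloudflare.com/ips-v4 in real use.
CLOUDFLARE_V4 = ["173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13", "172.64.0.0/13"]

# Constructed sample: (record name, type, resolved addresses), standing in for
# what you would collect with dig for your own zone. 203.0.113.10 plays the
# origin server; every name and address here is made up.
SAMPLE_RECORDS = [
    ("example.com", "A", ["104.16.1.1"]),
    ("www.example.com", "A", ["172.64.2.2"]),
    ("mail.example.com", "A", ["203.0.113.10"]),    # MX target, cannot be proxied
    ("ftp.example.com", "A", ["203.0.113.10"]),
    ("cpanel.example.com", "A", ["203.0.113.10"]),
    ("blog.example.com", "A", ["198.51.100.7"]),    # hosted elsewhere
]

def in_ranges(ip, cidrs):
    """True if ip falls inside any of the given CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def find_origin_leaks(records, origin_ip, cf_ranges=CLOUDFLARE_V4):
    """Return (name, type, ip, verdict) for every address not behind Cloudflare."""
    findings = []
    for name, rtype, ips in records:
        for ip in ips:
            if in_ranges(ip, cf_ranges):
                continue  # proxied: resolves to a Cloudflare edge address
            verdict = "ORIGIN EXPOSED" if ip == origin_ip else "unproxied (other host)"
            findings.append((name, rtype, ip, verdict))
    return findings

def csf_allow_lines(cf_ranges=CLOUDFLARE_V4, ports=(80, 443)):
    """csf.allow advanced-filter lines admitting only Cloudflare to the web ports.
    Only effective if 80 and 443 are also removed from TCP_IN in csf.conf;
    otherwise those ports stay open to every source."""
    return [f"tcp|in|d={p}|s={c}" for c in cf_ranges for p in ports]

if __name__ == "__main__":
    for finding in find_origin_leaks(SAMPLE_RECORDS, "203.0.113.10"):
        print("%-20s %-3s %-15s %s" % finding)
    print("\n".join(csf_allow_lines()))
```

Any name flagged as exposing the origin keeps revealing the server address after an IP change unless that record is moved to a different host or removed.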