Attackers evading "I'm under attack mode" in Cloudflare

Recently I had a bot attack, because of which I enabled “I’m under attack” mode in Cloudflare for my homepage and started throwing JS Challenge for all viewers. Now, I see a number of attackers are able to evade that. And, I see visits like this -

[Riga, Latvia] left <homepage_url> and visited <homepage_url>
IP: Hostname:
Browser:
I also see that the user was never shown any JS challenge (from Cloudflare firewall events, as well as live traffic from my server).

How should I prevent visits like this?

Is there a chance your IP address leaked somehow? If there is, they could have simply bypassed Cloudflare and sent the requests directly. Do you have any firewall rules in place which block all non-Cloudflare requests?

Hi sandro, thanks for the response. No, I do not have such firewall rules. Can you please let me know what exactly the rule should be, if I am making such a rule in, say, CSF? If I allow only Cloudflare_IP and block all other IPs, would that do, or is it going to cause any trouble?

Please refer to the manual of your firewall for that. The IP addresses in question are listed at https://www.cloudflare.com/ips/

Generally not, unless there are some cases where you need to connect directly, but that depends on your use case.

Keep in mind, if your IP is known, an attacker might still be able to take down your machine using different attack vectors.

Hi sandro, thanks for the response. I will take the necessary steps. Is there any way to know whether my server is leaking its IP address?

Check your dashboard. Most common are records like mail. or smtp., which leak your origin IP as they cannot be proxied.

Additionally to possibly currently available records, like MX records, as mentioned by @MarkMeyer there is always the chance an attacker already had your IP before you switched to Cloudflare or used one of the databases keeping a site’s history. Was the IP ever public?

traceroute was enabled by default on the server and I could notice it after a couple of days. Anyway, I am now changing the IP for cPanel, so that the domains now get new IP addresses to be accessed from the web.

That's a good idea, just make sure that IP really doesn't show up anywhere (MX records or anywhere else).

How do I know whether the IP address is leaking through MX records? Or, what are all the possible places where the IP address may be leaked, and how do I prevent that? Can you please point me to some URL or document?
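Putting the two questions in this thread together (allowing only Cloudflare's edge ranges at the origin firewall, and spotting DNS records such as MX or mail. that publish the origin IP), here is an added Python example; it is not from the thread, from Cloudflare or from CSF. The IP ranges are a constructed subset (load the live list from https://www.cloudflare.com/ips-v4), the zone records and log lines are constructed samples, and the csf.allow line format is an assumption to check against your CSF version.

```python
import ipaddress

# Constructed sample subset of Cloudflare's IPv4 ranges; in practice fetch the
# full, current list from https://www.cloudflare.com/ips-v4 before building rules.
CLOUDFLARE_V4 = ["173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13",
                 "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22"]
CF_NETS = [ipaddress.ip_network(c) for c in CLOUDFLARE_V4]

# Constructed sample zone (the hypothetical origin is 198.51.100.7) and access log.
ORIGIN_IP = "198.51.100.7"
SAMPLE_ZONE = [
    {"name": "example.com", "type": "A", "value": ORIGIN_IP, "proxied": True},
    {"name": "www.example.com", "type": "CNAME", "value": "example.com", "proxied": True},
    {"name": "mail.example.com", "type": "A", "value": ORIGIN_IP, "proxied": False},
    {"name": "example.com", "type": "MX", "value": "10 mail.example.com", "proxied": False},
]
SAMPLE_LOG = ["104.16.1.9 /", "203.0.113.55 /", "203.0.113.55 /login", "172.64.3.2 /"]


def is_cloudflare(ip, nets=CF_NETS):
    """True if the connecting address lies in one of Cloudflare's edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def direct_hits(log_lines, nets=CF_NETS):
    """Source IPs from 'ip path' log lines that reached the origin without Cloudflare.
    Any such hit means the origin IP is known and the firewall allow-list is missing."""
    return sorted({ln.split()[0] for ln in log_lines if not is_cloudflare(ln.split()[0], nets)})


def leaking_records(zone, origin_ip):
    """Names of DNS records that expose origin_ip without Cloudflare proxying.
    MX and CNAME values are hostnames, resolved against the zone's own A records."""
    a_records = {r["name"]: r["value"] for r in zone if r["type"] == "A"}
    leaks = []
    for r in zone:
        target = r["value"]
        if r["type"] in ("MX", "CNAME"):            # "10 mail.example.com" -> hostname
            target = a_records.get(target.split()[-1], target)
        if target == origin_ip and not r.get("proxied", False):
            leaks.append(f'{r["name"]} ({r["type"]})')
    return leaks


def csf_allow_lines(nets=CF_NETS, ports=(80, 443)):
    """Render allow rules in csf.allow's advanced syntax, assumed to be tcp|in|d=PORT|s=CIDR.
    Pair them with a default deny for those ports so only Cloudflare can reach the origin."""
    return [f"tcp|in|d={p}|s={n}" for n in nets for p in ports]
```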
