Block certain IP range

Hi,

One of my subdomains has been getting a scheduled attack that takes place every 7 days from IPs that start with 64.39.x.x.

  1. I have set up firewall rules - (ip.src in {64.39.0.0/16}) - and set up a firewall at my hosting (DigitalOcean) to only accept inbound from the IP list in (https://www.cloudflare.com/ips/)

  2. I have also set up IP Access Rules to block 64.39.0.0/16 a week after I set up point no. 1

and the attacks are still there. Both rules are still present in my account.

These attacks take roughly 10 minutes with approx. 5k-6k requests. Some look like the following:

  • POST /dynamiccontent.properties.jsf “”
  • GET /core/CHANGELOG.txt “”
  • GET /includes/bootstrap.inc “”
  • GET /core/includes/bootstrap.inc “”
  • GET /_async/AsyncResponseServiceSoap12Https “”
  • POST /_async/AsyncResponseServiceSoap12Https “”
  • GET /includes/local/README “”
  • GET /ultramode.txt “”
  • GET /blocks/readme.txt “”
  • GET /lib/typo3/csconvtbl/readme.txt “”
  • GET /mod/glossary/TODO.txt “”
  • GET /lib/typo3/unidata/SpecialCasing.txt “”
  • HEAD / “”
  • GET /index.php “”
  • GET /surf-net/forum/default.asp “”
  • GET /management “”
  • GET /pix/s/SMILEYS “”
  • GET /html/common/null.html “”
  • GET /html/sound/mail/new_mail_1.wav “”
  • GET /libraries/transformations/README “”
  • GET /Documentation.txt “”
  • GET /translators.html “”
  • GET /scripts/remove_control_m.sh “”
  • GET /lang/remove_message.sh “”
  • GET /phpMyAdmin/CREDITS “”
  • GET /phpMyAdmin/TODO “”
  • GET /pub/TWiki/TWikiDocGraphics/TWikiDocGraphics_13x11_video.psd “”
  • POST /primefaces/javax.faces.resource/dynamiccontent.properties.xhtml “”
  • GET /decorators/wwloader.vmd “”
  • GET /decorators/panels/basicpanel.vmd “”
  • GET /decorators/components/pagecomments.vmd “”
  • GET /3rdparty/plugins/onyx-rss/todo “”
  • GET /_async/AsyncResponseServiceSoap12Https “”
  • GET /actions/countusers.php “”
  • POST /_async/AsyncResponseServiceSoap12Https “”
  • GET /lib/safehtml/license.txt “”
  • GET /lib/Text_Highlighter/README “”
  • GET /misc/umtrans.pl “”
  • GET /lang/bg.php “”
  • GET /javascript/callbacks/checksave.php “”
  • GET /e107_files/misc/null.txt “”

Is there anything that I missed or am unaware I need to set up?

I have a ticket #2003523 which has just been (auto?) closed by the bot.

Any help would be greatly appreciated.

Thank you

You said you’ve made a Firewall rule (ip.src in {64.39.0.0/16}). If you are convinced that it’s not working, do you mind posting a screenshot of the exact firewall rule you have made? Do you have any other Firewall Rules listed above it?

I’ve never had an issue with Firewall rules “not working”, so it’s very likely that you have misconfigured something.

Firewall Rule

IP Rule

I forgot to mention that those are the only rules I have.

I did try replacing the rule with one that only allows access from a certain IP, and I couldn’t access my site from other IPs, so that should have confirmed that it works and is connected properly, shouldn’t it?

I’m not familiar with CIDR. Do I understand correctly that 64.39.0.0/16 will block all IPs that start with 64.39.x.x?
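
Added example, not part of the original thread: a small Python triage of origin access-log lines that shows what 64.39.0.0/16 covers and separates requests that arrived through Cloudflare from requests that connected to the origin directly. The log format and sample lines are constructed, and the Cloudflare ranges are a partial sample standing in for the full list at https://www.cloudflare.com/ips/.

```python
import ipaddress

# Range from the thread's rule: a /16 fixes the first 16 bits,
# so it covers 64.39.0.0 through 64.39.255.255.
BLOCKED = ipaddress.ip_network("64.39.0.0/16")

# ASSUMPTION: partial sample of Cloudflare IPv4 ranges for the demo; load the
# full current list from https://www.cloudflare.com/ips/ in real use.
CLOUDFLARE_SAMPLE = [ipaddress.ip_network(n) for n in
                     ("173.245.48.0/20", "104.16.0.0/13",
                      "172.64.0.0/13", "162.158.0.0/15")]

# Constructed origin log lines (hypothetical format):
# <tcp_peer_ip> <CF-Connecting-IP header or "-"> <method> <path>
SAMPLE_LOG = """\
172.68.10.5 64.39.102.7 GET /core/CHANGELOG.txt
64.39.102.7 - GET /phpMyAdmin/CREDITS
162.158.90.1 203.0.113.9 GET /index.php
64.40.1.1 - HEAD /
"""

def classify(line):
    """Return (client_ip, verdict) for one origin log line."""
    peer_s, header_s, _method, _path = line.split()
    peer = ipaddress.ip_address(peer_s)
    via_cf = any(peer in net for net in CLOUDFLARE_SAMPLE)
    # Trust CF-Connecting-IP only when the TCP peer really is Cloudflare;
    # on a direct connection the header is client-controlled.
    use_header = via_cf and header_s != "-"
    client = ipaddress.ip_address(header_s) if use_header else peer
    if client in BLOCKED:
        # Proxied: the edge rule did not stop the request.
        # Direct: the origin firewall did not stop it.
        verdict = ("blocked-range-via-cloudflare" if via_cf
                   else "blocked-range-direct-to-origin")
    else:
        verdict = "proxied" if via_cf else "direct-to-origin"
    return str(client), verdict

def triage(log_text):
    """Classify every non-empty line of an origin log."""
    return [classify(l) for l in log_text.splitlines() if l.strip()]

if __name__ == "__main__":
    for client, verdict in triage(SAMPLE_LOG):
        print(f"{client:15} {verdict}")
```
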
