Block list of ips

#1

Hi,

Recently we got DDoSed by a botnet of over 4000 machines via HTTP GET/POST requests. I managed to check the HTTP logs and found the IPs of the botnet. About 4000 IPs.

Is there any way I can block these IPs quickly on Cloudflare?

Thanks

#2

You can script an API routine to add them. The tricky part is deleting them later. If you add a “note” to the block, your API deletion script can search for that note keyword and delete each match one by one.

https://api.cloudflare.com/#user-level-firewall-access-rule-create-access-rule

#3

Thanks, I don't plan to remove them from the ban as they are clearly a botnet.

I already output the IPs to a badip.txt like this:
tail badip.txt

Besides using the API, is there another quick way to add the whole list of IPs to the block list?
Thanks

#4

Sorry, you can’t batch add them from the Dashboard.

#5

I see, I will try using the API as you mentioned.

Thanks for your help and have a nice weekend ;))

1 Like
#6

BTW, do you happen to have an example API script handy, so I can modify it to fit my case?

Thanks

#7

Sorry, I don’t. I’m sure someone has something workable that loops through entries in a text file. Maybe @Matteo has something.

#8

If you have IPs in a text file (one IP per line) named ips.txt, you can run the following bash script as: ./block.sh ips.txt

Content of block.sh (set the variables section before using):

```bash
#!/usr/bin/env bash

# >>>>>>>>>>>>>>>>>>>>>>>> Variables >>>>>>>>>>>>>>>>>>>>>>>>
zones="myzone"
email="user@example.com"   # placeholder: your Cloudflare account email
authkey="AuthKey"
id="id"
org_name="My Organization"
notes="Mass Block"
# <<<<<<<<<<<<<<<<<<<<<<<< Variables <<<<<<<<<<<<<<<<<<<<<<<<

count=0

# Read the file line by line (also handles a last line without a newline).
while IFS= read -r ip || [ -n "$ip" ]; do
  [ -n "$ip" ] || continue   # skip empty lines
  curl -sSX POST "https://api.cloudflare.com/client/v4/zones/$zones/firewall/access_rules/rules" \
    -H "X-Auth-Email: $email" \
    -H "X-Auth-Key: $authkey" \
    -H "Content-Type: application/json" \
    --data "{\"mode\":\"block\",\"scope\":{\"id\":\"$id\",\"name\":\"$org_name\",\"type\":\"organization\"},\"configuration\":{\"target\":\"ip\",\"value\":\"$ip\"},\"notes\":\"$notes\"}"

  # Printed after every request; check the JSON response above for errors.
  ((count++))
  echo "$count. blocked: $ip"
done < "$1"

echo
echo "$(tput setaf 3)Total of $count IPs blocked.$(tput sgr0)"
```
3 Likes
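
A pre-flight filter for a list like badip.txt, as an added example that is not part of the original thread or of Cloudflare's tooling: the script in post #8 pastes each line straight into the JSON body, so this validates, deduplicates and drops private or reserved addresses first. It handles IPv4 only, and the function names and sample entries are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): sanitize an IP list before bulk-blocking.
# All function names and the sample data are constructed for illustration.

# Succeeds only for a strict dotted-quad IPv4 address (no leading zeros).
is_ipv4() (
  case "$1" in ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
  IFS=.; set -- $1
  [ "$#" -eq 4 ] || exit 1
  for octet in "$@"; do
    case "$octet" in 0?*|????*) exit 1 ;; esac
    [ "$octet" -le 255 ] || exit 1
  done
)

# Fails for ranges that should never be on an edge block list: "this network",
# RFC 1918 private space, loopback, link-local, multicast and above.
# Not exhaustive: add your own office, monitoring and origin addresses.
is_blockable() (
  IFS=.; set -- $1
  case "$1.$2" in 0.*|10.*|127.*|169.254|192.168) exit 1 ;; esac
  [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && exit 1
  [ "$1" -lt 224 ]
)

# stdin: raw list, one entry per line. stdout: unique, validated addresses.
# Rejected entries are reported on stderr so they can be reviewed.
clean_ip_list() {
  tr -d '\r' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | LC_ALL=C sort -u |
  while IFS= read -r ip; do
    [ -n "$ip" ] || continue
    if is_ipv4 "$ip" && is_blockable "$ip"; then
      printf '%s\n' "$ip"
    else
      printf 'skipped: %s\n' "$ip" >&2
    fi
  done
}

# Constructed sample: duplicates, CRLF, padding, private and malformed entries.
sample_list() {
  printf '%s\n' '203.0.113.7' '203.0.113.7' ' 198.51.100.20 ' '10.0.0.5' \
    '192.168.1.1' '172.20.0.3' '127.0.0.1' '256.1.1.1' '1.2.3' \
    '010.1.1.1' '203.0.113.9"' ''
  printf '198.51.100.20\r\n'
}

sample_list | clean_ip_list
```

With the functions loaded and the final demo line removed, `clean_ip_list < badip.txt > ips.txt` produces the file to pass to the blocking script.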
#9

Awesome, thanks a lot

3 Likes
#10

I wouldn’t have had anything, thanks @Xaq!

1 Like