Blocking abusive 162.158.0.0/16 shuts down cloudflare?

Wow
After a slew of ntp 123 attacks along with 162.158.0.0/16 I blocked them both and now cloudflare can’t seem to forward a person to my site.
Interesting.

*sorry for the mistype…fixed it now 162.158…

Which block is it now? 162.158 or 162.168?

The latter is not a Cloudflare address block. The former is and if you block it, you certainly block Cloudflare too.

Using the following example

$ sudo iptables -A INPUT -s 162.158.4.0/24 -j DROP

To block 162.158.*.* addresses:

$ sudo iptables -A INPUT -s 162.158.0.0/16 -j DROP

To block 162.*.*.* addresses:

$ sudo iptables -A INPUT -s 162.0.0.0/8 -j DROP

This is how the internet told me to block so I used /16 instead of /15

Ehm, this is now a completely different address block once again.

Can you clarify which block you actually mean?

You mean to tell me that out of all the IPv4

173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
141.101.64.0/18
108.162.192.0/18
190.93.240.0/20
188.114.96.0/20
197.234.240.0/22
198.41.128.0/17
162.158.0.0/15
104.16.0.0/12
172.64.0.0/13
131.0.72.0/22

taking down one range
attack takes down everything?

Right now I was able to revive the 108.x.x.x cf but that’s it (162.158.x.x is still blocked for good reason)

Not everything, but possibly a lot. If you use Cloudflare you must not block these addresses.

Should I send you a slew of my logs (no kidding, 162.158.x.x was all there was and it was off the hook with nefarious activity…but still not allowing anything through to my server)? Here, I’ll unblock and take a screenshot for your amusement…be right back

Hah! As soon as I unblock I can’t even do hardly anything on the net

Sorry but as soon as I unblock it the world falls through or else I’d have a better screenshot for you…right now you see the 108.x trying to take its place (but ntp 123 is still blocked)

It is unlikely that these requests come from Cloudflare. Keep in mind NTP runs on UDP where you can “easily” fake source addresses.

If you are absolutely sure that it comes from Cloudflare you might want to contact support, however you should not block them as you otherwise - well, block them :wink:

If you must, block UDP requests, but not TCP ones.

No, it’s not coming from cloudflare (but cloudflare is not allowing all its IPv4 addresses to service my site)

The attacks are coming from amazonaws, googleusercontent, akamai, etc. and only the one cloudflare block was servicing me 162.158.0.0/16 (or 15)

I am really not sure what you are saying or what the issue is.

Nowhere in your screenshot is a 162 address to begin with.

Okay, I’ll just copy over some of the logs to clarify. Yes, I know it’s now 108.x, but that IPv4 just recently came out of hiding (like I said, only one, 162.158.x.x, was seen using etherape), so whatever slew hogged that down left me on an island of no service.

Here, try this, it was taken earlier yesterday

This is a small version of what came through here (seriously small) 162.158 was all there was and there was zillions of them (my site was unreachable for hours just look back about a day ago leading up to today)

sudo iptables -A INPUT -s 162.158.0.0/16 -j DROP
sudo iptables -A FORWARD -s 162.158.0.0/16 -j DROP
sudo iptables -A OUTPUT -s 162.158.0.0/16 -j DROP

after doing this I was able to go to my site but it was super-slow because it was the only block cf was giving me…so I changed my dns to opendns and was able to see the site for awhile until ntp 123 marched in with akamai and googleusercontent and …

These are most likely faked UDP packets with Cloudflare’s address. You can still clarify it with Cloudflare’s support but that’s something your network provider or its upstream provider would have to block.

For now you should block UDP requests.

Thanks sandro, will it be okay if I block UDP in the modem/router combo unit instead of the server?

LOL…I blocked UDP from the router/modem combo and nothing worked (not google or bing or my site) but apparently akamai and amazonaws were still coming in at large.

Incoming UDP from that network range. If you block all UDP you block DNS too.

:wink: yes

If you only block UDP from that network range, everything else should still work but NTP requests should get dropped. Though we are a bit off-topic now as that is rather network administration at this point.

You can always contact Cloudflare too, but it is rather unlikely that any of these requests come from them. These servers do not handle NTP, let alone send you an avalanche of such requests.
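Added example, not part of this thread or of any Cloudflare tooling: a short Python script that checks a proposed DROP block against the Cloudflare IPv4 ranges listed earlier in the thread (so the /15 vs /16 confusion is caught before the rule is loaded) and builds the narrower UDP-only rule sandro suggests. The function names are mine.

```python
"""Check a proposed firewall block against Cloudflare's IPv4 ranges and
emit a UDP-only alternative instead of dropping all traffic."""
import ipaddress

# The Cloudflare IPv4 ranges quoted in the thread.
CLOUDFLARE_V4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/12",
    "172.64.0.0/13", "131.0.72.0/22",
]


def cloudflare_overlaps(cidr):
    """Return the Cloudflare ranges a DROP rule for `cidr` would hit,
    fully or partly. An empty list means the rule leaves Cloudflare alone."""
    block = ipaddress.ip_network(cidr, strict=False)
    return [r for r in CLOUDFLARE_V4
            if block.overlaps(ipaddress.ip_network(r))]


def is_cloudflare_source(addr):
    """True if a single logged source address lies inside a Cloudflare range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(r) for r in CLOUDFLARE_V4)


def udp_only_rule(cidr):
    """iptables rule dropping only UDP from `cidr`, so the TCP traffic the
    Cloudflare proxy needs to reach the origin is left untouched."""
    return f"iptables -A INPUT -s {cidr} -p udp -j DROP"


if __name__ == "__main__":
    # The three blocks mentioned in the thread: one Cloudflare, one not, one /8.
    for proposed in ("162.158.0.0/16", "162.168.0.0/16", "162.0.0.0/8"):
        hits = cloudflare_overlaps(proposed)
        print(proposed, "->", hits if hits else "no Cloudflare range hit")
        if hits:
            print("   narrower rule:", udp_only_rule(proposed))
```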
I’ll try now (my site is touch and go now…one second it works but takes eons then it doesn’t work)…I’ve had to replace a server to no avail because I thought it was at this end

That means you blocked TCP as well.