Blocking abusive 162.158.0.0/16 shuts down Cloudflare?

Alternatively simply block all incoming UDP packets on port 123. But again, that is probably now better suited for StackExchange :slight_smile:

It looks like the attack is petering down…still dozens of connections, but just for the record, I already was at StackExchange and twice on the phone with the monopoly provider…I think it was StackExchange where I learned the 162.x.x.x/8, 162.x.x.x/16, 162.x.x.x/24 format.

Now that I unblocked 162.158.x.x, there’s hardly any hint of them (mostly now 172 and 108 CF blocks; ’bout time).

For IPv4 addresses anything between /0 and /32 is possible -> https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing

Anyhow, you probably don’t even need to block the specific network range, you can also block all incoming UDP packets on port 123. That would block NTP, but that might be less of an issue than an apparent denial of service.

Thanks, Sandro, for your input. It appears to be simmering down (still, why can’t any of the Cloudflare blocks other than the initial 162.158.x.x come to the rescue? And even now it is only starting to grow into 141, 108, and hmmmm…that’s it).

P.S. It wasn’t just an NTP attack.

I’m all done here now and will now think about a rest, a cigarette, a shower, a …

cya

Might be a good time to ask your ISP if they have any MANRS.

But it can’t be the internet provider unless they are blocking all the Cloudflare IP addresses I accept (except for one, 162.158.x.x).

I did try calling the internet provider though (hoping they could throttle the 162.158.x.x down). I still think there has to be something amiss with Cloudflare, because out of all these IP blocks you are telling me I could only get one?

i.e.

173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
141.101.64.0/18
108.162.192.0/18
190.93.240.0/20
188.114.96.0/20
197.234.240.0/22
198.41.128.0/17
162.158.0.0/15
104.16.0.0/12
172.64.0.0/13
131.0.72.0/22

Oh you know the routine:

Yes ma’am, I was wondering if you could kindly take a look at the activity on my IP address right now?

Answer: No, I don’t know how to do that.

Me: Is there somebody there that can?

Hold on, I’ll check (eternal hold).

Stops back to tell me that she put her feelers out but it doesn’t look like there’s a way to mitigate any huge amount of sudden myriads of hits.

Me: So if I and you have an agreement that you pay me for water and I give you poisoned water, how would that sit with you?

Phhhttt…waste of an hour of my life with the monopoly (as typical with any of the remaining players at the IP monopoly board). Check out their ratings in Google.

Okay, but as stated, it wasn’t just NTP (I mentioned other stuff, right?), such as this tiny list:

I say it’s tiny because in all, I think there were more than 20 protocols and I don’t even know how many “unknowns” simultaneously…even now my site is hog-tied but I don’t care because I’m going to work on something else (my dad down in Florida has a server with some frog-name company and he offered to host it there for me as a ditto-copy).

As I said, it is rather unlikely these requests come from Cloudflare. Maybe you want to clarify this with support, but I don’t think this will be remotely Cloudflare related. Either these are faked requests or there is some issue with your own or your provider’s network.

Sandro, I understand what you are saying about the logs showing 162.158.x.x as faked, but Cloudflare has other blocks and none of those were anywhere to be seen for hours:

173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
141.101.64.0/18
108.162.192.0/18
190.93.240.0/20
188.114.96.0/20
197.234.240.0/22
198.41.128.0/17
162.158.0.0/15
104.16.0.0/12
172.64.0.0/13
131.0.72.0/22

So even if the 162.158.x.x was spoofed, where were the others to ensure that my site was still accessible?

All I’m saying is that something else happened beyond what has been the norm. This is why I began to want to see true IP addresses (and by seeing the true IP addresses all I got was my IP address and a few from Bing and then whammo, nothing but 162.158.x.x and a few 108.x.x.x).

I am not sure what you mean by that.

But as I said originally, you cannot block that address range. If you do, certain datacentres simply won’t reach you any more.

At this point I would suggest you block all incoming packets from that address except for TCP 80 and 443.
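As an added example (not part of the original thread, and not Cloudflare's own tooling), the sketch below measures how much of the Cloudflare range list quoted in this thread a proposed block rule would cut off, and tallies source addresses per Cloudflare range. The function names and the sample source addresses are constructed for illustration; only the range list comes from the thread.

```python
import ipaddress
from collections import Counter

# Cloudflare IPv4 ranges exactly as listed in the thread above.
CLOUDFLARE_RANGES = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/12",
    "172.64.0.0/13", "131.0.72.0/22",
)]

def block_impact(rule):
    """Return {cloudflare_range: fraction_blocked} for a proposed block rule."""
    blocked = ipaddress.ip_network(rule)
    impact = {}
    for cf in CLOUDFLARE_RANGES:
        if not blocked.overlaps(cf):
            continue
        # Overlapping CIDR blocks always nest, so the smaller one is the intersection.
        shared = min(blocked.num_addresses, cf.num_addresses)
        impact[str(cf)] = shared / cf.num_addresses
    return impact

def tally_sources(addresses):
    """Count source addresses per Cloudflare range; anything else is 'other'."""
    counts = Counter()
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        owner = next((str(cf) for cf in CLOUDFLARE_RANGES if ip in cf), "other")
        counts[owner] += 1
    return counts

# Constructed sample of source addresses, standing in for access-log entries.
SAMPLE_SOURCES = ["162.158.10.5", "162.158.200.9", "162.159.1.1",
                  "108.162.216.7", "172.68.3.4", "203.0.113.50"]

if __name__ == "__main__":
    print(block_impact("162.158.0.0/16"))   # half of 162.158.0.0/15 is cut off
    print(block_impact("162.0.0.0/8"))      # the whole /15 is cut off
    print(tally_sources(SAMPLE_SOURCES))
```

Running `block_impact` on a rule before deploying it shows whether the rule lands inside a range the origin is supposed to accept, which is the situation described above for 162.158.0.0/16.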

Well, it petered out…now the site is accessible without delay…dunno. My site has some pretty bad stuff on it (I recorded conversations with the IP providers and then there’s the cop here in town that raped and drugged the girl and I put him on blast on my site…other stuff too)…my guess is that something else is happening. They must have gone to bed so I guess I’ll see what happens later on.

Okay, I’m not going to write anymore about this…promise.

For my own records, and to clarify, my server ONLY accepts visitors provided they first go through Cloudflare. All of Cloudflare’s IP blocks are added within the config file of the server and the .htaccess. The fact that one abusive block, 162.158.x.x (the only one that was apparently mated to service my site, since no other CF blocks were seen nor recorded in the logs), should put to rest that I am not the cause (my actions were after the attack started, obviously). Whereas I simply was stopping the aggressor and no other party was present (no other Cloudflare IP addresses were present). I’m merely including this comment for my screenshot records since it was stated several times on here that I am at issue. In other words, if I pull out a gun and start shooting and your usual bodyguards are suddenly not present, you cannot state that it was your fault for shutting the door on me … WHERE WERE THE BODYGUARDS? :wink: