Botnet - Captcha Protect doesn't work properly

firewall
bug

#1

Hello,

My site has been under attack for a week. I enabled the captcha challenge for every country code, but the attackers (bots) can still get through to my website. How is that possible? I tried setting up testcookie and reCAPTCHA for nginx, but I can't stop this attack. The attackers are using a layer 7 method to attack my website.

I'm using the Cloudflare free plan. Why doesn't Cloudflare protect us?

I think the attacker is using proxies to spoof IPs; every IP address makes two requests, so I can't rate limit this. Please help me.

nginx access log file:

38.121.155.127 - - [19/Jan/2019:19:26:30 +0000] "GET / HTTP/1.1" 200 43440 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A" "138.121.155.127"
103.241.227.108 - - [19/Jan/2019:19:26:30 +0000] "GET / HTTP/1.1" 200 43441 "-" "Mozilla/5.0 (Linux; Android 7.0; SM-G892A Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Mobile Safari/537.36" "103.241.227.108"
89.38.97.65 - - [19/Jan/2019:19:26:30 +0000] "GET / HTTP/1.1" 200 43442 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0" "89.38.97.65"
185.139.68.154 - - [19/Jan/2019:19:26:30 +0000] "GET / HTTP/1.1" 200 43440 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25" "185.139.68.154"
241.200.239.225 - - [19/Jan/2019:19:26:30 +0000] "GET / HTTP/1.1" 200 43442 "-" "Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US" "241.200.239.225"
100.24.54.138 - - [19/Jan/2019:19:26:30 +0000] "GET / HTTP/1.1" 200 43441 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25" "100.24.54.138"
192.207.200.252 - - [19/Jan/2019:19:26:30 +0000] "GET / HTTP/1.1" 200 43442 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; SLCC1)" "192.207.200.252"
95.65.1.200 - - [19/Jan/2019:19:26:30 +0000] "GET / HTTP/1.1" 200 43441 "-" "Mozilla/5.0 (Linux; Android 7.1.1; G8231 Build/41.2.A.0.219; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/59.0.3071.125 Mobile Safari/537.36" "95.65.1.200"
139.5.71.220 - - [19/Jan/2019:19:26:30 +0000] "GET / HTTP/1.1" 200 43442 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; SLCC1)" "139.5.71.220"
68.183.152.170 - - [19/Jan/2019:19:26:30 +0000] "GET / HTTP/1.1" 200 43441 "-" "Mozilla/5.0 (Linux; Android 4.4.2; Nexus 4 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.114 Mobile Safari/537.36" "68.183.152.170"
139.5.71.233 - - [19/Jan/2019:19:26:30 +0000] "GET / HTTP/1.1" 200 43441 "-" "Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US" "139.5.71.233"
191.189.73.51 - - [19/Jan/2019:19:26:30 +0000] "GET / HTTP/1.1" 200 984 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36" "191.189.73.51"
93.41.192.228 - - [19/Jan/2019:19:26:31 +0000] "GET / HTTP/1.1" 200 43441 "-" "Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)" "93.41.192.228"
185.139.68.154 - - [19/Jan/2019:19:26:31 +0000] "GET / HTTP/1.1" 200 43442 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25" "185.139.68.154"
62.201.220.50 - - [19/Jan/2019:19:26:31 +0000] "GET / HTTP/1.1" 200 43430 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" "62.201.220.50"
252.232.32.94 - - [19/Jan/2019:19:26:31 +0000] "GET / HTTP/1.1" 200 43441 "-" "Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US" "252.232.32.94"
77.120.40.54 - - [19/Jan/2019:19:26:31 +0000] "GET / HTTP/1.1" 200 43442 "-" "Mozilla/5.0 (Linux; Android 7.1.1; G8231 Build/41.2.A.0.219; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/59.0.3071.125 Mobile Safari/537.36" "77.120.40.54"
192.207.200.252 - - [19/Jan/2019:19:26:31 +0000] "GET / HTTP/1.1" 200 43439 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; SLCC1)" "192.207.200.252"
95.0.235.61 - - [19/Jan/2019:19:26:31 +0000] "GET / HTTP/1.1" 200 43442 "-" "Mozilla/5.0 (Linux; Android 5.1; AFTS Build/LMY47O) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/41.99900.2250.0242 Safari/537.36" "95.0.235.61"
191.102.104.34 - - [19/Jan/2019:19:26:31 +0000] "GET / HTTP/1.1" 200 43441 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25" "191.102.104.34"
209.33.120.66 - - [19/Jan/2019:19:26:32 +0000] "GET / HTTP/1.1" 200 43441 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10; rv:33.0) Gecko/20100101 Firefox/33.0" "209.33.120.66"
81.161.196.5 - - [19/Jan/2019:19:26:32 +0000] "GET / HTTP/1.1" 200 43441 "-" "Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US" "81.161.196.5"
200.216.227.141 - - [19/Jan/2019:19:26:32 +0000] "GET / HTTP/1.1" 200 43442 "-" "Mozilla/5.0 (Linux; Android 4.4.2; Nexus 4 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.114 Mobile Safari/537.36" "200.216.227.141"
241.224.235.112 - - [19/Jan/2019:19:26:32 +0000] "GET / HTTP/1.1" 200 43441 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch; NOKIA; Lumia 920)" "241.224.235.112"
81.162.195.215 - - [19/Jan/2019:19:26:32 +0000] "GET / HTTP/1.1" 200 43441 "-" "Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1" "81.162.195.215"
81.162.195.215 - - [19/Jan/2019:19:26:32 +0000] "GET / HTTP/1.1" 200 43441 "-" "Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1" "81.162.195.215"
243.74.93.40 - - [19/Jan/2019:19:26:32 +0000] "GET / HTTP/1.1" 200 43441 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10; rv:33.0) Gecko/20100101 Firefox/33.0" "243.74.93.40"
147.91.111.130 - - [19/Jan/2019:19:26:32 +0000] "GET / HTTP/1.1" 200 43440 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10; rv:33.0) Gecko/20100101 Firefox/33.0" "147.91.111.130"
91.227.183.222 - - [19/Jan/2019:19:26:32 +0000] "GET / HTTP/1.1" 200 43441 "-" "Mozilla/5.0 (CrKey armv7l 1.5.16041) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.0 Safari/537.36" "91.227.183.222"
109.86.199.155 - - [19/Jan/2019:19:26:32 +0000] "GET / HTTP/1.1" 200 43429 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10; rv:33.0) Gecko/20100101 Firefox/33.0" "109.86.199.155"
41.162.76.170 - - [19/Jan/2019:19:26:32 +0000] "GET / HTTP/1.1" 200 43441 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" "41.162.76.170"
35.183.230.83 - - [19/Jan/2019:19:26:32 +0000] "GET / HTTP/1.1" 200 43439 "-" "Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14" "35.183.230.83"
176.123.129.14 - - [19/Jan/2019:19:26:32 +0000] "GET / HTTP/1.1" 200 43440 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0" "176.123.129.14"
194.213.212.57 - - [19/Jan/2019:19:26:32 +0000] "GET / HTTP/1.1" 200 43441 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; SLCC1)" "194.213.212.57"
185.199.87.235 - - [19/Jan/2019:19:26:32 +0000] "GET / HTTP/1.1" 200 43440 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393" "185.199.87.235"
68.183.179.243 - - [19/Jan/2019:19:26:32 +0000] "GET / HTTP/1.1" 200 43440 "-" "Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14" "68.183.179.243"
240.187.54.149 - - [19/Jan/2019:19:26:32 +0000] "GET / HTTP/1.1" 200 43429 "-" "Mozilla/5.0 (Linux; Android 7.0; SM-G892A Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Mobile Safari/537.36" "240.187.54.149"
170.245.59.250 - - [19/Jan/2019:19:26:32 +0000] "GET / HTTP/1.1" 200 43429 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25" "170.245.59.250"
78.61.157.167 - - [19/Jan/2019:19:26:32 +0000] "GET / HTTP/1.1" 200 43441 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10; rv:33.0) Gecko/20100101 Firefox/33.0" "78.61.157.167"
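
An added example (not part of the original post): a small Python analyser for log lines in the format posted above, showing why per-IP rate limiting fails here and what else the lines reveal. It is assumed that the format is nginx's "combined" format with one extra quoted field appended; the thread does not say which variable that field is, so it is parsed as an opaque string. The sample input is nine lines copied verbatim from the log above. Two things worth checking on such a log: first, the request count per address (here at most two, which is exactly the pattern the poster says defeats rate limiting); second, whether the client addresses are even routable. Several of the posted addresses (241.200.239.225, 252.232.32.94, 240.187.54.149, 243.74.93.40, 241.224.235.112) fall inside 240.0.0.0/4, which is reserved and never assigned to Internet hosts, so whatever populates $remote_addr for those lines is not a genuine TCP peer. The first posted line is also the only one whose extra field differs from $remote_addr; whether that is a real discrepancy or a copy-paste truncation the thread does not say, but it is the check #2 asks about.

```python
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Sample input: nine lines copied verbatim from the access log posted above
# (not constructed), chosen so that the repeated and reserved addresses are visible.
SAMPLE_LOG = """\
38.121.155.127 - - [19/Jan/2019:19:26:30 +0000] "GET / HTTP/1.1" 200 43440 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A" "138.121.155.127"
185.139.68.154 - - [19/Jan/2019:19:26:30 +0000] "GET / HTTP/1.1" 200 43440 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25" "185.139.68.154"
241.200.239.225 - - [19/Jan/2019:19:26:30 +0000] "GET / HTTP/1.1" 200 43442 "-" "Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US" "241.200.239.225"
192.207.200.252 - - [19/Jan/2019:19:26:30 +0000] "GET / HTTP/1.1" 200 43442 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; SLCC1)" "192.207.200.252"
185.139.68.154 - - [19/Jan/2019:19:26:31 +0000] "GET / HTTP/1.1" 200 43442 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25" "185.139.68.154"
252.232.32.94 - - [19/Jan/2019:19:26:31 +0000] "GET / HTTP/1.1" 200 43441 "-" "Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US" "252.232.32.94"
192.207.200.252 - - [19/Jan/2019:19:26:31 +0000] "GET / HTTP/1.1" 200 43439 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; SLCC1)" "192.207.200.252"
81.162.195.215 - - [19/Jan/2019:19:26:32 +0000] "GET / HTTP/1.1" 200 43441 "-" "Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1" "81.162.195.215"
81.162.195.215 - - [19/Jan/2019:19:26:32 +0000] "GET / HTTP/1.1" 200 43441 "-" "Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1" "81.162.195.215"
"""

# nginx "combined" format plus one extra quoted field at the end. The thread does not
# say which variable that field is (assumption: something like $http_x_forwarded_for
# or $http_cf_connecting_ip), so it is parsed as an opaque string.
LOG_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"(?: "(?P<trailing>[^"]*)")?$'
)


@dataclass
class Entry:
    client: str
    time: str
    request: str
    status: int
    ua: str
    trailing: str | None


def parse_log(text: str) -> list[Entry]:
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:  # unparseable lines are skipped rather than crashing the report
            entries.append(Entry(m["client"], m["time"], m["request"],
                                 int(m["status"]), m["ua"], m["trailing"]))
    return entries


def non_global_sources(entries: list[Entry]) -> set[str]:
    """Client addresses that cannot be a real Internet peer: reserved (240.0.0.0/4),
    private, loopback, link-local, or not an IP address at all."""
    bad = set()
    for e in entries:
        try:
            if not ipaddress.ip_address(e.client).is_global:
                bad.add(e.client)
        except ValueError:
            bad.add(e.client)
    return bad


def trailing_mismatches(entries: list[Entry]) -> list[tuple[str, str]]:
    """Lines where the extra field disagrees with $remote_addr (the question raised in #2)."""
    return [(e.client, e.trailing) for e in entries if e.trailing and e.trailing != e.client]


def summarize(entries: list[Entry]) -> dict:
    per_ip = Counter(e.client for e in entries)
    return {
        "requests": len(entries),
        "distinct_ips": len(per_ip),
        "max_per_ip": max(per_ip.values(), default=0),   # low value => per-IP limits are useless
        "distinct_user_agents": len(Counter(e.ua for e in entries)),
        "non_global_sources": sorted(non_global_sources(entries)),
        "trailing_mismatches": trailing_mismatches(entries),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run it against the full access.log instead of the embedded sample to get the real per-IP ceiling; if the ceiling stays at two or three requests per address across hundreds of addresses, the limiting key has to be something other than the source IP (a cookie issued after a challenge, or simply not serving un-challenged requests at all), which is where the rest of the thread goes. Addresses flagged as non-global deserve a separate look: a reserved source address in $remote_addr means either the log field is being overwritten from a client-controlled header or the packets are not arriving the way you think they are.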

#2

What's your domain? The requests come from a variety of countries, some of which you seem to challenge, but I couldn't find all of them in your list. At this point it might be best to enable "I'm Under Attack" in the firewall settings for the time being.

However, there might be a chance they circumvent Cloudflare and access your server directly. Are you rewriting IP addresses in Nginx? I noticed you extended your log format, as there is a second IP address at the end of the log line, which appears to match the first entry. Where do you take that value from?


#3

My domain is: https://kisalt.xyz/
I enabled the captcha for these countries, and I didn't post the full access.log file. I already enabled "I'm Under Attack" mode, but bad requests are still coming to my server, and I closed every port; only the Cloudflare IP range is allowed to access my 443 and 80 and other ports. They can't access the direct IP address. They are bypassing challenge mode somehow, but I don't know how :frowning:


Country codes with challenge mode enabled:
AF
AX
AL
DZ
AS
AD
AO
AI
AQ
AG
AR
AM
AW
AU
AT
AZ
BS
BH
BD
BB
BY
BE
BZ
BJ
BM
BT
BO
BQ
BA
BW
BV
BR
IO
BN
BG
BF
BI
KH
CM
CA
CV
KY
CF
TD
CL
CN
CX
CC
CO
KM
CG
CD
CK
CR
CI
HR
CU
CW
CY
CZ
DK
DJ
DM
DO
EC
EG
SV
GQ
ER
EE
ET
FK
FO
FJ
FI
FR
GF
PF
TF
GA
GM
GE
DE
GH
GI
GR
GL
GD
GP
GU
GT
GG
GN
GW
GY
HT
HM
VA
HN
HK
HU
IS
IN
ID
IR
IQ
IE
IM
IL
IT
JM
JP
JE
JO
KZ
KE
KI
KP
KR
KW
KG
LA
LV
LB
LS
LR
LY
LI
LT
LU
MO
MK
MG
MW
MY
MV
ML
MT
MH
MQ
MR
MU
YT
MX
FM
MD
MC
MN
ME
MS
MA
MZ
MM
NA
NR
NP
NL
NC
NZ
NI
NE
NG
NU
NF
MP
NO
OM
PK
PW
PS
PA
PG
PY
PE
PH
PN
PL
PT
PR
QA
RE
RO
RU
RW
BL
SH
KN
LC
MF
PM
VC
WS
SM
ST
SA
SN
RS
SC
SL
SG
SX
SK
SI
SB
SO
ZA
GS
SS
ES
LK
SD
SR
SJ
SZ
SE
CH
SY
TW
TJ
TZ
TH
TL
TG
TK
TO
TT
TN
TR
TM
TC
TV
UG
UA
AE
GB
US
UM
UY
UZ
VU
VE
VN
VG
VI
WF
EH
YE
ZM
ZW
XX


#4

You don't seem to have "Under Attack" mode enabled, but you manually captcha-challenged countries. Most crawlers can't bypass a JavaScript challenge, let alone a captcha one. If they actually bypass it, there should be someone who actually solves these captchas.

I ran a quick check and could not find your origin's IP address, but that does not mean someone else might not have got it some other way and still goes for your server. However, you said you blocked everything but Cloudflare, so that shouldn't be the issue either. My first step would be to verify that it really is blocked.

I presume you wouldn't want to post your IP address publicly here, but you can run a check with your IP address at sitemeer.com and tell me at what time you ran it, so I can fetch it and run further checks.


#5

I was able to bypass the Cloudflare challenge on your domain using a Tor browser. Tor connections are assigned the country code "T1", which is not on your list, so unless you have other rules in place, such as a Firewall Rule using Threat Level, Tor connections may not be challenged. Please add country code "T1" to your challenge list and see if that helps block these visitors. (Of course I can't say whether all your log's IPs are coming from Tor.)


#6

What do you mean by "bypass"? You got a captcha? In that case, T1 should already be configured.


#7

I got to his website page (which has its own captcha) without being stopped by Cloudflare's captcha. I tried several browsers, before and after, and was stopped by Cloudflare on all occasions, except when using the Onion Browser.


#8

All right, so there was no Cloudflare security at all on Tor, right?

In that case T1 should be added too, even though I'd generally advise against the chosen approach anyhow. Better start with "Under Attack" and decide how to continue from there.


#9

Well, I was surprised to learn this recently, as I was (and still am) refining my Firewall Rules and one bot came from country T1, which I had never known about.

The issue with Tor is that, while many evil actors may be hiding behind it, it is also used by journalists, opposition politicians, etc. in repressive regimes to avoid detection of their internet behavior, so Cloudflare is actually right in not considering Tor a threat by default (as it used to, if I'm not mistaken). It's up to each website admin to decide what to do with Tor.


#10

I wouldn't consider Tor a threat either. It is certainly a more "exotic" type of traffic but can be absolutely legitimate.


#11

http://sitemeer.com/ 02:41 - my IP is: 51.15.23*.***


#12

Added Tor, thanks. Going to see; I'm waiting for attacks. :blush:


#13

Got that, but that test alone already showed your server is actually reachable from outside of Cloudflare as well. So the most likely explanation at this point is that these requests bypass Cloudflare.


#14

What if someone is really solving captchas? How can I protect against them? Because I added my own captcha protection and they are still bypassing that. And no, I closed the firewall for testing purposes; normally only Cloudflare can access my direct IP, but currently I'm working on something, so I disabled it because of that.

If you want, I can close it again and test again…


#15

At this point I would not worry about anybody solving captchas yet.

First, make sure your server can only be reached by Cloudflare. Then check if the request flood stops. If it does not, enable "Under Attack" and check again. At that point it should have stopped. If it still hasn't, you need to analyse the situation more thoroughly.


#17

Block all IP addresses on the server except those of Cloudflare, and only allow requests that have a Cf_uid or a Cloudflare header, including the challenge.
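
An added example (not from any post in the thread) that puts the procedure from #15 and the allowlist-plus-header idea from #17 into code. It assumes nothing about the poster's server beyond what the thread states. The Cloudflare IPv4 ranges are copied from https://www.cloudflare.com/ips-v4 at the time of writing; the live list is authoritative, and the IPv6 list at /ips-v6 must be added as well if the origin has an AAAA record. The management network 203.0.113.0/24 used for the SSH rule is a documentation range standing in for whatever you actually administer from. The classifier expects the raw TCP peer address: if nginx's real_ip module is rewriting $remote_addr from CF-Connecting-IP (the question #2 raised), feed it $realip_remote_addr instead, otherwise every line will look like a direct hit.

```python
from __future__ import annotations

import ipaddress
import socket

# Cloudflare's published IPv4 edge ranges, copied from https://www.cloudflare.com/ips-v4
# at the time of writing. Re-fetch before deploying; add the /ips-v6 ranges if the
# origin is reachable over IPv6.
CLOUDFLARE_V4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
_CF_NETS = [ipaddress.ip_network(n) for n in CLOUDFLARE_V4]


def is_cloudflare_edge(ip: str) -> bool:
    """True if the peer address belongs to a published Cloudflare edge range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _CF_NETS)


def classify_peers(peers: list[str]) -> dict[str, list[str]]:
    """Split raw TCP peer addresses into traffic that came through Cloudflare and
    traffic that reached the origin directly.  Anything in 'direct' is a bypass."""
    out: dict[str, list[str]] = {"via_cloudflare": [], "direct": []}
    for p in peers:
        out["via_cloudflare" if is_cloudflare_edge(p) else "direct"].append(p)
    return out


def nft_allowlist(ranges: list[str] = CLOUDFLARE_V4, ports=(80, 443),
                  admin_cidr: str | None = None) -> str:
    """Render an nftables ruleset: web ports only from the given ranges, default drop.
    admin_cidr (assumed; supply your own) keeps SSH reachable from one management
    network so the lockdown does not lock you out."""
    elems = ", ".join(ranges)
    port_set = ", ".join(str(p) for p in ports)
    lines = [
        "table inet cf_only {",
        "    set cloudflare_v4 {",
        "        type ipv4_addr",
        "        flags interval",
        f"        elements = {{ {elems} }}",
        "    }",
        "    chain input {",
        "        type filter hook input priority 0; policy drop;",
        "        iif lo accept",
        "        ct state established,related accept",
        f"        ip saddr @cloudflare_v4 tcp dport {{ {port_set} }} accept",
    ]
    if admin_cidr:
        lines.append(f"        ip saddr {admin_cidr} tcp dport 22 accept")
    lines += ["    }", "}"]
    return "\n".join(lines) + "\n"


def origin_reachable(ip: str, port: int = 443, timeout: float = 3.0) -> bool:
    """Probe the origin from a host that is NOT a Cloudflare edge.  Once the ruleset
    is loaded this must return False; True is the condition #13 inferred from the
    sitemeer test, i.e. the server is still reachable around Cloudflare."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


CF_MARKER_HEADERS = ("CF-Connecting-IP", "CF-RAY")


def has_cloudflare_markers(headers: dict[str, str]) -> bool:
    """The header check from #17.  Only meaningful once the IP allowlist holds:
    a client talking to the origin directly can set these headers itself."""
    present = {k.lower() for k in headers}
    return all(h.lower() in present for h in CF_MARKER_HEADERS)


if __name__ == "__main__":
    print(nft_allowlist(admin_cidr="203.0.113.0/24"))  # documentation range, assumed
    print(classify_peers(["162.158.10.20", "68.183.152.170"]))
```

Load the rendered ruleset with `nft -f`, then run `origin_reachable` from any host outside Cloudflare (a VPS in another provider, or your laptop with Cloudflare's ranges excluded) against the origin address: a False for ports 80 and 443 is the "really is blocked" confirmation #4 asked for. Only after that does a header check add anything; before it, an attacker hitting the origin directly simply sends CF-Connecting-IP and CF-RAY themselves. The nginx counterpart for the real_ip question in #2 is `set_real_ip_from` for each Cloudflare range plus `real_ip_header CF-Connecting-IP;`, which makes $remote_addr the visitor and leaves the edge address in $realip_remote_addr.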


closed #18

This topic was automatically closed after 30 days. New replies are no longer allowed.