Hello! I noticed some strange thing that looks like a bug. To be able to visit my site users must complete captcha challenge first (and I’m sure my firewall settings correct) and it works fine but today my site was under attack and attackers somehow bypass captcha challenge. I attach a screenshot (here is logs for only 1 IP from many thousands) where we can see that cloudflare blocks these requests because the attacker has to complete captcha but… these requests somehow reach my server! I checked nginx logs and I can see the same requests from the same IP at the same time? How is it possible? How do they bypass captcha callenge? I also have to notice that it’s 100% requests through the cloudflare because my iptables rules allow requests only from cloudflare.
Thats a peculiarity of the firewall event log. It still shows requests as challenged, even if had long passed the challenge. In this case it might be the first request was manually solved and all subsequent requests used that very same challenge session.
Thank you for the reply but there were about 2000 unique IPs, and I think it’s impossible to solve captcha for all of them…
Your screenshot only showed one IP address. So you have 2000 IP addresses on you Cloudflare event log and they all reached your server? Keep in mind, they even show up if they dont reach your server.
That’s Digital Ocean same happended to me, In my case I simply blocked DigitalOcean ASN since DigitalOcean doesn’t offer internet connection to end user and also they don´t host any known bot or something
Information for IP address: 18.104.22.168
First IP 22.214.171.124
Last IP 126.96.36.199
AS Number 14061
AS Country code US
AS Description DIGITALOCEAN-ASN - DigitalOcean, LLC
So don´t block Isolated IP block the DigitalOcean ASN if you block singapur for example the it will come from another country but from the same ASN of DigitalOcean
Yes, I block such ASNs after attacks like that (but it’s not the only ASN that was used for that attack). I just don’t understand how they bypass captcha…