toxi
January 20, 2021, 1:08pm
1
Hi!
I have a site where bots are registered in large numbers from the specified ip-addresses and even the registration form on the site does not help. The form on the site is created by hand.
After analyzing these IP addresses through the site 78.154.178.22 | EuroTransTelecom Ltd | AbuseIPDB and 162.158.166.189 | CloudFlare Inc. | AbuseIPDB, it turned out that these addresses belong to Cloudflare:
ISP: Cloudflare Inc.
Usage Type: Content Delivery Network
Domain Name: cloudflare.com
Country: Singapore
City: Singapore, Singapore
In the report about these ip-addresses, you can see that there are users who complain about DDOS from these addresses.
Details:
cloudflare.com - DDoS Malware Target (443:https)
There are several hundred registrations on the site in a short period of time.
Those users are 99.99% likely to be Cloudflare customers who don’t realize that all proxied traffic comes through Cloudflare IP addresses.
Is your site part of a Cloudflare account?
toxi
January 20, 2021, 5:07pm
5
Yes, my site is a CloudFlare account
There were massive fake registrations from these IP addresses yesterday and today:
toxi
January 20, 2021, 7:24pm
8
After configuring nginx according to this instruction, I get an error on the site: 403 Forbidden
fritex
January 21, 2021, 7:58pm
9
In your /etc/nginx/nginx.conf, if not, add or modify it to look like this and you will have the real IP addresses in your access and error log files (if enabled):
http {
    # Keep the first three IPv4 octets (or the first two IPv6 groups) of the client address
    map $remote_addr $ip_anonym1 {
        default 0.0.0;
        "~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" $ip;
        "~(?P<ip>[^:]+:[^:]+):" $ip;
    }
    # Suffix that stands in for the dropped part: .0 for IPv4, :: for IPv6
    map $remote_addr $ip_anonym2 {
        default .0;
        "~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" .0;
        "~(?P<ip>[^:]+:[^:]+):" ::;
    }
    # Join prefix and suffix into the anonymized address used by the log format
    map $ip_anonym1$ip_anonym2 $ip_anonymized {
        default 0.0.0.0;
        "~(?P<ip>.*)" $ip;
    }
    log_format anonymized '$ip_anonymized - $remote_user [$time_local] '
                          '"$request" $status $body_bytes_sent '
                          '"$http_referer" "$http_user_agent"';
    # CloudFlare
    # The real_ip_header value is trusted only for connections from these ranges
    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 103.22.200.0/22;
    set_real_ip_from 103.31.4.0/22;
    set_real_ip_from 104.16.0.0/12;
    set_real_ip_from 108.162.192.0/18;
    set_real_ip_from 131.0.72.0/22;
    set_real_ip_from 141.101.64.0/18;
    set_real_ip_from 162.158.0.0/15;
    set_real_ip_from 172.64.0.0/13;
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 188.114.96.0/20;
    set_real_ip_from 190.93.240.0/20;
    set_real_ip_from 197.234.240.0/22;
    set_real_ip_from 198.41.128.0/17;
    set_real_ip_from 2400:cb00::/32;
    set_real_ip_from 2405:b500::/32;
    set_real_ip_from 2606:4700::/32;
    set_real_ip_from 2803:f800::/32;
    set_real_ip_from 2c0f:f248::/32;
    set_real_ip_from 2a06:98c0::/29;
    real_ip_header CF-Connecting-IP;
    # real_ip_header X-Forwarded-For;
    # other stuff continue ..
} # close the http block
Also, in your iptables (ipv4) and ip6tables (ipv6):
https://support.cloudflare.com/hc/en-us/articles/201897700-Allowing-Cloudflare-IP-addresses
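Added example, not part of the thread and not Cloudflare's or nginx's code: the same trust rule the `set_real_ip_from` / `real_ip_header CF-Connecting-IP` lines express, written out in Python and used to count registrations per restored client address instead of per Cloudflare edge address. The function names, the header dictionary shape and the sample requests are assumptions constructed for illustration; the ranges are the ones listed in the post above.

```python
import ipaddress
from collections import Counter

# Cloudflare ranges as listed in the set_real_ip_from lines of the post above.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/12",
    "108.162.192.0/18", "131.0.72.0/22", "141.101.64.0/18", "162.158.0.0/15",
    "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20", "190.93.240.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "2400:cb00::/32", "2405:b500::/32",
    "2606:4700::/32", "2803:f800::/32", "2c0f:f248::/32", "2a06:98c0::/29",
)]

def is_cloudflare(addr):
    """True if addr (the TCP peer) falls inside one of the listed ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLOUDFLARE_RANGES)

def real_client_ip(peer, headers):
    """Address a request should be attributed to (hypothetical helper)."""
    if not is_cloudflare(peer):
        # Connection did not come through Cloudflare, so the header is
        # whatever the client chose to send: ignore it.
        return peer
    value = headers.get("CF-Connecting-IP", "").strip()
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return peer  # header missing or malformed: fall back to the peer

# Constructed sample: (peer address, request headers) per registration.
SAMPLE_REQUESTS = [
    ("162.158.62.15", {"CF-Connecting-IP": "203.0.113.7"}),
    ("108.162.219.14", {"CF-Connecting-IP": "203.0.113.7"}),
    ("141.101.69.15", {"CF-Connecting-IP": "203.0.113.7"}),
    ("172.68.50.100", {"CF-Connecting-IP": "198.51.100.23"}),
    ("192.0.2.44", {"CF-Connecting-IP": "203.0.113.7"}),   # direct to origin
    ("173.245.52.115", {"CF-Connecting-IP": "not-an-ip"}),  # malformed header
]

def registrations_per_client(requests):
    """Count registrations by restored client address, not by edge address."""
    return Counter(real_client_ip(peer, hdrs) for peer, hdrs in requests)

if __name__ == "__main__":
    for ip, count in registrations_per_client(SAMPLE_REQUESTS).most_common():
        print(f"{ip}\t{count}")
```

Three different edge addresses collapse into one client here, which is the pattern that per-edge-IP logs hide.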
fritex
January 21, 2021, 8:02pm
10
Could it be some DNS amplification?
toxi
January 22, 2021, 8:55pm
11
I still get the error: 403 Forbidden