Cloudflare.com - DDoS Malware Target(443:https)

Hi!

I have a site where bots register in large numbers from the IP addresses listed below, and even the registration form on the site does not help. The form on the site was created by hand.
After checking these IP addresses on https://www.abuseipdb.com/check/78.154.178.22 and https://www.abuseipdb.com/check/162.158.166.189, it turned out that these addresses belong to CloudFlare:

ISP: CloudFlare Inc.
Usage Type: Content Delivery Network
Domain Name: cloudflare.com
Country: Singapore
City: Singapore, Singapore

In the report about these IP addresses, you can see that there are users who complain about DDoS from these addresses.

Details:
cloudflare.com - DDoS Malware Target (443:https)

There are several hundred registrations on the site in a short period of time.

Could you elaborate?


Those users are 99.99% likely to be Cloudflare customers who don’t realize that all proxied (:orange:) traffic comes through Cloudflare IP addresses.

Is your site part of a Cloudflare account?


Yes, my site is on a CloudFlare account.

There were massive fake registrations from these IP addresses yesterday and today:

108.162.219.120
108.162.219.14
108.162.219.162
108.162.219.206
108.162.219.242
108.162.219.48
108.162.219.56
108.162.229.100
108.162.229.108
108.162.229.36
141.101.68.32
141.101.68.46
141.101.68.58
141.101.69.15
141.101.69.215
141.101.69.31
141.101.69.63
141.101.69.75
141.101.69.91
141.101.98.212
141.101.98.240
141.101.99.197
141.101.99.23
141.101.99.231
141.101.99.27
162.158.114.138
162.158.114.146
162.158.114.52
162.158.154.211
162.158.154.213
162.158.154.235
162.158.154.237
162.158.154.25
162.158.154.27
162.158.154.79
162.158.154.81
162.158.155.152
162.158.155.154
162.158.158.139
162.158.158.161
162.158.158.233
162.158.159.48
162.158.159.98
162.158.227.162
162.158.62.117
162.158.62.127
162.158.62.147
162.158.62.15
162.158.62.187
162.158.62.199
162.158.62.43
162.158.62.97
162.158.63.106
162.158.63.116
162.158.63.160
162.158.63.190
162.158.63.42
162.158.63.46
162.158.63.56
162.158.63.74
162.158.63.92
162.158.63.96
172.68.182.30
172.68.238.120
172.68.238.122
172.68.238.132
172.68.238.142
172.68.239.127
172.68.239.137
172.68.239.139
172.68.239.37
172.68.50.100
172.68.50.102
172.68.50.244
172.68.50.48
172.68.50.50
172.68.50.56
172.68.63.113
172.68.88.130
173.245.52.115
173.245.52.181
173.245.52.193
173.245.52.211

You need to configure your server to restore the actual IP addresses of your visitors.
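As an added illustration (my code, not anything from Cloudflare or from the posters in this thread): the check below takes the Cloudflare ranges exactly as they appear in the nginx config posted further down, confirms that addresses from the registration-spam list are Cloudflare edge addresses, and shows the rule that set_real_ip_from plus real_ip_header implement on the server: the CF-Connecting-IP header is believed only when the TCP peer itself is a Cloudflare edge, because a client connecting directly can send any header it likes. The SAMPLE_PEERS list is constructed for the example (five addresses from the post above plus two RFC 5737 documentation addresses for contrast).

```python
import ipaddress
from typing import Iterable, Mapping

# Cloudflare ranges as listed in the nginx config posted in this thread.
# Refresh them from https://www.cloudflare.com/ips/ before relying on them.
CLOUDFLARE_RANGES = [ipaddress.ip_network(c) for c in (
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/12",
    "108.162.192.0/18", "131.0.72.0/22", "141.101.64.0/18", "162.158.0.0/15",
    "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20", "190.93.240.0/20",
    "197.234.240.0/22", "198.41.128.0/17",
    "2400:cb00::/32", "2405:b500::/32", "2606:4700::/32", "2803:f800::/32",
    "2c0f:f248::/32", "2a06:98c0::/29",
)]

# Constructed sample: a few addresses from the registration-spam list in the
# thread, plus two non-Cloudflare documentation addresses (RFC 5737).
SAMPLE_PEERS = [
    "108.162.219.120", "141.101.69.15", "162.158.62.117", "172.68.50.100",
    "173.245.52.115", "198.51.100.9", "203.0.113.7",
]


def is_cloudflare_edge(ip: str) -> bool:
    """True if the address falls inside one of the published Cloudflare ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)


def classify(peers: Iterable[str]) -> dict:
    """Split a list of peer addresses into Cloudflare edges and everything else."""
    result = {"cloudflare": [], "other": []}
    for peer in peers:
        result["cloudflare" if is_cloudflare_edge(peer) else "other"].append(peer)
    return result


def real_client_ip(peer_ip: str, headers: Mapping[str, str]) -> str:
    """Mirror of set_real_ip_from + real_ip_header CF-Connecting-IP.

    The header is trusted only when the TCP peer is a Cloudflare edge; for any
    other peer, or when the header is missing or not an IP address, the peer
    address itself is the client address.
    """
    if not is_cloudflare_edge(peer_ip):
        return peer_ip
    lowered = {k.lower(): v for k, v in headers.items()}
    claimed = lowered.get("cf-connecting-ip")
    if claimed is None:
        return peer_ip
    try:
        ipaddress.ip_address(claimed)
    except ValueError:
        return peer_ip  # garbage in the header: fall back to the peer address
    return claimed


if __name__ == "__main__":
    groups = classify(SAMPLE_PEERS)
    print("cloudflare edges:", groups["cloudflare"])
    print("other peers:     ", groups["other"])
    # Header from a Cloudflare edge is honoured; the same header from a direct peer is not.
    print(real_client_ip("172.68.50.100", {"CF-Connecting-IP": "203.0.113.7"}))
    print(real_client_ip("198.51.100.9", {"CF-Connecting-IP": "203.0.113.7"}))
```

Running it shows every address from the spam list landing in the "cloudflare" group, which is exactly why blocking those addresses would block the proxy rather than the bots; the fix is to recover the client address as real_client_ip does and apply rate limits or bans to that.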


Thanks for the advice


After configuring nginx according to this instruction, I get an error on the site: 403 Forbidden

In your /etc/nginx/nginx.conf, if it is not already there, add or modify the http block to look like this, and you will have the real IP addresses in your access and error log files (if enabled):

http {

    # --- Anonymized access-log format ---------------------------------------
    # $ip_anonym1: the first three IPv4 octets, or the first two IPv6 groups.
    map $remote_addr $ip_anonym1 {
        default 0.0.0;
        "~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" $ip;
        "~(?P<ip>[^:]+:[^:]+):" $ip;
    }

    # $ip_anonym2: the suffix that replaces the dropped part of the address.
    map $remote_addr $ip_anonym2 {
        default .0;
        "~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" .0;
        "~(?P<ip>[^:]+:[^:]+):" ::;
    }

    # $ip_anonymized: the two halves joined, e.g. 203.0.113.0 or 2606:4700::
    map $ip_anonym1$ip_anonym2 $ip_anonymized {
        default 0.0.0.0;
        "~(?P<ip>.*)" $ip;
    }

    # Defining the format is not enough: a log only uses it when an
    # access_log directive names it (access_log <path> anonymized;).
    log_format anonymized '$ip_anonymized - $remote_user [$time_local] '
                          '"$request" $status $body_bytes_sent '
                          '"$http_referer" "$http_user_agent"';

    # --- Restore the real visitor IP behind Cloudflare -----------------------
    # Requires ngx_http_realip_module
    # (check with: nginx -V 2>&1 | grep -o with-http_realip_module).
    # Only peers in these ranges are trusted to set the real-IP header; keep the
    # list in sync with https://www.cloudflare.com/ips/
    # CloudFlare
    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 103.22.200.0/22;
    set_real_ip_from 103.31.4.0/22;
    set_real_ip_from 104.16.0.0/12;
    set_real_ip_from 108.162.192.0/18;
    set_real_ip_from 131.0.72.0/22;
    set_real_ip_from 141.101.64.0/18;
    set_real_ip_from 162.158.0.0/15;
    set_real_ip_from 172.64.0.0/13;
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 188.114.96.0/20;
    set_real_ip_from 190.93.240.0/20;
    set_real_ip_from 197.234.240.0/22;
    set_real_ip_from 198.41.128.0/17;
    set_real_ip_from 2400:cb00::/32;
    set_real_ip_from 2405:b500::/32;
    set_real_ip_from 2606:4700::/32;
    set_real_ip_from 2803:f800::/32;
    set_real_ip_from 2c0f:f248::/32;
    set_real_ip_from 2a06:98c0::/29;

    # Cloudflare puts the original client address in CF-Connecting-IP.
    real_ip_header CF-Connecting-IP;
    # real_ip_header X-Forwarded-For;

    # other stuff continue ..

} # close the http block

Also, in your iptables (ipv4) and ip6tables (ipv6):
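The three map blocks in the nginx config above, reimplemented in Python as an added example (my code, not from the poster or from nginx) so you can see what $ip_anonymized actually produces for IPv4, IPv6 and addresses that match neither regex. The regexes are copied from the config; the log-line formatter follows the log_format anonymized line. Sample addresses are constructed for the example.

```python
import re

# Regexes copied from the two $remote_addr maps in the nginx config above.
# nginx "~" map entries are unanchored, case-sensitive PCRE matches, so
# re.search is the closest Python equivalent.
_V4 = re.compile(r"(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+")
_V6 = re.compile(r"(?P<ip>[^:]+:[^:]+):")


def ip_anonym1(remote_addr: str) -> str:
    """First map: the first three IPv4 octets, or the first two IPv6 groups."""
    m = _V4.search(remote_addr)
    if m:
        return m.group("ip")
    m = _V6.search(remote_addr)
    if m:
        return m.group("ip")
    return "0.0.0"  # map default


def ip_anonym2(remote_addr: str) -> str:
    """Second map: the suffix that replaces the dropped part of the address."""
    if _V4.search(remote_addr):
        return ".0"
    if _V6.search(remote_addr):
        return "::"
    return ".0"  # map default


def ip_anonymized(remote_addr: str) -> str:
    """Third map: join the halves. Because both defaults are non-empty the
    joined string is never empty, so the 0.0.0.0 default of the third map can
    only be reached by the defaults of the first two ("0.0.0" + ".0")."""
    return ip_anonym1(remote_addr) + ip_anonym2(remote_addr)


def anonymized_log_line(remote_addr: str, remote_user: str, time_local: str,
                        request: str, status: int, body_bytes_sent: int,
                        referer: str, user_agent: str) -> str:
    """Format one line the way log_format anonymized does."""
    return (f'{ip_anonymized(remote_addr)} - {remote_user} [{time_local}] '
            f'"{request}" {status} {body_bytes_sent} '
            f'"{referer}" "{user_agent}"')


if __name__ == "__main__":
    # Constructed sample addresses: RFC 5737 IPv4, a Cloudflare-range IPv6, loopback.
    for addr in ("203.0.113.42", "2606:4700:3033::ac43:d1e3", "::1"):
        print(f"{addr:>28} -> {ip_anonymized(addr)}")
    print(anonymized_log_line("203.0.113.42", "-", "01/Jan/2024:00:00:00 +0000",
                              "POST /register HTTP/1.1", 200, 512, "-", "Mozilla/5.0"))
```

Two things worth knowing when reading the output: the realip module rewrites $remote_addr before the log phase runs, so with set_real_ip_from in place the anonymized field is the visitor's network rather than Cloudflare's; and an address the regexes do not understand (such as ::1 here) collapses to 0.0.0.0, which is worth remembering before using this field to group registrations by network.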

Could it be some DNS amplification? :thinking: :roll_eyes:

I still get the error: 403 Forbidden
