Cloudflare doesn't block a bot

#1

I don’t know what to do! Some bot is constantly attacking a checkout form on my website.

I set up firewall rules to block any user with threat rank above 10. But it just doesn’t do anything. Literally there are no firewall events. I’m getting 4 messages per minute from this checkout form, and Cloudflare just doesn’t see it.

0 Likes

#2

Are you sure these requests actually go via Cloudflare and do not hit your server directly?

Can you post a screenshot of your firewall rules and a log excerpt of the requests in question?

0 Likes

#3

Sure! Here is the screenshot of my firewall rule which blocks any user with threat rank above 10.

I’m sorry, I cannot find a log excerpt of the requests. Maybe it’s because my English is bad (it’s not my native language). Where can I find them?

0 Likes

#4

In your log files. And you also need to check the first point I addressed.

0 Likes

#5

First, I just want to say thank you for helping me!
I think I understood you. Here are my logs. Looks bad. But how can I check the first point you addressed?

1 Like

#6

Can’t tell, these might be just regular requests. One thing you immediately notice is you are not rewriting IP addresses, so Cloudflare’s proxy addresses show up. Assuming you have control over the server, you might want to configure mod_remoteip.

However, if these are the requests you are referring to (and there isn’t anything else), it would seem as if the requests came via Cloudflare.

1 Like

#7

Just to check if this is not being triggered, or if it’s just that the attacker has a threat score you’d expect to be higher, have you tried just quickly setting it to block on <11 and seeing if that stops the attacks?

If it does stop them then we know that for some reason this aggressor is not being deemed ‘bad’ by Cloudflare (i.e. has threat score 10 or less), if it doesn’t stop anything then we know for some reason your rule isn’t being triggered at all (and we’d have to look into why).

Personally I always include the ‘Request Method’ so you could also try including that (for GET and POST). I’ve never tested a rule which is just a threat score so whilst that should work, maybe it doesn’t…

0 Likes

#8

Man, thank you for your answer, I’ll try to do that immediately.

0 Likes

#9

So the 172.68.239.205 IP you are seeing belongs to Cloudflare and is not the visitors’ real IP.
See this guide.

0 Likes

#10

It’s a good idea but, unfortunately, my hosting provider doesn’t allow users to have control over the server. So this isn’t an option for me. Do I really need to know all the original IPs to block the attack?

0 Likes

#11

If you block all of Cloudflare’s IPs, you won’t get any traffic.

0 Likes

#12

You don’t need to know the addresses, but it helps. If your provider does not support that, it is not an option anyhow though.

The question still is whether these requests all come via Cloudflare or not. Can you check if all IP addresses in your log file are Cloudflare ones?

0 Likes

#13

You mean, I need to know the original IPs to block them manually via .htaccess file? I’ve tried it before using Cloudflare. The IP changes immediately after it gets blocked.

0 Likes

#14

Ok. I will now check all the IPs.

0 Likes

#15

The image above was the origin log and all the same Cloudflare IPs. Since you have WordPress, do you also run Wordfence?
If you do, go to Wordfence > All Options and select Cloudflare. Also check the Cloudflare Firewall logs and make sure you’re not accidentally blocking the Cloudflare IPs.

1 Like

#16

It’s better to block bad visitors at the Cloudflare Firewall so they don’t get to the origin, but you need to know the right IP. You can also make Cloudflare Firewall rules to block bad bots/people who are trying to access areas like wp-admin etc.

0 Likes

#17

I just checked all the IPs that were in the logs during the attack.
Almost all of them are Cloudflare IPs except this one on the screenshot.

So what do I need to do with that?

0 Likes

#18

I installed Wordfence, did what you told me. Still see Cloudflare IPs in logs.(

0 Likes

#19

Go into the Wordfence logs. If you’ve selected “Use the Cloudflare “CF-Connecting-IP” HTTP header to get a visitor IP. Only use if you’re using Cloudflare” in All Options, you will see the visitor’s IP and user agent there.
Once you find which are the actual bad actors, go back to the Cloudflare Tools https://dash.cloudflare.com/firewall/tools and block IPs, ranges, country or AS.
You can also create Firewall rules https://dash.cloudflare.com/firewall/firewall-rules to block traffic from restricted areas.

1 Like

#20

I’ve tried your method. It blocks the attackers, I can see it in the Cloudflare firewall log. So I think Cloudflare thinks it’s good visitor actions.

0 Likes