Cloudflare under attack mode used to work but today it stops working

Website, Application, Performance Security
1

My domain name is healingthedivide.cc and presently it is suffering from massive ping attacks from (freshpingbots).

It used to block off 100% of the attacks. Today all ■■■■ breaks lose. This is the log file on my ubuntu server.

image
image746×504 88.8 KB

I specially went to the firewall part to filter it (I did not use to need to do that at all).

Images not allowed to upload for new users.

2

Regardless of whether you’re being protected or not, if this attack consists only on the kind of requests you shared, then you can create a WAF rule selecting the condition “User Agent” equals (+https://freshping.io/) and action Block.

3

I have that rule, but it still does not work. This forum does not allow a new user like me to attach multiple screenshots.

Please help.

4

Try changing the operator from equals to contains and only matching this value:

freshping

5

I did that too, but simply cannot. I also have rules to stop IP address, but cannot.

The problem is that it obviously blocks part of the traffic, but not all. Why?

Could the attack be via my true IP address and not Cloudflare ip address?

6

Probably

7

If so, what do I do?!

8

This is my present log

2.42.49.200 - - [12/Jul/2022:19:22:02 +0000] “GET / HTTP/1.0” 500 3082 “-” “FreshpingBot/1.0 (+https://freshping.io/)”
35.173.69.86 - - [12/Jul/2022:19:22:02 +0000] “GET / HTTP/1.0” 500 3082 “-” “FreshpingBot/1.0 (+https://freshping.io/)”
52.42.49.200 - - [12/Jul/2022:19:22:03 +0000] “GET / HTTP/1.0” 500 3082 “-” “FreshpingBot/1.0 (+https://freshping.io/)”
52.42.49.200 - - [12/Jul/2022:19:22:00 +0000] “GET / HTTP/1.0” 301 317 “-” “FreshpingBot/1.0 (+https://freshping.io/)”
52.42.49.200 - - [12/Jul/2022:19:21:58 +0000] “GET / HTTP/1.0” 301 585 “-” “FreshpingBot/1.0 (+https://freshping.io/)”
52.42.49.200 - - [12/Jul/2022:19:22:02 +0000] “GET / HTTP/1.0” 500 3082 “-” “FreshpingBot/1.0 (+https://freshping.io/)”
35.173.69.86 - - [12/Jul/2022:19:21:58 +0000] “GET / HTTP/1.0” 301 585 “-” “FreshpingBot/1.0 (+https://freshping.io/)”
52.42.49.200 - - [12/Jul/2022:19:22:03 +0000] “GET / HTTP/1.0” 500 3082 “-” “FreshpingBot/1.0 (+https://freshping.io/)”
52.42.49.200 - - [12/Jul/2022:19:21:59 +0000] “GET / HTTP/1.0” 301 585 “-” “FreshpingBot/1.0 (+https://freshping.io/)”
52.42.49.200 - - [12/Jul/2022:19:22:03 +0000] “GET / HTTP/1.0” 500 2883 “-” “FreshpingBot/1.0 (+https://freshping.io/)”

9

image
image1091×825 47.9 KB

10
1 Like
11

image
image1091×825 59 KB

12

root@node:/var/log/apache2/domains# iptables -A INPUT -p tcp --dport http,https -j DROP
iptables v1.6.1: invalid port/service http,https' specified Try iptables -h’ or ‘iptables --help’ for more information.
root@node:/var/log/apache2/domains# iptables -A INPUT -p tcp --dport http,https -j DROP
iptables v1.6.1: invalid port/service http,https' specified Try iptables -h’ or ‘iptables --help’ for more information.
root@node:/var/log/apache2/domains#

13

Since the log shows IP addresses not from Cloudflare, does it mean the attack comes from people who knows my real IP address?

14

I notice this

To avoid blocking Cloudflare IP addresses unintentionally, you also want to allow Cloudflare IP addresses at your origin web server.

Is there a simple iptables script I can execute or you would tell me the list of Cloudflare address

15

I tried a legit access from my own computer

165.173.4.145 - - [12/Jul/2022:19:34:07 +0000] “POST /wp-admin/admin-ajax.php HTTP/1.0” 200 809 “https://” “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36”

the log shows my real home address, but not Cloudflare address. How do I get this working?

16

There is a link to the Cloudflare IP addresses in the Cloudflare Docs article @jnperamo shared earlier.

17

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.