My forum is being attacked. I blocked Hong Kong and China but some IP addresses were still able to register.
What is the current SSL/TLS setting?
Flexible
What are the steps to reproduce the issue?
Adding WAF to block Hong Kong and China (see attached screenshots). I did this yesterday and it was working, but it seems the attackers found a way to bypass this, so today I received a lot of member registrations from Hong Kong again. For example, the following IP addresses were not filtered out:
172.71.210.196
162.158.114.175
172.71.214.238
162.158.114.170
162.158.114.117
172.71.214.83
172.71.210.11
162.158.179.64
etc.
I have enabled the “Under attack” mode but would love to hear your advice.
Those are Cloudflare IP addresses from the proxy connecting to your origin. If you see those on your server you can restore visitor IPs to see the true visitor addresses…
Also ensure that your origin is only accessible through Cloudflare to prevent people bypassing it…
You should only use “Full (strict)” or your visitors’ connections are not secured between Cloudflare and your origin.
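The two pieces of advice above (restore the real visitor address, and make sure the origin only accepts traffic coming through Cloudflare) are really one check on the origin: trust the `CF-Connecting-IP` header only when the TCP peer is a Cloudflare edge, and treat any other peer as a direct hit on the origin. The following Python is an added example, not code from this thread or from Cloudflare; the range list is a snapshot copied from Cloudflare's published IPv4 list and must be refreshed from https://www.cloudflare.com/ips-v4 in production, and the sample requests (the 203.0.113.x and 198.51.100.x addresses) are constructed test data.

```python
import ipaddress

# Assumption: snapshot of Cloudflare's published IPv4 edge ranges. Fetch the
# live list (https://www.cloudflare.com/ips-v4) rather than hard-coding it.
CLOUDFLARE_IPV4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in CLOUDFLARE_IPV4]


def is_cloudflare(addr):
    """True if the TCP peer address belongs to a Cloudflare edge range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLOUDFLARE_NETS)


def classify_request(remote_addr, headers):
    """Decide what the origin should do with one request.

    remote_addr: the TCP peer (what the web server logs as the client).
    headers:     request headers (case-insensitive lookup).
    Returns a dict with the visitor IP to log/rate-limit on and an action:
      'allow'  - came through Cloudflare, visitor IP taken from CF-Connecting-IP
      'deny'   - origin hit directly, header (if any) is untrusted and ignored
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if not is_cloudflare(remote_addr):
        # Direct-to-origin traffic bypasses WAF, country rules and Under Attack
        # mode entirely; the header could be forged, so never use it here.
        return {"action": "deny", "visitor_ip": remote_addr, "via": "direct"}

    cf_ip = hdrs.get("cf-connecting-ip")
    if cf_ip is None:
        return {"action": "allow", "visitor_ip": remote_addr, "via": "cloudflare-no-header"}
    ipaddress.ip_address(cf_ip)  # raises ValueError on a malformed header value
    return {"action": "allow", "visitor_ip": cf_ip, "via": "cloudflare"}


# Constructed sample requests. The first two peer addresses are the ones the
# original poster saw in the member list; the visitor addresses are test-net.
SAMPLE_REQUESTS = [
    ("172.71.210.196", {"CF-Connecting-IP": "203.0.113.45"}),
    ("162.158.114.175", {"cf-connecting-ip": "203.0.113.46"}),
    ("198.51.100.7", {"CF-Connecting-IP": "203.0.113.45"}),   # direct hit, forged header
]


def run_samples():
    return [classify_request(peer, h) for peer, h in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (peer, _), result in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{peer:16} -> {result}")
```

Once the origin only allows Cloudflare ranges (or, better, a Cloudflare Tunnel or mTLS to the edge), the `deny` branch is also what a host firewall should enforce before the request reaches the application. Logging `visitor_ip` rather than `remote_addr` is what makes country blocks, rate limits and the forum's own member list reflect the real visitor instead of the Hong Kong datacenter.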
Thank you so much @sjr and @DarkDeviL for your help!
I’m going to put in place all the things you’ve suggested.
Initially I didn’t know what happened, so what I did was make the contents of my forum accessible only to registered members as a test (if you have a better idea please let me know). Then, as expected, there were a lot of registered members from Hong Kong. I can see the IP addresses from the member list (cf. attached screenshot).
Thanks. This explains why I always saw “ISP: Cloudflare Inc. ; Services: Datacenter” in the IP lookup results. But does this also mean that the WAF rule that I set (blocking China and Hong Kong) was bad because I actually only blocked the Cloudflare datacenter in Hong Kong and not the true attackers?
It turns out that blocking Hong Kong was not effective. My forum keeps being attacked even though I:
Activated Under Attack Mode
Switched the SSL setting to “Full (strict)”
Thanks to the “restoring original visitor IPs” feature, I can now see that all the IP addresses are actually from Vietnam. I’m quite impressed that they were able to bypass the Under Attack Mode to register about 30 accounts and scrape the website.
These IP addresses are from Cloudflare’s datacenter in Hong Kong (this was before I installed the “Restoring original visitor IPs” module), so yes they seem to connect through Cloudflare.
Cloudflare already blocked the majority of them I think (cf. attached screenshot), but some of them still went through.