We had a bot probing our site for about 10 hours today (all manner of attempts). All told, something like 600k requests were blocked before we added an IP block to stop them all (approaching 800k requests blocked now, but everything is blocked right now).
For comparison, yesterday we had 98k total requests to the site (only a few hundred tripped up any Firewall rules). In total we’re at about 1.2M requests. Of that we have about 800k blocked, so I can estimate maybe 300k+ (bad bot) requests made it to our origin server.
My questions:
- This IP was blocked in some WAF rules automatically. For example:

  Is there a way to use this as a basis for initiating an IP block? If a single IP is triggering 10k SQL injection attempts (in total Managed rules blocked this IP 169k times today), it’s probably a bad guy… It seems like this should trip something that forces this IP to be blocked, or at a minimum to require a Challenge for some period.
- I set up rate limiting today as a precaution. Is there a better way to handle this situation? This is another added cost which, although not massive, will inch our CF bill higher still.
- I also enabled “Super Bot Fight Mode” today, but it sounds like this should not stay enabled long term? The only thing I enabled was the “Definitely Automated” to use a Managed Challenge. I left Verified bots set to Allow, and left Static resource protection and JS Detection disabled.
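
The escalation asked about in the first question (repeated WAF blocks from one IP leading to a temporary challenge or block) sketched as an added example; it is not part of the original post and not Cloudflare's own logic. The event tuple format, thresholds, penalty period and IP addresses are constructed assumptions, and applying a verdict to the firewall is left out.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# All thresholds are illustrative assumptions, not Cloudflare defaults.
WINDOW = timedelta(minutes=10)   # sliding window for counting WAF blocks
CHALLENGE_AFTER = 50             # blocks in WINDOW before challenging the IP
BLOCK_AFTER = 500                # blocks in WINDOW before blocking the IP
PENALTY = timedelta(hours=1)     # how long a verdict stays active

def evaluate(events):
    """events: (timestamp, client_ip, waf_action) tuples in a constructed format.
    Returns {ip: (verdict, expires_at)}; an active block is never downgraded."""
    recent = defaultdict(deque)  # ip -> timestamps of blocked requests in WINDOW
    verdicts = {}
    for ts, ip, action in sorted(events):
        if action != "block":
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:      # expire hits that left the window
            q.popleft()
        if len(q) >= BLOCK_AFTER:
            verdicts[ip] = ("block", ts + PENALTY)
        elif len(q) >= CHALLENGE_AFTER:
            prev = verdicts.get(ip)
            if not (prev and prev[0] == "block" and prev[1] > ts):
                verdicts[ip] = ("challenge", ts + PENALTY)
    return verdicts

def active(verdicts, now):
    """Drop verdicts whose penalty period has passed."""
    return {ip: v for ip, v in verdicts.items() if v[1] > now}

T0 = datetime(2024, 1, 1, 12, 0, 0)  # constructed start time

def sample_events():
    """Constructed events using documentation-range IPs."""
    ev = [(T0 + timedelta(seconds=i), "203.0.113.7", "block") for i in range(600)]
    ev += [(T0 + timedelta(seconds=5 * i), "198.51.100.20", "block") for i in range(60)]
    ev += [(T0 + timedelta(minutes=i), "192.0.2.5", "block") for i in range(60)]
    ev += [(T0 + timedelta(seconds=i), "192.0.2.9", "allow") for i in range(100)]
    return ev

if __name__ == "__main__":
    for ip, (verdict, expires) in evaluate(sample_events()).items():
        print(ip, verdict, "until", expires.isoformat())
```

The slow source (one blocked request per minute) never reaches the challenge threshold, which is the trade-off of any windowed counter: the window and thresholds decide which behaviour gets escalated.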