DDOS from China Botnet

Hello. My site wotcheats.ru has been under DDoS from China for 2 days.
Security Service, please look.
It looks like a botnet: 1.8K IP addresses.


I turned on a challenge for the country China.
But it didn't calm down and started DDoSing even more.

UserAgent:
Mozilla/5.0(Linux;Android 5.1.1;OPPO A33 Build/LMY47V;wv) AppleWebKit/537.36(KHTML,link Gecko) Version/4.0 Chrome/42.0.2311.138 Mobile Safari/537.36 Mb2345Browser/9.0
Mozilla/5.0(Linux;Android 5.1.1;OPPO A33 Build/LMY47V;wv) AppleWebKit/537.36(KHTML,link Gecko) Version/4.0 Chrome/43.0.2357.121 Mobile Safari/537.36 LieBaoFast/4.51.3
Mozilla/5.0 (Linux; Android 7.0; FRD-AL00 Build/HUAWEIFRD-AL00; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.49 Mobile MQQBrowser/6.2 TBS/043602 Safari/537.36 MicroMessenger/6.5.16.1120 NetType/WIFI Language/zh_CN
Mozilla/5.0(Linux;U;Android 5.1.1;zh-CN;OPPO A33 Build/LMY47V) AppleWebKit/537.36(KHTML,like Gecko) Version/4.0 Chrome/40.0.2214.89 UCBrowser/11.7.0.953 Mobile Safari/537.36

Maybe try using CF Firewall rules for instance

(http.host eq "yourdomain.com" and ip.geoip.country eq "CN" and not cf.client.bot and cf.threat_score gt 10 and cf.threat_score lt 51)

Requests to yourdomain.com from China that are not known CF good bots, with a threat score between 10 and 51, could get a challenge page.

Or combine it with a user agent match (contains "Chrome/4" or "Chrome/5") so those get challenged too, as there's no reason an Android device would be using such old Chrome browser versions (Chrome 4* or 5*).

Then have separate rules for blocking when the threat score is greater than or equal to 51.

Examples I have for China, Pakistan and Russia:

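The rule set described in the reply above, as an added example (not part of the original thread and not Cloudflare's own code), written in Python so it can be checked against constructed sample requests before the real rule is deployed. The `Request` shape, the host `yourdomain.com`, the threat scores and the `known_good_bot` flag (standing in for `cf.client.bot`) are assumptions; the user agents are the ones posted in the thread, the Huawei one trimmed.

```python
import re
from dataclasses import dataclass

# User agents copied from the thread posts (the Huawei one shortened) plus one ordinary desktop browser.
UA_OPPO_CHROME42 = ("Mozilla/5.0(Linux;Android 5.1.1;OPPO A33 Build/LMY47V;wv) AppleWebKit/537.36"
                    "(KHTML,link Gecko) Version/4.0 Chrome/42.0.2311.138 Mobile Safari/537.36 Mb2345Browser/9.0")
UA_HUAWEI_CHROME53 = ("Mozilla/5.0 (Linux; Android 7.0; FRD-AL00 Build/HUAWEIFRD-AL00; wv) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.49 Mobile MQQBrowser/6.2 Safari/537.36")
UA_MAC_FIREFOX = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0"

# Chrome 40-59: the "Chrome/4*" and "Chrome/5*" versions the reply calls implausible on a real Android device.
OLD_ANDROID_CHROME = re.compile(r"Chrome/[45]\d\.")

@dataclass
class Request:                  # assumed request shape; threat_score mirrors cf.threat_score (0-100)
    host: str
    country: str
    user_agent: str
    threat_score: int
    known_good_bot: bool = False  # stands in for cf.client.bot

def decide(req: Request, domain: str = "yourdomain.com") -> str:
    """Return 'block', 'challenge' or 'allow' following the posted rule set.
    The block rule (score >= 51) is evaluated before the two challenge rules."""
    if req.host != domain or req.country != "CN" or req.known_good_bot:
        return "allow"
    if req.threat_score >= 51:
        return "block"
    if 10 < req.threat_score < 51:
        return "challenge"
    if "Android" in req.user_agent and OLD_ANDROID_CHROME.search(req.user_agent):
        return "challenge"
    return "allow"

# Constructed sample traffic; the threat scores are invented for illustration.
SAMPLES = [
    Request("yourdomain.com", "CN", UA_OPPO_CHROME42, 3),     # low score but old Chrome on Android -> challenge
    Request("yourdomain.com", "CN", UA_HUAWEI_CHROME53, 30),  # mid score -> challenge
    Request("yourdomain.com", "CN", UA_OPPO_CHROME42, 75),    # high score -> block
    Request("yourdomain.com", "CN", UA_MAC_FIREFOX, 3),       # desktop Firefox, low score -> allow
    Request("yourdomain.com", "CN", UA_OPPO_CHROME42, 80, known_good_bot=True),  # verified bot -> allow
    Request("yourdomain.com", "RU", UA_OPPO_CHROME42, 60),    # not CN, these rules do not apply -> allow
]

def tally(requests=SAMPLES) -> dict:
    """Count decisions, the way you would dry-run a rule set against a log sample before enabling it."""
    counts = {"block": 0, "challenge": 0, "allow": 0}
    for r in requests:
        counts[decide(r)] += 1
    return counts
```

Running `tally()` over the samples gives one block, two challenges and three allows; swapping in lines from your own firewall event log shows how much legitimate traffic the rule would catch.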

Thanks. Probably better: ip.geoip.country eq "CN" and http.user_agent contains "Android"
I just want Cloudflare to see what it is, so that other users do not find themselves in this situation.
Very aggressive bots, or is it a botnet?

I have a threat score, but all IP addresses from China pass it.

Day 4…
I had to turn on the Challenge.
The JS Challenge did not block all IP addresses.


Botnet testing a new user agent:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0

60.191.38.77 - probably one of the main botnet servers.

mirai botnet…


New User Agent:
Mozilla/5.0 (Linux; U; Android 8.1.0; zh-CN; EML-AL00 Build/HUAWEIEML-AL00) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 baidu.sogo.uc.UCBrowser/11.9.4.974 UWS/2.13.1.48 Mobile Safari/537.36 AliApp(DingTalk/4.5.11) com.alibaba.android.rimet/10487439 Channel/227200 language/zh-CN

It looks like this botnet is owned by Silk Road. But thanks to Cloudflare and a lot of experience, we don't care about them.
Only it is unclear whether they are clogging the channel for the site itself.

Today: 1.09K DDoS IPs.

42.236.10.125 - probably one of the main botnet servers, or an IP for testing user agents.

Already 1.35K DDoS IPs…

Day 5… Everything is as before.


That is today. Thanks to cloudflare.com, we will not be destroyed.


It started after we wrote about the hidden anti-cheat and telemetry in the game World of Tanks: https://wotcheats.ru/index.php?topic=265.0

We think this attack was ordered.
Our site makes cool mods for the game World of Tanks.
We are independent and write news about World of Tanks from our own point of view, so an attack on us was ordered for a lot of money.

crazy

Morning…

Tonight, the DDoS has stopped …
But we are on the alert.
