Excessive jump in traffic to my error page


#1

Pages to my website have the following address:

https://www.example.com/category/page1.html


If part of the link is missing visitors get redirected to the error page.

Checking my Google Analytics, I notice an excessive jump in traffic to my error page, and it shows that the previous pages are for example:

https://www.example.com/category/dish.com


Why am I getting those links? Nowhere on my site has those links.

Should I make any changes to the .htaccess to redirect somewhere else?

Any ideas what is the problem and how to resolve it will be much appreciated.

Thank you

** Someone recommended checking my raw log files, but because of CloudFlare I think the IPs I get are from Cloudflare

****I would like to include more examples but this “Community Program” didn’t let me do it.


#2

Probably bots or crawlers doing some foo.
Have a look at your raw logs, seriously. Maybe you can find some suspicious user agents.

You can also restore the origin IP.

https://support.cloudflare.com/hc/en-us/sections/200805497-Restoring-Visitor-IPs


#3

Nothing I can see on the raw logs.

Do you know any step-by-step on how to restore visitors’ IP address? I’m not using any bulletin boards or WordPress.

I wish CloudFlare had input on this problem or would help me block the bot.


#4

Just watch the blog article. There are how-to’s for all common web servers, forums and CMS


#5

Back again with the same problem. After many attempts, I still can’t figure out how to stop this. I checked the raw logs and, besides 2-3 IPs excessively hitting the site, I still can’t fix the problem.

Is there any way for CloudFlare to stop them? How come CloudFlare has no support for issues like this one?


#6

The HTTP referer header seems to be spoofed by the attacker. Ban those 2-3 IPs.


#7

I have already blocked those IPs but the problem continues. I also created a firewall rule, but nothing, the problem continues. Does CloudFlare have any support at all?


#8

Where did you block those IPs? (In CF firewall or your server’s firewall)


#9

Both actually, CF and htaccess file

Order Allow,Deny
Deny from 66.160.140.0/24
Allow from all


#10

htaccess is not a good place for blocking just based on IPs. Use your server’s firewall for that.

Since HTTP is based on TCP, and TCP starts with a handshake, it is impossible to spoof IP address over HTTP, so if you see the requests in your server log then either CF firewall is not working correctly or your own mechanism. I suspect the latter.

It seems you are using CF to protect your website from malicious requests and after migrating to CF the problem was not resolved, so you added the htaccess rules to allow requests just from your own domain.

Then the attacker found your mechanism of defense and spoofed the referrer header and bypassed your security.

CF firewall doesn’t help you in this case coz bad guys are connecting to your server directly and even with a correctly configured firewall, they can DDoS you with enough resources.
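
Added example, not part of any post in this thread: a short Python script that follows the advice above to read the raw logs with the visitor IP restored. It tallies non-200 requests per visitor and user agent and marks requests that reached the origin without passing through Cloudflare. It assumes the Apache access log uses the combined format with the CF-Connecting-IP header appended as a final quoted field; that log format, the sample lines and the function name `failed_requests` are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: the origin's Apache LogFormat is "combined" with the
# CF-Connecting-IP request header appended as a final quoted field:
#   "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{CF-Connecting-IP}i\""
LINE = re.compile(
    r'(?P<peer>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)" "(?P<visitor>[^"]*)"'
)

# Constructed sample lines using documentation IP ranges, not data from the thread.
SAMPLE = [
    '198.51.100.7 - - [10/Mar/2019:10:00:01 +0000] "GET /category/dish.com HTTP/1.1" '
    '404 512 "-" "ExampleBot/1.0" "203.0.113.5"',
    '198.51.100.7 - - [10/Mar/2019:10:00:02 +0000] "GET /category/foo.net HTTP/1.1" '
    '404 512 "-" "ExampleBot/1.0" "203.0.113.5"',
    '198.51.100.9 - - [10/Mar/2019:10:00:03 +0000] "GET /category/page1.html HTTP/1.1" '
    '200 9120 "https://www.example.com/" "Mozilla/5.0" "203.0.113.77"',
    '192.0.2.44 - - [10/Mar/2019:10:00:04 +0000] "GET /category/dish.com HTTP/1.1" '
    '404 512 "-" "ExampleBot/1.0" "-"',
]

def failed_requests(lines):
    """Count non-200 requests per (visitor IP, user agent, came via proxy?)."""
    hits = Counter()
    for line in lines:
        m = LINE.match(line)
        if m is None or m["status"] == "200":
            continue
        # "-" means the header was absent: the client connected to the
        # origin directly, so the peer address (%h) is the client itself.
        via_proxy = m["visitor"] != "-"
        visitor = m["visitor"] if via_proxy else m["peer"]
        hits[(visitor, m["agent"], via_proxy)] += 1
    return hits

if __name__ == "__main__":
    for (ip, agent, via_proxy), n in failed_requests(SAMPLE).most_common():
        print(f"{n:4d}  {ip:15s}  {'proxied' if via_proxy else 'DIRECT '}  {agent}")
```

The CF-Connecting-IP value is only trustworthy when the peer address is a Cloudflare address, because a client that connects to the origin directly can set that header to anything. Rows marked DIRECT are requests that never passed through the Cloudflare firewall.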

