Firewall rules set to block Russia, but it's still showing a lot of requests

My website was getting attacked by a few countries which I’ve blocked using firewall rules and so far this has worked.
But yesterday I got almost 9 million requests from Russia, despite them being blocked by that firewall rule I set a few months ago.
I have no clue how they managed to do that, and it took my whole server down.
Is there anything else I need to do to get Russia blocked? Apparently someone managed to bypass my country-block firewall rule and I don’t know what else to do to get those requests blocked :confused:

Okay, all were blocked so far?

Did you analyze the Firewall Events log and block them by the AS number?

  • Usually I see mail.ru, yandexbot, some VPNs, especially some probes to php/asp/env files if you have some sub-domains like git, gitlab, etc.

That sounds interesting.

That’s interesting.

Was your origin host / server IP exposed by the A mail / MX records so far?

Do you have some example of the requests?
Maybe you could try tuning and setting up your Firewall rules to not only block by Country (Russia), but rather in some combination, like allowing only port 80 and/or 443, or blocking HTTP/1.0 requests, or empty user-agents, or some strange and known user-agents like crawlers, bots, scanners, etc.

Kindly, I would suggest you look into the two articles below, as they contain plenty of useful information, linked official Cloudflare articles regarding DDoS protection and Security options, and a bunch of good practices, including other posts for bad-bot, port access, etc.:

A full-on Block, or are you issuing a Challenge/CAPTCHA?

Where are you seeing this logged?

My daily avg for unique visitors is around 2.5k.
On Oct. 25 I got 6k, enabled “under attack” mode and waited.
On Oct. 26 I got almost 17k even with “under attack” mode active.
Around 60k requests daily, went to 18mi on 25, and 291.6mi on 26…
When I take a look at the map on analysis/traffic, I have 26 million requests from Russia, another 26 million requests from India, 47 million requests from Indonesia. And those three were supposed to be blocked by a firewall rule.
:confused:

Sure, Cloudflare is getting those requests, but is your server log showing tens of millions of requests getting through?


Do you have any IPs from Russia set to “Allow” or “Bypass” in your firewall rules? If so then that’s the cause, and you need to disable those rules. If not, then this might be a DDoS (Distributed Denial of Service) attack! Do you see the IPs come from 1 location (the same IP sending repeated requests in a short period of time)? Do you see traffic coming from similar IPs in a short period of time? If either of these is true, you may be under a DDoS attack and should activate IUAM (I’m Under Attack Mode) from your Cloudflare dashboard! If it’s not a DDoS attack (and firewall rules aren’t the cause) then set your SSL/TLS security level to “High” to block any threatening visitors within the past 14 days!

This
I have “requests” like this daily, in the hundreds of thousands or more, from Australia, Argentina and Latvia specifically.
They never reach my server and are fully mitigated by CF.
I don’t see them as a problem & just exclude them when looking at my stats.

You are right!
It was my mistake and they were not reaching my server.
That map was only “masking” the real source of the problem: a few million requests from Great Britain/Vietnam/Colombia.
Thanks a lot for the help everyone! :slight_smile:

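The check that resolved this thread (compare what actually reaches the origin with what the Cloudflare traffic map counts) can be scripted. This is an added example, not code from any poster; it assumes an nginx "combined" access log extended with a hypothetical trailing `cf_country="$http_cf_ipcountry"` field that records the CF-IPCountry request header, and it runs on constructed sample lines.

```python
import re
from collections import Counter

# Assumed log format (not from the thread): nginx "combined" plus a trailing
# cf_country="$http_cf_ipcountry" field that records the CF-IPCountry header.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" cf_country="(?P<country>[^"]*)"$'
)
BLOCKED = {"RU", "IN", "ID"}  # countries the thread's firewall rule should block

# Constructed sample log; every address is from a documentation range.
SAMPLE_LOG = """\
198.51.100.7 - - [26/Oct/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" cf_country="GB"
198.51.100.8 - - [26/Oct/2021:10:00:01 +0000] "GET /login HTTP/1.1" 200 733 "-" "Mozilla/5.0" cf_country="GB"
198.51.100.9 - - [26/Oct/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.79" cf_country="VN"
198.51.100.10 - - [26/Oct/2021:10:00:02 +0000] "GET /index.php HTTP/1.1" 404 153 "-" "-" cf_country="CO"
203.0.113.9 - - [26/Oct/2021:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" cf_country="RU"
192.0.2.44 - - [26/Oct/2021:10:00:04 +0000] "GET / HTTP/1.0" 200 512 "-" "-" cf_country="-"
this line is truncated garbage
"""

def summarize(log_text, blocked=BLOCKED):
    """Tally origin hits per country and flag the two cases that matter."""
    per_country = Counter()
    leaked = []   # blocked-country requests that still reached the origin
    direct = []   # no CF-IPCountry header: likely sent straight to the origin IP
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed += 1          # count, do not silently drop, odd lines
            continue
        country = m["country"].upper()
        if country in ("", "-"):   # nginx logs "-" when the header is absent
            direct.append(m["ip"])
            continue
        per_country[country] += 1
        if country in blocked:
            leaked.append((m["ip"], m["request"]))
    return {"per_country": per_country, "leaked": leaked,
            "direct": direct, "unparsed": unparsed}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

An empty `leaked` list on a real log means the country rule is holding and the dashboard map is counting requests Cloudflare already stopped; entries in `direct` point to an exposed origin IP, assuming Cloudflare's IP geolocation header is enabled for the zone.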
