My server has recently been hit very hard by a series of rotating IP addresses each night for the last week or two. The IP addresses change with every request, but they are always in the following pattern:
53.176.*.*, and 53.173.*.*.
I want to set up a CAPTCHA Callenge firewall rule for those IP ranges, but how can I properly notate them when I fill the form in my Firewall Rules?
Greetings,
I am sorry to hear you are experiencing an attack recently.
Thank you for asking.
As far as I know, I am afraid this is currently not possible.
May I suggest you to use IP range instead within the CIDR format notation.
Or block the whole network by detemining the AS number from the IPs (if you see them in Firewall Events) or by using some online tool:
That’s basically what I’m trying to do… but how do I notate the ranges appropriately when setting up the firewall rule?
Seems like they are from AS31399 - Daimler AG?
You can challenge each of the request by selecting AS Num from the drodown using “equals” operator and entering 31399.
Otherwise, if IP Source Address using “is in” operator, then entering the IP ranges by using the CIDR notation, for example like 53.176.50.1/24.
Weird – why would I be getting attacked from a car company’s network?
I’ll try the AS Num thing, thanks! Will see if those IPs appear in my access logs tomorrow.
Otherwise, if
IP Source Addressusing “is in” operator, then entering the IP ranges by using the CIDR notation, for example like53.176.50.1/24.
For CIDR notation, am I only able to use a “range” for the fourth section of the IP address, and not for the third section?
I am not sure.
Yep, it’s also weird they have 16mil IPs (nowadays for each car in their “AI self-driven” network maybe?) 
May I ask you to check below article to learn how to configure to log your visitor’s original IP address based on your origin web server type (including Apache, nginx, Microsoft IIS, and others) while using Cloudflare proxy 
:
Thanks for your help. I am also going to try this:
52.176.0.0/16 and 52.173.0.0/16
All together I should have things covered… Will update tomorrow if it happens again.
This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.