Help! Blocked because of IPS Attack?

Been seeing this error for a couple of days on a (free) Cloudflare site. Web host points to ISP, ISP points to Cloudflare, I have no idea. It seems to happen intermittently, sometimes on all pages of the site, sometimes just one or two, sometimes it’s fine on Chrome but not Safari or Firefox and vice versa.

The URL is in the attached screenshot.

The web host (Network Solutions) suggests that it’s malware and recommends Sitelock for $200/month. Really?

I deleted the entire site from the server and re-published so I don’t think it’s malware, but I have no idea what to do next. CF is in Developer Mode at the moment, if that matters.

Thank you for any suggestions.

2 Likes

That message is not generated by Cloudflare. Nobody else is claiming responsibility for it? Judging from an Internet search, it’s most likely coming from your ISP (or corporate network).

2 Likes

Thanks for your reply. My ISP (Verizon) says it has nothing to do with them, as it is apparently also showing up for users of other ISPs as well. The web host is not exactly denying responsibility, but they have no solution other than to buy Sitelock. Which of course comes with no guarantees.

Is there any setting in Cloudflare which might mitigate this attack or at least provide more information?

That’s a guilty look.

Without knowing what that message really means, I don’t think there’s anything Cloudflare can do. I suspect that your host thinks traffic from Cloudflare is suspicious because it all comes from a limited set of IP addresses. In this case, there’s nothing Cloudflare can do when your host blocks traffic.
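The effect suspected in the post above, as an added example that is not part of the original thread: behind a proxy, every visitor reaches the origin from a handful of Cloudflare edge addresses, so a per-source request counter (an assumption about how the blocking device counts) trips on the edges unless the visitor address from the `CF-Connecting-IP` header is restored for trusted peers. The log format, threshold and sample addresses are constructed, and the range list is only a subset of Cloudflare's published ranges.

```python
import ipaddress
from collections import Counter

# Subset of Cloudflare's published IPv4 ranges (snapshot; refresh from
# https://www.cloudflare.com/ips/ before relying on it).
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "141.101.64.0/18",
    "108.162.192.0/18", "162.158.0.0/15", "104.16.0.0/13", "172.64.0.0/13",
)]

# Constructed origin log: "<tcp_peer_ip> <CF-Connecting-IP or -> <path>".
# Six visitors arrive via two edges; one direct client spoofs the header.
SAMPLE_LOG = (
    [f"162.158.10.5 198.51.100.{i} /" for i in (1, 2, 3)] * 2
    + [f"172.64.20.9 203.0.113.{i} /about" for i in (1, 2, 3)] * 2
    + [f"192.0.2.77 198.51.100.{i} /login" for i in range(1, 6)]
)

def is_cloudflare(ip):
    """True if the address falls inside one of the listed edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_NETS)

def parse(line):
    """Split one constructed log line into (peer, visitor-or-None, path)."""
    peer, visitor, path = line.split()
    return peer, (None if visitor == "-" else visitor), path

def effective_client(peer, visitor):
    # Trust CF-Connecting-IP only when the TCP peer is a Cloudflare edge;
    # from any other peer the header is client-controlled and is ignored.
    if visitor and is_cloudflare(peer):
        return visitor
    return peer

def flagged(lines, threshold, restore_visitor):
    """Return the sources whose request count exceeds the threshold."""
    counts = Counter()
    for line in lines:
        peer, visitor, _ = parse(line)
        key = effective_client(peer, visitor) if restore_visitor else peer
        counts[key] += 1
    return sorted(ip for ip, n in counts.items() if n > threshold)

if __name__ == "__main__":
    print("counting by TCP peer:   ", flagged(SAMPLE_LOG, 4, False))
    print("counting by real client:", flagged(SAMPLE_LOG, 4, True))
```

Counting by TCP peer flags both edge addresses along with the noisy direct client; counting by restored visitor address flags only the direct client.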

Haha, agreed. But it doesn’t seem like anything the host is doing intentionally, that they can turn on and turn off. I’ll call them again tomorrow. Thanks for your help.

2 Likes

I seem to be having the same issue as you, also with Network Solutions, and it appears to have started today. They refuse to even look at the situation, saying that Cloudflare is hosting the nameserver. Have you had any luck?

Hi, Justin.

No luck at all. I started with NetSol who sent me to Verizon (ISP) who sent me to Cloudflare. Tomorrow I will start all over at NetSol. It’s helpful to know that mine is not the only site there with this issue.

They seemed to believe that my site is infected with some vague malware and offered me a subscription to Sitelock that might or might not fix it. They said that they don’t have a team dealing with security issues, they have delegated it to the Sitelock software.

I might temporarily restore the NetSol DNS to see whether that in fact addresses the issue. I would be surprised if it does. Then I’ll have SSL issues instead!

Good luck!

That message looks like it is coming from a FortiGate device. Somebody in the path is running one.

If you pause Cloudflare, does the issue persist?

If it does, then the issue is definitely with your hosting provider.

If the issue goes away, I can think of two potential causes. The first is that Cloudflare are inserting that message, but that is not the case. The second is that your hosting provider is blocking traffic from Cloudflare’s network.

2 Likes

@sdayman You were right about the web host. The error message has been slightly modified and seems to me to indicate that Network Solutions (part of web.com) is in fact responsible.

I’m sorry, I don’t know what FortiGate is. I’ll try to look into the other issues, thank you.

1 Like

I am also experiencing the exact same problem, and “pausing” as well as purging the cache of the Cloudflare site will fix the issue. Enabling the Cloudflare site will cause this problem to return, so I am on the fence about who is actually at fault (Cloudflare or Network Solutions)?

It’s definitely Network Solutions. They now have a Tier 1 team looking at this as they have many clients impacted. I have a ticket # and hope to hear from them tomorrow. Good luck.

2 Likes

@bonnietessler - thanks for the update, and please provide an update on this issue once you get a response from NetworkSolutions on your ticket. I have also opened a ticket with NetworkSolutions, and am waiting for their update / response to this issue.

Wow, can’t believe I found you two having the exact same issue as we are. In my experimentation, if I put the site in Development Mode, I’m able to get the site working. Otherwise, we are having this issue, even after purging cache. It also appears to be different depending on where in the world the site is being loaded. A developer in Europe gets most of the site and has access to the back end whereas the client in the US can barely use the site at all.

I too have submitted a ticket with Network Solutions. I have to say that they have been incredibly terrible at answering tickets but they are great on the phone. I just got off the phone with them (well, Web.com) and they said that everything looks perfect on their end. The support tech hadn’t ever seen Cloudflare proxying the IP address before so I’m not sure how much he knew about Cloudflare CDNs but he didn’t notice any attacks or anything awry on his end. Additionally, when a DoS attack happens on a Network Solutions site, this page does not show; he was unfamiliar with the text and said the error should look different if it’s coming from their servers. What was also unhelpful was that their support tech was unable to replicate the issue.

So that means this has to be on the Cloudflare side because when I enable development mode, the site works perfectly, and Network Solutions neither has this error page when there are issues with their servers nor do they detect any issues on their end.

Yes it’s puzzling about development mode but I think when I disable that I lose my CF SSL so the site doesn’t work for that reason.

Had a long call with NetSol this morning. Turns out they are also having a WordPress-specific issue and were very confused that my site isn’t WP. Finally, after speaking to an engineer, the customer service representative was able to locate my issue and learned that it is widespread and there is a global team from NetSol working on it.

The original error message is slightly modified to refer explicitly to a DoS attack. I provided my IP address as requested and hopefully they now have the right people on the right issue.

1 Like

Did you check the TLS configuration and what protocol does it have?

@bonnietessler and @user8145 - thanks for your feedback on this issue. It does appear to me (no confirmation from either NetSol or Cloudflare) that NetSol is flagging traffic from Cloudflare as a DoS attack, and their security system/infrastructure is causing our problem(s). Yes, enabling developer mode or pausing the Cloudflare site will remove one of the nice features (SSL) offered by Cloudflare, and could break your site / site functionality. Hopefully NetSol will solve and address this problem quickly - on my side I am fortunate that my site(s) can continue to operate without Cloudflare, but it will be great when all is working as before (leveraging all the good features/functionality offered by CF).

Dev Mode only disables optimization (Cache, minification, Rocket Loader, and other static resources). Not security, so you still have SSL, Firewall, etc.

@sdayman - in my case I had to disable the CF site…the problem was still existing when only enabling developer mode, and thanks for confirming that developer mode only disables optimization, but all other features are still active.

Do you think the issue will go away if we switch to a different web host?

Is your WordPress sending or being used as a DDoS so they put CHMOD rules or blocked ingress/egress traffic to your Website/Web server?
If so, they should clean it up first … then you could add measures to secure and protect your Website, and then, if not already, point to Cloudflare to protect from, for example, DDoS.
Not vice-versa, to protect you while your Website is being used as DDoS service too alongside with others in their network?