[HELP] Spamming my /dologin.php and Cloudflare doesn't stop them anymore

Hello,

I have a big problem. I bought the Cloudflare firewall because 3 months ago I was getting visitor spam on my WHMCS dologin.php path… I added a captcha, but it still didn’t work… so I added Cloudflare and mitigated the attack.
Now… I don’t know how, but they are bypassing my Cloudflare. I’m getting 100% CPU usage again, they are spamming www.mydomain.info/billing/dologin.php and the website is crashing every minute.
I also cannot block their IP manually because they change IP with every action. I don’t know how to fix it now… I solved it by adding Cloudflare… but now…

They have your IP address. Change it, keep it secret and set a firewall on your server to drop all incoming traffic except from the CF network.

1 Like
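The origin-side lockdown described in the reply above, as an added example that is not code from the thread: a small Python helper that checks whether a source address belongs to Cloudflare's published ranges, lists connections that reached the origin's web ports directly, and renders an nftables ruleset that accepts 80/443 only from those ranges. The range list is a partial hand-copied subset (assumption: refresh it from https://www.cloudflare.com/ips/ before deploying), and the connection records and admin address are constructed sample data.

```python
"""Origin lockdown helper: once the origin IP is changed, only Cloudflare's edge
(and the admin) should be able to reach it; everything else is dropped."""
import ipaddress

# Partial, hand-copied subset of Cloudflare's published IPv4 ranges.
# Assumption: illustrative only; refresh from https://www.cloudflare.com/ips/ before use.
CLOUDFLARE_V4 = [
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13",
    "172.64.0.0/13", "162.158.0.0/15", "198.41.128.0/17",
]
CF_NETS = [ipaddress.ip_network(cidr) for cidr in CLOUDFLARE_V4]

# Constructed sample of (source_ip, destination_port) tuples as a host firewall
# or connection log might show them. 198.51.100.7 reaches the web ports directly.
SAMPLE_CONNECTIONS = [
    ("172.64.1.5", 443),     # Cloudflare edge
    ("198.51.100.7", 443),   # direct hit, bypassing Cloudflare
    ("198.51.100.7", 80),
    ("104.16.3.3", 80),      # Cloudflare edge
    ("203.0.113.10", 22),    # admin SSH, not a web port
]


def is_cloudflare(ip: str) -> bool:
    """True if ip falls inside one of the Cloudflare ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CF_NETS)


def direct_hits(connections):
    """Sorted list of source IPs that reached 80/443 without passing through Cloudflare.
    Any entry here means the origin address is known to someone outside Cloudflare."""
    return sorted({ip for ip, port in connections
                   if port in (80, 443) and not is_cloudflare(ip)})


def nft_ruleset(admin_cidr: str = "203.0.113.10/32") -> str:
    """Render an nftables ruleset: web ports only from Cloudflare, SSH only from
    admin_cidr (constructed placeholder), default drop for the rest."""
    elements = ", ".join(CLOUDFLARE_V4)
    return (
        "table inet origin_lockdown {\n"
        f"  set cloudflare {{ type ipv4_addr; flags interval; elements = {{ {elements} }} }}\n"
        "  chain input {\n"
        "    type filter hook input priority 0; policy drop;\n"
        "    iif lo accept\n"
        "    ct state established,related accept\n"
        "    ip saddr @cloudflare tcp dport { 80, 443 } accept\n"
        f"    ip saddr {admin_cidr} tcp dport 22 accept\n"
        "  }\n"
        "}\n"
    )


if __name__ == "__main__":
    print("direct hits:", direct_hits(SAMPLE_CONNECTIONS))
    print(nft_ruleset())
```

Cloudflare also publishes IPv6 ranges, which need a matching `ip6 saddr` set if the origin has an IPv6 address; and, as the reply says, the lockdown only helps once the origin IP itself has been changed, since the attacker already holds the old one.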

@Xaq they’re getting a jsChallenge but it doesn’t stop them

I added a captcha

So you set jsChallenge and see their fingerprint in the firewall log?

They are using a browser-like client. Changing jsChallenge to Captcha is a workaround until you find more patterns to use in the firewall.

@Xaq look at the screenshot, if I block that IP they change it again in 5 minutes and again… the same story

What can I do to solve it?

That’s my firewall rule:

This is why it is called a DDoS. You should analyze the details and find patterns, for example in the URL they are requesting or in the User-Agent, although that is not always possible.

1 Like
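Pattern hunting of the kind @Xaq recommends, as an added example that is not part of the thread: a Python script that parses combined-format access log lines (constructed sample data below), profiles POSTs to /billing/dologin.php per source IP and per User-Agent, and turns a User-Agent shared across many distinct addresses into a candidate challenge expression. The login path is taken from the thread; the rule field names `http.request.uri.path` and `http.user_agent` and the `min_ips` threshold are assumptions, and the output is a starting point only, since a User-Agent is trivially changed by the attacker.

```python
import re
from collections import Counter, defaultdict

# Combined Log Format: ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

LOGIN_PATH = "/billing/dologin.php"

# Constructed sample: four addresses share one User-Agent and hammer the login
# endpoint while rotating IPs; two ordinary visitors use different browsers.
BOT_UA = "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/89.0"
FF_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/86.0"
SAMPLE_LOG = [
    f'198.51.100.11 - - [10/Mar/2021:10:00:01 +0000] "POST {LOGIN_PATH} HTTP/1.1" 200 512 "-" "{BOT_UA}"',
    f'198.51.100.12 - - [10/Mar/2021:10:00:02 +0000] "POST {LOGIN_PATH} HTTP/1.1" 200 512 "-" "{BOT_UA}"',
    f'198.51.100.13 - - [10/Mar/2021:10:00:03 +0000] "POST {LOGIN_PATH} HTTP/1.1" 200 512 "-" "{BOT_UA}"',
    f'198.51.100.11 - - [10/Mar/2021:10:00:04 +0000] "POST {LOGIN_PATH} HTTP/1.1" 200 512 "-" "{BOT_UA}"',
    f'198.51.100.14 - - [10/Mar/2021:10:00:05 +0000] "POST {LOGIN_PATH} HTTP/1.1" 200 512 "-" "{BOT_UA}"',
    f'203.0.113.5 - - [10/Mar/2021:10:00:06 +0000] "POST {LOGIN_PATH} HTTP/1.1" 302 0 "-" "{FF_UA}"',
    '203.0.113.6 - - [10/Mar/2021:10:00:07 +0000] "GET /billing/clientarea.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Macintosh) Safari/14.0"',
]


def parse(line):
    """Return the named fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def login_profile(lines, path=LOGIN_PATH):
    """Summarise POSTs to the login endpoint: volume per IP, volume per User-Agent,
    and how many distinct IPs share each User-Agent (the signal that survives IP rotation)."""
    posts = [r for r in map(parse, lines)
             if r and r["method"] == "POST" and r["path"] == path]
    ips_per_ua = defaultdict(set)
    for r in posts:
        ips_per_ua[r["ua"]].add(r["ip"])
    return {
        "total": len(posts),
        "per_ip": Counter(r["ip"] for r in posts),
        "per_ua": Counter(r["ua"] for r in posts),
        "ips_per_ua": {ua: len(ips) for ua, ips in ips_per_ua.items()},
    }


def suggest_rule(profile, path=LOGIN_PATH, min_ips=3):
    """A User-Agent seen from min_ips or more distinct addresses on the login endpoint
    is a candidate botnet fingerprint; render it as a challenge expression.
    Field names are assumed for illustration; None if nothing crosses the threshold."""
    shared = sorted(ua for ua, n in profile["ips_per_ua"].items() if n >= min_ips)
    if not shared:
        return None
    ua_clauses = " or ".join(f'http.user_agent eq "{ua}"' for ua in shared)
    return f'(http.request.uri.path eq "{path}" and ({ua_clauses}))'


if __name__ == "__main__":
    prof = login_profile(SAMPLE_LOG)
    print("login POSTs:", prof["total"], "busiest IPs:", prof["per_ip"].most_common(3))
    print("candidate rule:", suggest_rule(prof))
```

Run it over a real log export to see which User-Agents, paths or query strings are shared across the rotating addresses; a rule built from a shared fingerprint is what lets the firewall act before the request reaches WHMCS and burns CPU, whereas per-IP blocks chase a target that moves every few minutes.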

@Xaq I’m not an expert in this sector, can I add you on Skype or maybe can we talk in private? I need someone that can fix that :\

I’m not authorized CF staff (just a user like you) and you should not trust random people. From your story I can tell the attacker(s) are serious about conducting a layer 7 attack with the ability to bypass jsChallenge (that needs more resources) against you, so ask support and they may provide such a service.

1 Like

@Xaq meh, I’m pretty new here, how can I contact them directly? Everything redirects me to this community :\

Log in to your account and click on this link.

Do you think that if I change the VPS IP I can resolve that? And should I delete the MX record? Is that how they can see my IP?

Yes. The MX record reveals your IP indirectly (attackers find out you are using myiptvitalia.info and ask it for your IP, the same as CF does).

You may want to add the lower() function to your rule, so that:

http.host eq "example.com"

becomes

lower(http.host) eq "example.com"

This will prevent them from bypassing the rule by requesting EXAMPLE.COM.

Also, that IP is from an ISP in South Africa. If that is not part of your site’s main market, you may want to add a Block rule for countries (check every IP that has been added to this attack and check their country). If it is part of your main market, then use Challenge:

(ip.geoip.country in {"ZA" "UA"}) then Challenge.

A better alternative, if your market is mostly local, would be to challenge every country except your own:

(ip.geoip.country ne "IT" and not cf.client.bot)

As @Xaq said, it’s important to find patterns that identify the botnet behind the attack, and act accordingly.

1 Like

This topic was automatically closed after 30 days. New replies are no longer allowed.