Hostname rule question

I think I have a poorly written firewall rule, and I am unsure how to correct it. The rule is intended to block traffic from two specific hosts:

(http.host contains "secureserver.net") or (http.host contains "vultr.com")

There is generally a prefix prior to the hostname in the hack attempts.

A sample complete host name is a2plcpnl0867.prod.iad2.secureserver.net, but the first string often changes.

Suggestions?

Thanks!

Chris

http.host is the request for the host name on your side (so this would let you write a rule based on subdomains being accessed).

I’m not clear if there are any rules that work on reverse DNS, but I would actually be slightly surprised as reverse DNS is not available in real-time during a request (it can be, but DNS isn’t always instant, and reverse DNS can’t be pre-cached). Maybe with workers?

http.host is your hostname (domain). If you’re trying to block everyone from secureserver.net or vultr.com, you should use an AS number instead.

https://www.ultratools.com/tools/asnInfo

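As an added illustration (not part of the thread), here is the original expression beside an ASN-based one in Cloudflare's firewall expression syntax. `http.host` is the Host header the visitor requests, i.e. one of your own hostnames, so the first form never matches a visitor coming from a secureserver.net or vultr.com server; `ip.geoip.asnum` (now also available as `ip.src.asnum`) is the autonomous system of the connecting client IP. The two AS numbers are placeholders; look up the real values with the ASN tool linked above, and the labels above each expression are explanatory text, not part of the rule language.

```text
Original rule (tests the requested Host header, so it only fires when someone asks your zone for a secureserver.net or vultr.com name):
(http.host contains "secureserver.net") or (http.host contains "vultr.com")

ASN-based rule (tests which network the client IP belongs to; replace the placeholders with the numeric ASNs, e.g. {12345 67890}):
(ip.geoip.asnum in {<GODADDY_ASN> <VULTR_ASN>})
```

Blocking by ASN also covers every other customer of those hosting providers, so pair it with a challenge action rather than a hard block if legitimate visitors may share those networks.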

You’re getting traffic FROM godaddy (secureserver.net) ?

Yep. It appears to be a single, very motivated individual. They have had no luck, but I would obviously like to shut them down.

You should probably alert godaddy about their malicious actions.

Thank you for that advice. I just wrote an ASN block rule. We’ll see if that stops my “friend.”
