I think I have a poorly written firewall rule, and I am unsure how to correct it. The rule is intended to block traffic from two specific hosts:
(http.host contains "secureserver.net") or (http.host contains "vultr.com")
There is generally a prefix prior to the hostname in the hack attempts.
A sample complete host name is a2plcpnl0867.prod.iad2.secureserver.net, but the first string often changes.
http.host is the request for the host name on your side (so this would let you write a rule based on subdomains being accessed).
I’m not clear if there are any rules that work on reverse DNS, but I would actually be slightly surprised as reverse DNS is not available in real-time during a request (it can be, but DNS isn’t always instant, and reverse DNS can’t be pre-cached). Maybe with workers?
http.host is your hostname (domain). If you’re trying to block everyone from secureserver.net or vultr.com, you should use an AS number instead.
You’re getting traffic FROM godaddy (
Yep. It appears to be a single, very motivated individual. They have had no luck, but I would obviously like to shut them down.
You should probably alert godaddy about their malicious actions.
Thank you for that advice. I just wrote an ASN block rule. We’ll see if that stops my “friend.”
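Added example (not from the thread or from Cloudflare): a small Python model of the two rule styles discussed above, showing why a rule on http.host can only match the hostname being requested on your own zone, while an ASN rule matches the client's source network. Field names mirror Cloudflare's expression fields (http.host, ip.src, ip.geoip.asnum); the AS numbers, addresses and hostnames are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Placeholder AS numbers (RFC 5398 documentation range), standing in for the
# hosting providers' real ASNs, which you would look up before writing the rule.
HOSTING_ASNS_TO_BLOCK = {64500, 64501}


@dataclass
class Request:
    http_host: str                  # Host header: which of YOUR hostnames was requested
    ip_src: str                     # client address
    ip_geoip_asnum: int             # AS number the edge resolves for the client address
    client_rdns: Optional[str] = None  # PTR name of the client IP; not a rule field at all


def original_rule(req: Request) -> bool:
    """The thread's rule: (http.host contains "secureserver.net") or
    (http.host contains "vultr.com"). It inspects the requested hostname only."""
    return "secureserver.net" in req.http_host or "vultr.com" in req.http_host


def asn_rule(req: Request) -> bool:
    """Source-network rule, equivalent to: ip.geoip.asnum in {<asn> <asn>}."""
    return req.ip_geoip_asnum in HOSTING_ASNS_TO_BLOCK


def subdomain_rule(req: Request) -> bool:
    """What http.host is actually good for: matching one of your own subdomains."""
    return req.http_host.startswith("staging.")


def evaluate(requests: List[Request]) -> List[Tuple[str, bool, bool]]:
    """Return (client ip, original rule hit, asn rule hit) for each request."""
    return [(r.ip_src, original_rule(r), asn_rule(r)) for r in requests]


# Constructed sample: the first request comes from a hosting-provider address whose
# reverse DNS looks like the thread's example, yet it requests example.com, so the
# string "secureserver.net" never appears in http.host.
SAMPLE = [
    Request("example.com", "203.0.113.7", 64500, "a2plcpnl0867.prod.iad2.secureserver.net"),
    Request("example.com", "198.51.100.9", 64502),            # visitor on another network
    Request("staging.example.com", "198.51.100.10", 64502),   # your own subdomain
]

if __name__ == "__main__":
    for ip, orig_hit, asn_hit in evaluate(SAMPLE):
        print(f"{ip}: original_rule={orig_hit} asn_rule={asn_hit}")
```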