We’re being attacked from different IP addresses with bad URLs, flooding the site metrics with 404 errors. The requests are formatted something like: /papers/c3BhY2UtdH
What steps have you taken to resolve the issue?
I’ve located and banned 7 IPs so far, but they’ve moved on to new IP addresses and new strings. (If they kept the same strings, I would create redirects for them and dump them to another site to get better metrics, but they are changing the URL strings.)
What methods, if any, are available to block these going forward?
I’d consider checking the details by clicking on each of the Security Events to determine from which ASN the attacks are coming.
From there, I would create a list and block the whole ASN at Security → WAF → Tools → IP Access Rules.
Do you have any other WAF Custom Rules active for protection as well?
How about other settings such as Browser Integrity Check, Bot Fight Mode, etc.?
If I may add here as a really good reference for further cases in terms of security and protection with Cloudflare:
Nevertheless, consider blocking some of the known “bad user-agents”, “crawlers” or “bad ASNs” using the posts below:
You’re on HTTP? I’d reconsider this and make sure I am using HTTPS.
Thanks for the reply. I need to be a bit careful, as there are quite a few subdomains, so I don’t want to break the other sites. I’m creating a “honeypot” site to try redirecting the ~20 URLs they’ve used so far, so perhaps I can collect data on these specifically.
I will look through those other articles and see what else I need to add to get this under control.
I did make the bot fight settings more strict, but will try one stage at a time.
Just block; don’t bother with that and don’t handle those requests at the origin. Leverage Cloudflare’s systems for protection. Keep monitoring and take care.
It would be easier if the subdomain was broken out on Cloudflare… I might have to look at that if this gets worse. I cranked up the bot rules some more, will see what it looks like in the morning.
Like a working one, but not the real one, where the request would go to the origin?
Sure, you can play and experiment with it.
Create a new DNS record such as A ssh or A gitlab, pointed to a temporary IP address like 192.0.2.1 and proxied.
I bet you’d see quite a lot of requests coming in, from which you could do research, track and trace, monitor and block particular ASNs, create WAF Custom Rules, improve existing ones, and more.
Your IP address is not pointed to Cloudflare for your main domain, so Cloudflare is just providing DNS services. None of their other features apply. Read the link @fritex provided along with all getting started guides if you are interested in using Cloudflare protections to protect your website.
At the moment, it’s only a proxy, and I’m not on an enterprise plan just yet, though I’m planning to explore that option soon.
From my testing last night, it seems like I could potentially block some of these requests by improving user agent detection, but that would also be part of an enterprise solution.
I’m still trying to understand why the attacker keeps targeting that one malformed URL, especially since they’re hammering it repeatedly.