How should I deal with 404 error attacks?

What is the name of the domain?

csps.aerospace.org

What is the issue you’re encountering

We’re being attacked from different IP addresses with bad URLs, flooding the site metrics with 404 errors. The requests are formatted something like: /papers/c3BhY2UtdH

What steps have you taken to resolve the issue?

I’ve located and banned 7 IPs so far, but they’ve moved onto new IP addresses and new strings. (If they kept the same strings, I would create redirects for them and dump them to another site to get better metrics, but they are changing the URL strings).

What methods are available to block these going forward? if anything?

What is the current SSL/TLS setting?

Off

1 Like

I’d consider checking the details by clicking on each of the Security Events to determine from which ASN the attacks are coming.

Therefrom, I would create a list and block the whole ASN at Security → WAF → Tools → IP Access Rules.

Have you got any other Custom Rules for WAF as well active for protection?
How about other settings such as Browser Integrity Check, Bot Fight Mode, etc.?

If I may add here as a really good reference for further cases in terms of security and protection with Cloudflare:

Nevertheless, consider blocking some of the known “bad user-agents”, “crawlers” or “bad ASNs” using below posts:

You’re on HTTP? I’d reconsider this and make sure I am using HTTPS.

3 Likes
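The situation described above (banned IPs replaced by new IPs and new strings) can be confirmed from origin logs by grouping 404s by path shape rather than by client. This is an added example, not part of the original thread; the log lines, tokens and the token heuristic are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in combined log format: documentation-range IPs, made-up tokens.
SAMPLE_LOG = '''\
192.0.2.10 - - [01/Jan/2024:00:00:01 +0000] "GET /papers/QWJjZGVmZ2hpag HTTP/1.1" 404 153 "-" "-"
192.0.2.10 - - [01/Jan/2024:00:00:02 +0000] "GET /papers/QWJjZGVmZ2hpag HTTP/1.1" 404 153 "-" "-"
198.51.100.7 - - [01/Jan/2024:00:05:10 +0000] "GET /papers/WHl6MTIzNDU2Nzg HTTP/1.1" 404 153 "-" "-"
203.0.113.44 - - [01/Jan/2024:00:09:31 +0000] "GET /papers/TG9yZW1JcHN1bTE?x=1 HTTP/1.1" 404 153 "-" "-"
203.0.113.90 - - [01/Jan/2024:00:12:00 +0000] "GET /papers/UGxhY2Vob2xkZXI HTTP/1.1" 404 153 "-" "-"
198.51.100.23 - - [01/Jan/2024:00:13:00 +0000] "GET /papers/space-policy-primer HTTP/1.1" 200 9001 "-" "-"
198.51.100.23 - - [01/Jan/2024:00:13:05 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "-"
'''

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')
TOKEN_CHARS = re.compile(r'^[A-Za-z0-9+/_=-]{10,}$')

def looks_like_token(segment):
    """Heuristic (assumption): long, mixed-case, no extension -> opaque token, not a slug."""
    return bool(TOKEN_CHARS.match(segment)) and segment != segment.lower() \
        and segment != segment.upper()

def path_shape(path):
    """Collapse token-like segments so rotating strings map to one shape."""
    segments = path.split('?', 1)[0].split('/')
    return '/'.join('<token>' if looks_like_token(s) else s for s in segments)

def summarize_404s(log_text):
    stats = defaultdict(lambda: {'hits': 0, 'ips': set(), 'paths': set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != '404':
            continue
        ip, path = m.group(1), m.group(2)
        entry = stats[path_shape(path)]
        entry['hits'] += 1
        entry['ips'].add(ip)
        entry['paths'].add(path.split('?', 1)[0])
    return stats

def campaigns(log_text, min_ips=3):
    """Shapes whose 404s come from at least min_ips distinct clients."""
    return sorted((shape, s['hits'], len(s['ips']), len(s['paths']))
                  for shape, s in summarize_404s(log_text).items()
                  if len(s['ips']) >= min_ips)

if __name__ == '__main__':
    for shape, hits, ips, paths in campaigns(SAMPLE_LOG):
        print(f'{shape}: {hits} hits, {ips} IPs, {paths} distinct paths')
```

A shape that collects many distinct clients and many distinct paths is the pattern to write a rule against, since per-IP bans will keep lagging behind the rotation.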

Thanks for the reply. I need to be a bit careful, as there are quite a few subdomains, so I don’t want to break the other sites. I’m creating a “honeypot” site to try redirecting the ~20 URLs they’ve used so far, so perhaps I can collect data on these specifically.

I will look through those other articles and see what else I need to add to get this under control.

I did make the bot fight settings more strict, but will try one stage at a time.

SSL is on… :smiley:

2 Likes

Just block, don’t bother with that and don’t handle those requests at the origin, leverage Cloudflare’s systems to protect. Keep monitoring and take care :wink:

I agree and understand.

1 Like

It would be easier if the subdomain was broken out on Cloudflare… I might have to look at that if this gets worse. I cranked up the bot rules some more, will see what it looks like in the morning.

Like a working one, but not the real one to which the request would be going to the origin? :smiley: :thinking:

Sure, you can play and experiment with it :slight_smile:

Create a new DNS record such as A ssh or A gitlab, pointed to the temporary IP address like 192.0.2.1 and proxied :orange: .

I bet you’d see quite a lot of requests coming in, from which you could do research, track & trace, monitor and block particular ASN, create Custom Rules for WAF, improve existing ones and more :wink:

1 Like

Your IP address is not pointed to Cloudflare for your main domain, so Cloudflare is just providing DNS services. None of their other features apply. Read the link @fritex provided along with all getting started guides if you are interested in using Cloudflare protections to protect your website.

2 Likes

It is, but it’s proxy only, and I’m not on an enterprise account (yet). Going to look into that.

From my test last night I can probably block some of these with better user agent detection, but that’s enterprise as well. :smiley:

I’m still curious as to why the attacker tries that sort of malformed URL… and hits the same one over and over again.

1 Like

csps.aerospace.org resolves to a Fastly IP address as does the root domain. Cloudflare security features will not apply to either host.


At the moment, it’s only a proxy, and I’m not on an enterprise plan just yet, though I’m planning to explore that option soon.

From my testing last night, it seems like I could potentially block some of these requests by improving user agent detection, but that would also be part of an enterprise solution.

I’m still trying to understand why the attacker keeps targeting that one malformed URL, especially since they’re hammering it repeatedly.
