How to block a broad spectrum vulnerability probe but keep good bots like Google, Yahoo, Bing?

Scott_Developer · November 7, 2018, 12:50pm

We see some bad IP addresses that will ping us say 2-5 times a second for HOURS, trying to find a vulnerability. For example, it will in the same second send POST requests to uuu.php, sss.php, 1.php, 2.php, core.php, qaz.php, core.php, sha.php, ppx.php, config.php, config1.php. Basically throwing the kitchen sink at our server.

Or maybe this is a DDoS attack that is just trying to overwhelm our server with meaningless requests?

How do we block these requests?

It has been going on for days and Cloudflare does not block it.

One option we’ve considered is setting a WAF rule (we have the Enterprise plan) to block any visitor who sends requests more than say 3x in a second. If so, is there an easy way to still allow legitimate search indexing from Google, Bing and Yahoo?

sandro · November 7, 2018, 12:53pm

Can you post a few server log entries of those requests?

Scott_Developer · November 7, 2018, 4:25pm

Yes. Here is a sample from our server log.
It’s all 1 IP address hitting us thousands of times.
ReverseIP lookup shows the IP address belongs to the netname of “TencentCloud” in China.
Cloudflare isn’t blocking it.

119.27.166.152 - - [06/Nov/2018:05:44:53 -0500] “PROPFIND / HTTP/1.1” 301 531 “-” “-”
119.27.166.152 - - [06/Nov/2018:05:44:54 -0500] “GET /webdav/ HTTP/1.1” 301 545 “-” “Mozilla/5.0”
119.27.166.152 - - [06/Nov/2018:05:44:54 -0500] “GET /help.php HTTP/1.1” 301 584 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:44:57 -0500] “GET /java.php HTTP/1.1” 301 583 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:44:57 -0500] “GET /query.php HTTP/1.1" 301 587 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:44:58 -0500] “GET /test.php HTTP/1.1” 301 583 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:44:58 -0500] “GET /db_cts.php HTTP/1.1” 301 587 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:44:58 -0500] “GET /db_pma.php HTTP/1.1” 301 587 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:01 -0500] “GET /logon.php HTTP/1.1” 301 585 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:01 -0500] “GET /help-e.php HTTP/1.1” 301 587 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:02 -0500] “GET /license.php HTTP/1.1” 301 589 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:03 -0500] “GET /log.php HTTP/1.1” 301 581 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:05 -0500] “GET /■■■■.php HTTP/1.1” 301 583 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:05 -0500] “GET /pmd_online.php HTTP/1.1” 301 595 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:06 -0500] “GET /x.php HTTP/1.1” 301 577 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:09 -0500] “GET /shell.php HTTP/1.1” 301 585 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:09 -0500] “GET /htdocs.php HTTP/1.1” 301 587 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:10 -0500] “GET /desktop.ini.php HTTP/1.1” 301 597 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:10 -0500] “GET /z.php HTTP/1.1” 301 577 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:11 -0500] “GET /lala.php HTTP/1.1” 301 583 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:13 -0500] “GET /lala-dpr.php HTTP/1.1” 301 591 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:13 -0500] “GET /wpo.php HTTP/1.1” 301 581 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:14 -0500] “GET /text.php HTTP/1.1” 301 583 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:14 -0500] “GET /wp-config.php HTTP/1.1” 301 593 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:16 -0500] “GET /muhstik.php HTTP/1.1” 301 589 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:17 -0500] “GET /muhstik2.php HTTP/1.1” 301 591 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:17 -0500] “GET /muhstiks.php HTTP/1.1” 301 591 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:18 -0500] “GET /muhstik-dpr.php HTTP/1.1” 301 597 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:18 -0500] “GET /lol.php HTTP/1.1” 301 581 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:18 -0500] “GET /uploader.php HTTP/1.1” 301 591 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:19 -0500] “GET /cmd.php HTTP/1.1” 301 581 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:21 -0500] “GET /cmx.php HTTP/1.1” 301 581 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:21 -0500] “GET /cmv.php HTTP/1.1” 301 581 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:22 -0500] “GET /cmdd.php HTTP/1.1” 301 583 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:22 -0500] “GET /knal.php HTTP/1.1” 301 583 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:22 -0500] “GET /cmd.php HTTP/1.1” 301 581 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:25 -0500] “GET /shell.php HTTP/1.1” 301 585 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:25 -0500] “GET /appserv.php HTTP/1.1” 301 589 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:25 -0500] “GET /scripts/setup.php HTTP/1.1” 301 601 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:26 -0500] “GET /phpmyadmin/scripts/setup.php HTTP/1.1” 301 623 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:26 -0500] “GET /phpMyAdmin/scripts/setup.php HTTP/1.1” 301 623 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:28 -0500] "GET /phpmyadmin/scripts/db__.init.php HTTP/1.1” 301 633 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:29 -0500] “GET /phpMyAdmin/scripts/db___.init.php HTTP/1.1” 301 633 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:29 -0500] “GET /plugins/weathermap/editor.php HTTP/1.1” 301 625 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:29 -0500] “GET /cacti/plugins/weathermap/editor.php HTTP/1.1” 301 637 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:37 -0500] “POST /wuwu11.php HTTP/1.1” 301 588 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:45:53 -0500] “POST /xw.php HTTP/1.1” 301 580 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:46:04 -0500] “POST /xw1.php HTTP/1.1” 301 582 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:47:13 -0500] “POST /xx.php HTTP/1.1” 301 580 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:47:29 -0500] “POST /s.php HTTP/1.1” 301 578 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:47:53 -0500] “POST /w.php HTTP/1.1” 301 578 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:47:57 -0500] “POST /sheep.php HTTP/1.1” 301 585 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:48:09 -0500] “POST /qaq.php HTTP/1.1” 301 582 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:48:38 -0500] “POST /db.init.php HTTP/1.1” 301 590 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:49:17 -0500] “POST /db__.init.php HTTP/1.1” 301 594 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:49:26 -0500] “POST /wp-admins.php HTTP/1.1” 301 594 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:49:38 -0500] “POST /m.php?pbid=open HTTP/1.1” 301 598 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:51:06 -0500] “POST /db_desql.php HTTP/1.1” 301 592 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:51:18 -0500] “POST /mx.php HTTP/1.1” 301 580 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:51:35 -0500] “POST /wshell.php HTTP/1.1” 301 588 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:51:42 -0500] “POST /xshell.php HTTP/1.1” 301 588 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:51:45 -0500] “POST /qq.php HTTP/1.1” 301 579 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:51:49 -0500] “POST /conflg.php HTTP/1.1” 301 587 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:52:42 -0500] “POST /phpstudy.php HTTP/1.1” 301 592 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:53:13 -0500] “POST /phpStudy.php HTTP/1.1” 301 592 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:53:21 -0500] “POST /weixiao.php HTTP/1.1” 301 590 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:53:37 -0500] “POST /feixiang.php HTTP/1.1” 301 592 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:53:58 -0500] “POST /ak47.php HTTP/1.1” 301 584 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:54:10 -0500] “POST /ak48.php HTTP/1.1” 301 584 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:54:21 -0500] “POST /xiao.php HTTP/1.1” 301 584 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:54:32 -0500] “POST /yao.php HTTP/1.1” 301 582 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:54:42 -0500] “POST /defect.php HTTP/1.1” 301 588 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:54:53 -0500] “POST /webslee.php HTTP/1.1” 301 590 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:55:04 -0500] “POST /q.php HTTP/1.1” 301 578 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:55:34 -0500] “POST /pe.php HTTP/1.1” 301 580 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:55:45 -0500] “POST /hm.php HTTP/1.1” 301 580 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:55:53 -0500] “POST /cainiao.php HTTP/1.1” 301 590 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:56:05 -0500] “POST /zuoshou.php HTTP/1.1” 301 590 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:56:47 -0500] “POST /aotu.php HTTP/1.1” 301 584 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:57:06 -0500] “POST /cmd.php HTTP/1.1” 301 582 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:57:22 -0500] “POST /bak.php HTTP/1.1” 301 582 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:57:38 -0500] “POST /system.php HTTP/1.1” 301 588 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:58:01 -0500] “POST /l6.php HTTP/1.1” 301 580 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:58:12 -0500] “POST /l7.php HTTP/1.1” 301 580 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:58:24 -0500] “POST /l8.php HTTP/1.1” 301 580 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:58:35 -0500] “POST /q.php HTTP/1.1” 301 578 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:58:46 -0500] “POST /56.php HTTP/1.1” 301 580 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:58:56 -0500] “POST /mz.php HTTP/1.1” 301 580 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:59:22 -0500] “POST /yumo.php HTTP/1.1” 301 584 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:59:25 -0500] “POST /min.php HTTP/1.1” 301 581 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:59:26 -0500] “POST /wan.php HTTP/1.1” 301 581 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:59:41 -0500] “POST /wanan.php HTTP/1.1” 301 586 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:06:00:18 -0500] “POST /ssaa.php HTTP/1.1” 301 584 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:06:00:38 -0500] “POST /qq.php HTTP/1.1” 301 580 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:06:01:25 -0500] “POST /12.php HTTP/1.1” 301 580 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:06:01:42 -0500] “POST /hh.php HTTP/1.1” 301 580 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:06:02:01 -0500] “POST /ip.php HTTP/1.1” 301 580 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:06:02:12 -0500] “POST /infoo.php HTTP/1.1” 301 586 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:06:02:24 -0500] “POST /qq.php HTTP/1.1” 301 580 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:06:02:35 -0500] “POST /qwe.php HTTP/1.1” 301 582 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:06:02:44 -0500] “POST /1213.php HTTP/1.1” 301 584 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”

Withheld · November 7, 2018, 4:45pm

You can just block that IP or AS45090 If you don’t do business in China.

sandro · November 7, 2018, 4:49pm

In this case I’d simply block that specific IP address.

Scott_Developer · November 7, 2018, 5:05pm

Thanks for the advice!

Yes, we’ve now blocked that IP address.

We’ve also blocked all traffic from China and India.

But the IP addresses doing similar attacks change day-to-day.

For instance today it is 2605:9880:400:68:225:90ff:fe47:aadc. That’s in Florida in the US. Another is 172.56.22.180 in Washington State in the US.

Does Cloudflare have an automated way of recognizing these sort of attacks, no matter which IP address, and blocking them? Otherwise we have to recognize that our server is slow, then search our server access logs, then block them in Cloudflare. It’s like it’s 1999.

sandro · November 7, 2018, 5:07pm

In that case an IP or country block is relatively pointless.

Alternatively you could block by user agent for example. In this case neither Firefox 31 nor IE 8 are really common anymore.

Withheld · November 7, 2018, 5:33pm

Agreed and also with the OP of blocking after x amount of 404s

Scott_Developer · November 7, 2018, 7:04pm

How do you set up a rule in Cloudflare to block after x number of 404s? The 404s are given by our server, not Cloudflare. How would Cloudflare know that our server is returning 404s?

Withheld · November 7, 2018, 7:44pm

That would have to be a server side firewall.

system · December 7, 2018, 12:50pm

This topic was automatically closed after 30 days. New replies are no longer allowed.

Topic		Replies	Views
Cloudflare not preventing fake requests Security dash-troubleshooting	14	3072	August 23, 2019
Attack or scraping? - Newbie requests help with serious issue Security dash-getting-started , dash-troubleshooting	2	2795	March 26, 2018
Googlebot Runs Through Cloudflare IP Addresses? DNS & Network dns , dash-getting-started , dash-errors , dash-troubleshooting	43	6911	January 14, 2019
Whitelisting IPs General dash-getting-started	9	8466	June 18, 2021
500,000 requests by one IP address over 18-hr period. How can we prevent this? Security	5	2156	March 14, 2021

How to block a broad spectrum vulnerability probe but keep good bots like Google, Yahoo, Bing?

Related topics