How to block a broad spectrum vulnerability probe but keep good bots like Google, Yahoo, Bing?


#1

We see some bad IP addresses that will ping us say 2-5 times a second for HOURS, trying to find a vulnerability. For example, it will in the same second send POST requests to uuu.php, sss.php, 1.php, 2.php, core.php, qaz.php, core.php, sha.php, ppx.php, config.php, config1.php. Basically throwing the kitchen sink at our server.

Or maybe this is a DDoS attack that is just trying to overwhelm our server with meaningless requests?

How do we block these requests?

It has been going on for days and Cloudflare does not block it.

One option we’ve considered is setting a WAF rule (we have the Enterprise plan) to block any visitor who sends requests more than say 3x in a second. If so, is there an easy way to still allow legitimate search indexing from Google, Bing and Yahoo?


#2

Can you post a few server log entries of those requests?


#3

Yes. Here is a sample from our server log.
It’s all 1 IP address hitting us thousands of times.
ReverseIP lookup shows the IP address belongs to the netname of “TencentCloud” in China.
Cloudflare isn’t blocking it.

119.27.166.152 - - [06/Nov/2018:05:44:53 -0500] “PROPFIND / HTTP/1.1” 301 531 “-” “-”
119.27.166.152 - - [06/Nov/2018:05:44:54 -0500] “GET /webdav/ HTTP/1.1” 301 545 “-” “Mozilla/5.0”
119.27.166.152 - - [06/Nov/2018:05:44:54 -0500] “GET /help.php HTTP/1.1” 301 584 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:44:57 -0500] “GET /java.php HTTP/1.1” 301 583 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:44:57 -0500] “GET /query.php HTTP/1.1" 301 587 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:44:58 -0500] “GET /test.php HTTP/1.1” 301 583 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:44:58 -0500] “GET /db_cts.php HTTP/1.1” 301 587 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:44:58 -0500] “GET /db_pma.php HTTP/1.1” 301 587 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:01 -0500] “GET /logon.php HTTP/1.1” 301 585 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:01 -0500] “GET /help-e.php HTTP/1.1” 301 587 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:02 -0500] “GET /license.php HTTP/1.1” 301 589 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:03 -0500] “GET /log.php HTTP/1.1” 301 581 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:05 -0500] “GET /hell.php HTTP/1.1” 301 583 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:05 -0500] “GET /pmd_online.php HTTP/1.1” 301 595 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:06 -0500] “GET /x.php HTTP/1.1” 301 577 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:09 -0500] “GET /shell.php HTTP/1.1” 301 585 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:09 -0500] “GET /htdocs.php HTTP/1.1” 301 587 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:10 -0500] “GET /desktop.ini.php HTTP/1.1” 301 597 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:10 -0500] “GET /z.php HTTP/1.1” 301 577 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:11 -0500] “GET /lala.php HTTP/1.1” 301 583 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:13 -0500] “GET /lala-dpr.php HTTP/1.1” 301 591 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:13 -0500] “GET /wpo.php HTTP/1.1” 301 581 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:14 -0500] “GET /text.php HTTP/1.1” 301 583 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:14 -0500] “GET /wp-config.php HTTP/1.1” 301 593 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:16 -0500] “GET /muhstik.php HTTP/1.1” 301 589 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:17 -0500] “GET /muhstik2.php HTTP/1.1” 301 591 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:17 -0500] “GET /muhstiks.php HTTP/1.1” 301 591 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:18 -0500] “GET /muhstik-dpr.php HTTP/1.1” 301 597 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:18 -0500] “GET /lol.php HTTP/1.1” 301 581 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:18 -0500] “GET /uploader.php HTTP/1.1” 301 591 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:19 -0500] “GET /cmd.php HTTP/1.1” 301 581 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:21 -0500] “GET /cmx.php HTTP/1.1” 301 581 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:21 -0500] “GET /cmv.php HTTP/1.1” 301 581 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:22 -0500] “GET /cmdd.php HTTP/1.1” 301 583 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:22 -0500] “GET /knal.php HTTP/1.1” 301 583 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:22 -0500] “GET /cmd.php HTTP/1.1” 301 581 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:25 -0500] “GET /shell.php HTTP/1.1” 301 585 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:25 -0500] “GET /appserv.php HTTP/1.1” 301 589 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:25 -0500] “GET /scripts/setup.php HTTP/1.1” 301 601 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:26 -0500] “GET /phpmyadmin/scripts/setup.php HTTP/1.1” 301 623 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:26 -0500] “GET /phpMyAdmin/scripts/setup.php HTTP/1.1” 301 623 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:28 -0500] "GET /phpmyadmin/scripts/db__.init.php HTTP/1.1” 301 633 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:29 -0500] “GET /phpMyAdmin/scripts/db___.init.php HTTP/1.1” 301 633 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:29 -0500] “GET /plugins/weathermap/editor.php HTTP/1.1” 301 625 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:29 -0500] “GET /cacti/plugins/weathermap/editor.php HTTP/1.1” 301 637 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)”
119.27.166.152 - - [06/Nov/2018:05:45:37 -0500] “POST /wuwu11.php HTTP/1.1” 301 588 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:45:53 -0500] “POST /xw.php HTTP/1.1” 301 580 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:46:04 -0500] “POST /xw1.php HTTP/1.1” 301 582 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:47:13 -0500] “POST /xx.php HTTP/1.1” 301 580 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:47:29 -0500] “POST /s.php HTTP/1.1” 301 578 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:47:53 -0500] “POST /w.php HTTP/1.1” 301 578 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:47:57 -0500] “POST /sheep.php HTTP/1.1” 301 585 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:48:09 -0500] “POST /qaq.php HTTP/1.1” 301 582 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:48:38 -0500] “POST /db.init.php HTTP/1.1” 301 590 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:49:17 -0500] “POST /db__.init.php HTTP/1.1” 301 594 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:49:26 -0500] “POST /wp-admins.php HTTP/1.1” 301 594 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:49:38 -0500] “POST /m.php?pbid=open HTTP/1.1” 301 598 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:51:06 -0500] “POST /db_desql.php HTTP/1.1” 301 592 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:51:18 -0500] “POST /mx.php HTTP/1.1” 301 580 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:51:35 -0500] “POST /wshell.php HTTP/1.1” 301 588 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:51:42 -0500] “POST /xshell.php HTTP/1.1” 301 588 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:51:45 -0500] “POST /qq.php HTTP/1.1” 301 579 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:51:49 -0500] “POST /conflg.php HTTP/1.1” 301 587 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:52:42 -0500] “POST /phpstudy.php HTTP/1.1” 301 592 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:53:13 -0500] “POST /phpStudy.php HTTP/1.1” 301 592 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:53:21 -0500] “POST /weixiao.php HTTP/1.1” 301 590 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:53:37 -0500] “POST /feixiang.php HTTP/1.1” 301 592 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:53:58 -0500] “POST /ak47.php HTTP/1.1” 301 584 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:54:10 -0500] “POST /ak48.php HTTP/1.1” 301 584 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:54:21 -0500] “POST /xiao.php HTTP/1.1” 301 584 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:54:32 -0500] “POST /yao.php HTTP/1.1” 301 582 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:54:42 -0500] “POST /defect.php HTTP/1.1” 301 588 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:54:53 -0500] “POST /webslee.php HTTP/1.1” 301 590 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:55:04 -0500] “POST /q.php HTTP/1.1” 301 578 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:55:34 -0500] “POST /pe.php HTTP/1.1” 301 580 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:55:45 -0500] “POST /hm.php HTTP/1.1” 301 580 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:55:53 -0500] “POST /cainiao.php HTTP/1.1” 301 590 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:56:05 -0500] “POST /zuoshou.php HTTP/1.1” 301 590 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:56:47 -0500] “POST /aotu.php HTTP/1.1” 301 584 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:57:06 -0500] “POST /cmd.php HTTP/1.1” 301 582 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:57:22 -0500] “POST /bak.php HTTP/1.1” 301 582 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:57:38 -0500] “POST /system.php HTTP/1.1” 301 588 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:58:01 -0500] “POST /l6.php HTTP/1.1” 301 580 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:58:12 -0500] “POST /l7.php HTTP/1.1” 301 580 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:58:24 -0500] “POST /l8.php HTTP/1.1” 301 580 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:58:35 -0500] “POST /q.php HTTP/1.1” 301 578 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:58:46 -0500] “POST /56.php HTTP/1.1” 301 580 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:58:56 -0500] “POST /mz.php HTTP/1.1” 301 580 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:59:22 -0500] “POST /yumo.php HTTP/1.1” 301 584 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:59:25 -0500] “POST /min.php HTTP/1.1” 301 581 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:59:26 -0500] “POST /wan.php HTTP/1.1” 301 581 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:05:59:41 -0500] “POST /wanan.php HTTP/1.1” 301 586 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:06:00:18 -0500] “POST /ssaa.php HTTP/1.1” 301 584 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:06:00:38 -0500] “POST /qq.php HTTP/1.1” 301 580 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:06:01:25 -0500] “POST /12.php HTTP/1.1” 301 580 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:06:01:42 -0500] “POST /hh.php HTTP/1.1” 301 580 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:06:02:01 -0500] “POST /ip.php HTTP/1.1” 301 580 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:06:02:12 -0500] “POST /infoo.php HTTP/1.1” 301 586 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:06:02:24 -0500] “POST /qq.php HTTP/1.1” 301 580 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:06:02:35 -0500] “POST /qwe.php HTTP/1.1” 301 582 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”
119.27.166.152 - - [06/Nov/2018:06:02:44 -0500] “POST /1213.php HTTP/1.1” 301 584 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/31.0”


#4

You can just block that IP or AS45090 if you don’t do business in China.

https://www.abuseipdb.com/whois/119.27.166.152


#5

In this case I’d simply block that specific IP address.


#7

Thanks for the advice!

Yes, we’ve now blocked that IP address.

We’ve also blocked all traffic from China and India.

But the IP addresses doing similar attacks change day-to-day.

For instance today it is 2605:9880:400:68:225:90ff:fe47:aadc. That’s in Florida in the US. Another is 172.56.22.180 in Washington State in the US.

Does Cloudflare have an automated way of recognizing these sort of attacks, no matter which IP address, and blocking them? Otherwise we have to recognize that our server is slow, then search our server access logs, then block them in Cloudflare. It’s like it’s 1999.


#8

In that case an IP or country block is relatively pointless.

Alternatively, you could block by user agent, for example. In this case neither Firefox 31 nor IE 8 is really common anymore.


#9

Agreed and also with the OP of blocking after x amount of 404s


#10

How do you set up a rule in Cloudflare to block after x number of 404s? The 404s are given by our server, not Cloudflare. How would Cloudflare know that our server is returning 404s?


#11

That would have to be a server side firewall.
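
An added example, not part of any post in this thread: a sketch of the server-side check discussed above, which flags any IP that collects more than a set number of 404s inside a time window while exempting search crawlers verified by reverse and forward DNS. The threshold, window, function names, and sample log lines are assumptions; the crawler host suffixes are the ones Google, Bing, and Yahoo document for verifying their bots.

```python
import re
import socket
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: ip, timestamp, quoted request line, status code.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"[^"]*" (?P<status>\d{3}) ')
# Reverse-DNS suffixes the search engines publish for verifying their crawlers.
CRAWLER_SUFFIXES = (".googlebot.com", ".google.com", ".search.msn.com",
                    ".crawl.yahoo.net")

def is_verified_crawler(ip, reverse=None, forward=None):
    """True if the PTR name is a crawler host that resolves back to the same IP."""
    reverse = reverse or (lambda a: socket.gethostbyaddr(a)[0])
    forward = forward or (lambda h: {ai[4][0] for ai in socket.getaddrinfo(h, None)})
    try:
        host = reverse(ip)
        return host.endswith(CRAWLER_SUFFIXES) and ip in forward(host)
    except OSError:  # no PTR record or lookup failure: treat as unverified
        return False

def find_probers(lines, max_404=10, window=timedelta(seconds=60),
                 is_crawler=is_verified_crawler):
    """Return {ip: time it exceeded max_404 not-found responses within window}."""
    recent = defaultdict(deque)      # ip -> timestamps of its recent 404s
    verdict, flagged = {}, {}        # cached crawler checks, offenders
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "404" or m["ip"] in flagged:
            continue
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:  # drop 404s that fell out of the window
            hits.popleft()
        if len(hits) > max_404:
            if ip not in verdict:     # DNS lookups only for IPs over the threshold
                verdict[ip] = is_crawler(ip)
            if not verdict[ip]:
                flagged[ip] = ts
    return flagged

# Constructed sample data: documentation IPs and invented DNS records.
FAKE_PTR = {"198.51.100.20": "crawl-198-51-100-20.googlebot.com"}
FAKE_A = {"crawl-198-51-100-20.googlebot.com": {"198.51.100.20"}}

def check_offline(ip):
    """Crawler check against the constructed records instead of live DNS."""
    return is_verified_crawler(ip, lambda a: FAKE_PTR.get(a, ""),
                               lambda h: FAKE_A.get(h, ()))

def sample_log():
    """One prober and one verified crawler with 12 404s each, plus one visitor."""
    out = []
    for i in range(12):
        t = f"06/Nov/2018:05:45:{i:02d} -0500"
        for ip in ("203.0.113.7", "198.51.100.20"):
            out.append(f'{ip} - - [{t}] "GET /p{i}.php HTTP/1.1" 404 581 "-" "-"')
    out.append('192.0.2.9 - - [06/Nov/2018:05:45:20 -0500] '
               '"GET /old HTTP/1.1" 404 300 "-" "-"')
    return out
```

The returned IPs can be fed to whatever does the blocking (a host firewall set or the Cloudflare IP block list). The user-agent string is deliberately ignored, since a prober can claim to be Googlebot but cannot pass the forward-confirmed reverse DNS check.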

