How to block a simple GET HTTP attack?

Hi,
I have some simple HTTP attacks, such as many GET requests on a page coming from different IPs.

  1. Is there a way to block IPs like 141.101.69.* instead of adding them manually?

  2. Is there a rule to block IPs that hit the same URL more than 3 times a second?

Any other useful rules to block that simple HTTP attack?

108.162.229.45 - - [25/Sep/2020:09:28:14 +0000] “GET /chat HTTP/1.1” 200 31244 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36”
141.101.69.112 - - [25/Sep/2020:09:28:14 +0000] “GET /chat HTTP/1.1” 200 31247 “-” “Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.85 Mobile Safari/537.36”
108.162.229.9 - - [25/Sep/2020:09:28:14 +0000] “GET /chat HTTP/1.1” 200 31245 “-” “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36”
108.162.229.123 - - [25/Sep/2020:09:28:14 +0000] “GET /chat HTTP/1.1” 200 31243 “-” “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.28 Safari/537.36”
108.162.229.245 - - [25/Sep/2020:09:28:15 +0000] “GET /chat HTTP/1.1” 403 421 “-” “Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.85 Mobile Safari/537.36”
141.101.69.92 - - [25/Sep/2020:09:28:15 +0000] “GET /chat HTTP/1.1” 200 31244 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36”
141.101.69.112 - - [25/Sep/2020:09:28:15 +0000] “GET /chat HTTP/1.1” 200 31244 “-” “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36”
141.101.69.92 - - [25/Sep/2020:09:28:15 +0000] “GET /chat HTTP/1.1” 200 31247 “-” “Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.85 Mobile Safari/537.36”
108.162.229.45 - - [25/Sep/2020:09:28:02 +0000] “GET /chat HTTP/1.1” 200 31242 “-” “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.28 Safari/537.36”
141.101.69.150 - - [25/Sep/2020:09:28:15 +0000] “GET /chat HTTP/1.1” 200 31245 “-” “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36”
108.162.229.245 - - [25/Sep/2020:09:28:15 +0000] “GET /chat HTTP/1.1” 403 421 “-” “Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.85 Mobile Safari/537.36”
141.101.69.222 - - [25/Sep/2020:09:28:15 +0000] “GET /chat HTTP/1.1” 200 31249 “-” “Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.85 Mobile Safari/537.36”
141.101.69.222 - - [25/Sep/2020:09:28:15 +0000] “GET /chat HTTP/1.1” 200 31244 “-” “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.28 Safari/537.36”
108.162.229.245 - - [25/Sep/2020:09:28:14 +0000] “GET /chat HTTP/1.1” 200 31245 “-” “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36”
108.162.229.245 - - [25/Sep/2020:09:28:15 +0000] “GET /chat HTTP/1.1” 403 421 “-” “Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.85 Mobile Safari/537.36”
141.101.69.202 - - [25/Sep/2020:09:28:15 +0000] “GET /chat HTTP/1.1” 200 31249 “-” “Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.85 Mobile Safari/537.36”
141.101.69.112 - - [25/Sep/2020:09:27:40 +0000] “GET /chat HTTP/1.1” 200 31244 “-” “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.28 Safari/537.36”
108.162.229.245 - - [25/Sep/2020:09:28:15 +0000] “GET /chat HTTP/1.1” 403 421 “-” “Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.85 Mobile Safari/537.36”
108.162.229.245 - - [25/Sep/2020:09:28:15 +0000] “GET /chat HTTP/1.1” 403 421 “-” “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36”
108.162.229.123 - - [25/Sep/2020:09:28:15 +0000] “GET /chat HTTP/1.1” 200 31248 “-” “Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.85 Mobile Safari/537.36”
108.162.229.95 - - [25/Sep/2020:09:28:15 +0000] “GET /chat HTTP/1.1” 403 421 “-” “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36”
141.101.69.112 - - [25/Sep/2020:09:28:15 +0000] “GET /chat HTTP/1.1” 200 31246 “-” “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36”
141.101.69.150 - - [25/Sep/2020:09:28:09 +0000] “GET /chat HTTP/1.1” 200 31243 “-” “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.28 Safari/537.36”

Please keep in mind that those are actually the IPs of Cloudflare:

You’d need to check the CF-Connecting-IP header to get the real visitor IP or use one of Cloudflare’s add-ons:

Also, for rate limiting, you could use something like a custom implementation or Cloudflare’s Rate Limiting feature:

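The approach from the reply above, as an added example that is not part of the original thread: resolve the visitor address from CF-Connecting-IP only when the connection really comes from a Cloudflare edge, then apply the "more than 3 hits per second on the same URL" rule to that address. The names `real_client_ip`, `RateLimiter` and `replay` are hypothetical, the sample requests are constructed, and the two CIDRs are only the part of Cloudflare's published ranges that covers the addresses in the log.

```python
import ipaddress
from collections import defaultdict, deque

# Two of Cloudflare's published IPv4 ranges, enough to cover the edge
# addresses in the log above; load the full current list in production.
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("141.101.64.0/18", "108.162.192.0/18")]

def real_client_ip(peer_ip, headers):
    """Return the visitor IP, trusting CF-Connecting-IP only from Cloudflare."""
    peer = ipaddress.ip_address(peer_ip)
    if any(peer in net for net in TRUSTED_PROXIES):
        claimed = headers.get("CF-Connecting-IP", "").strip()
        try:
            return str(ipaddress.ip_address(claimed))
        except ValueError:
            pass  # missing or malformed header: fall back to the peer
    return str(peer)  # direct connection: any header it sent is ignored

class RateLimiter:
    """Sliding window: at most `limit` hits per `window` seconds per (ip, url)."""
    def __init__(self, limit=3, window=1.0):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, ip, url, now):
        q = self.hits[(ip, url)]
        while q and now - q[0] >= self.window:
            q.popleft()          # drop hits that have left the window
        if len(q) >= self.limit:
            return False         # over the limit: caller answers 429 or 403
        q.append(now)
        return True

def replay(requests, limiter=None):
    """Feed (time, peer_ip, headers, url) tuples; return allow/deny per request."""
    limiter = limiter or RateLimiter()
    return [limiter.allow(real_client_ip(peer, hdrs), url, t)
            for t, peer, hdrs, url in requests]

# Constructed sample: one visitor behind four different Cloudflare edges,
# plus a direct connection that sends the header itself.
SAMPLE = [
    (0.0, "141.101.69.112", {"CF-Connecting-IP": "203.0.113.7"}, "/chat"),
    (0.2, "108.162.229.45", {"CF-Connecting-IP": "203.0.113.7"}, "/chat"),
    (0.4, "141.101.69.92",  {"CF-Connecting-IP": "203.0.113.7"}, "/chat"),
    (0.6, "108.162.229.9",  {"CF-Connecting-IP": "203.0.113.7"}, "/chat"),
    (0.7, "198.51.100.9",   {"CF-Connecting-IP": "203.0.113.7"}, "/chat"),
    (1.1, "141.101.69.150", {"CF-Connecting-IP": "203.0.113.7"}, "/chat"),
]
```

Keying the limiter on the edge address instead would both miss this visitor (the hits are spread over several edges) and penalise unrelated visitors who share an edge.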