I checked the access log and see some lines from a DDoS attack:
```
2001:ee0:53d0:6670:d3a:41af:e74:6cfb - - [14/Jul/2022:13:13:59 +0700] "GET //?=15077 HTTP/2.0" 200 87776 "-" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"
2001:ee0:53d0:6670:d3a:41af:e74:6cfb - - [14/Jul/2022:13:13:59 +0700] "GET //?=2941 HTTP/2.0" 200 87776 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; FDM; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 1.1.4322)"
2001:ee0:53d0:6670:d3a:41af:e74:6cfb - - [14/Jul/2022:13:13:59 +0700] "GET //?=6984 HTTP/2.0" 200 87776 "-" "Googlebot/2.1 (http://www.googlebot.com/bot.html)"
2001:ee0:53d0:6670:d3a:41af:e74:6cfb - - [14/Jul/2022:13:13:59 +0700] "GET //?=2100 HTTP/2.0" 200 439029 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows 98)"
```
And how do I block users that have "//?=" in a Firewall Rule?
Depending on how you have your logging configured, that IP `2001:ee0:53d0:6670:d3a:41af:e74:6cfb` is not Cloudflare. If you haven’t modified your web server to log `cf-connecting-ip` then that log line implies that `2001:ee0:53d0:6670:d3a:41af:e74:6cfb` is coming to your server directly and hence not via the Cloudflare firewall.
First thing to check is make sure your server is only accessible by the Cloudflare IPs:
Alternatively you can also use Cloudflare Tunnels to further secure things and then drop any/all incoming connections:
Once it’s confirmed you are secured behind Cloudflare - you can then look at the Firewall rules.
I want it to auto-block if it contains “//?=”.
If you use it your way, it can only block 1 IP; it can’t be automated.
I wasn’t suggesting you block the IP - but pointing out this traffic could be coming to your server directly and ignoring your Cloudflare Firewall rules. It’s important to make sure your origin isn’t accepting traffic from non-Cloudflare sources otherwise attackers can hit your server directly - read protect your origin for more.
If you haven’t created a Firewall rule yet - I checked internally and a request with a double slash like `//?=` will be normalised by our service into `/?=` as per:
You could create a normal URI Firewall Rule to block `/?=` if you’re happy to block both in the WAF like this:
If you want to block just `//?=` then you would need to click Edit expression and change the rule to use the raw version of the field, which will give you the URI before normalisation occurs:
```
(raw.http.request.uri contains "//?=")
```
These fields are all explained here:
If you want to block just
XXXX is digits of unknown length you would need to use a regular expression which gets more complex:
```
(http.request.uri matches "//\?=[0-9]+")
```
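To check the first point raised in this thread (whether the flood reaches the origin directly), the sketch below scans access-log lines for the `//?=<digits>` pattern and reports clients that are not in a Cloudflare range. It is an added example, not code from any poster in the thread; it assumes the server logs the connecting IP rather than `cf-connecting-ip`, the network list is only a subset of Cloudflare's published ranges, and the second and third sample lines are constructed.

```python
import ipaddress
import re

# Subset of Cloudflare's published edge ranges (assumption: refresh the full
# list from https://www.cloudflare.com/ips/ before relying on this check).
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "104.16.0.0/13", "172.64.0.0/13", "162.158.0.0/15",
    "2400:cb00::/32", "2606:4700::/32", "2a06:98c0::/29",
)]

# Combined log format: client - user [time] "METHOD uri PROTO" status bytes ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Same pattern as the regular expression in the thread, applied to the raw URI.
FLOOD_RE = re.compile(r"//\?=[0-9]+")

def classify(line):
    """Return (client_ip, via_cloudflare, matches_flood), or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group(1))
    except ValueError:
        return None
    via_cf = any(ip in net for net in CLOUDFLARE_NETS)
    return str(ip), via_cf, bool(FLOOD_RE.search(m.group(3)))

def direct_flood_sources(lines):
    """Count flood requests per client that bypassed Cloudflare entirely."""
    hits = {}
    for line in lines:
        r = classify(line)
        if r and r[2] and not r[1]:
            hits[r[0]] = hits.get(r[0], 0) + 1
    return hits

SAMPLE = [
    # First line is from the thread; the next two are constructed.
    '2001:ee0:53d0:6670:d3a:41af:e74:6cfb - - [14/Jul/2022:13:13:59 +0700] '
    '"GET //?=15077 HTTP/2.0" 200 87776 "-" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"',
    '172.68.10.5 - - [14/Jul/2022:13:14:00 +0700] "GET //?=123 HTTP/1.1" 200 512 "-" "x"',
    '2001:db8::1 - - [14/Jul/2022:13:14:01 +0700] "GET /index.html HTTP/1.1" 200 512 "-" "x"',
]

if __name__ == "__main__":
    for ip, count in direct_flood_sources(SAMPLE).items():
        print(f"{ip} sent {count} flood request(s) directly to the origin")
```

Any client this reports never passed through Cloudflare, so no Firewall Rule can stop it until the origin only accepts connections from Cloudflare IPs or a Tunnel.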