How to use Firewall Rule Block URL "GET //?=5332 HTTP/2.0"

I check Access Log and see some line attack ddos:

2001:ee0:53d0:6670:d3a:41af:e74:6cfb - - [14/Jul/2022:13:13:59 +0700] "GET //?=15077 HTTP/2.0" 200 87776 "-" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"
2001:ee0:53d0:6670:d3a:41af:e74:6cfb - - [14/Jul/2022:13:13:59 +0700] "GET //?=2941 HTTP/2.0" 200 87776 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; FDM; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 1.1.4322)"
2001:ee0:53d0:6670:d3a:41af:e74:6cfb - - [14/Jul/2022:13:13:59 +0700] "GET //?=6984 HTTP/2.0" 200 87776 "-" "Googlebot/2.1 ("
2001:ee0:53d0:6670:d3a:41af:e74:6cfb - - [14/Jul/2022:13:13:59 +0700] "GET //?=2100 HTTP/2.0" 200 439029 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows 98)"```

And how to block user have  "//?=" in Firewall Rule?

Depending on how you have your logging configured that IP 2001:ee0:53d0:6670:d3a:41af:e74:6cfb is not Cloudflare. If you haven’t modified your web server to log x-forward-for or cf-connecting-ip then that log line implies that 2001:ee0:53d0:6670:d3a:41af:e74:6cfb is coming to your server directly and hence not via the Cloudflare firewall.

First thing to check is make sure your server is only accessible by the Cloudflare IPs:

Alternatively you can also use Cloudflare Tunnels to further secure things and then drop any/all incoming connections:

Once it’s confirmed you are secured behind Cloudflare - you can then look at the Firewall rules.

i want it auto block if contain “//?=”

If you use it your way, it can only block 1 IP, can’t be automated

I wasn’t suggesting you block the IP - but pointing out this traffic could be coming to your server directly and ignoring your Cloudflare Firewall rules. It’s important to make sure your origin isn’t accepting traffic from non-Cloudflare sources otherwise attackers can hit your server directly - read protect your origin for more.

If you haven’t created a Firewall rule yet - I checked internally and a request with a double slash like //?= will be normalised by our service into /?= as per:

You could create a normal URI Firewall Rule to block /?= if you’re happy to block both in the WAF like this:

If you want to block just //?= then you would need to click Edit expression and change the rule to use the raw version of the field which will give you the URI before normalisation occurs:

(raw.http.request.uri contains "//?=")

These fields are all explained here:

If you want to block just //?=XXXX where XXXX is digits of unknown length you would need to use a regular expression which gets more complex:

(http.request.uri matches "//\?=[0-9]+")
1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.