I found what is attacking most of us and need help on how to block it

dash-crypto
#1

I think I found out how most of our websites are getting attacked, even by very normal users, not by hackers.

I found this application, which is very cheap and simulates users from all over the world. It is called:

Simple Traffic Bot https://simpletrafficbot.com/

I just contacted the site owner :slight_smile:
Hello,
Does this application really simulate different locations? That is, will it call
the website from different cities all over the world, or from cities that I can decide?
I mean, in Google Analytics, will I see the users coming from different cities
in different countries?

and he replied immediately with:

Hi
my software uses Tor proxies from all over the world: https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1

Now we have detected the source of the problem and how it is done.
The question: can we block all these IPs used by the Tor project at the link he provided? Are these proxies used by some percentage of normal visitors?
What firewall rule can be used to block these IPs?

Please note I am not advertising this type of app. I have a business and my competitors are using these tools to attack my website, and this is the only reason I joined and used Cloudflare, but until now Cloudflare has been unable to block these attacks.

#2

Cloudflare identifies Tor as if it were a country, with code T1.

So you can try blocking or challenging users that Cloudflare identifies as coming from Tor with a Firewall Rule:

(ip.geoip.country eq "T1")
then
Block/Challenge

2 Likes
#3

The T1 country rule is not working. I see that you need to get the list of proxies for a specific website IP and port, and this list is updated dynamically like this:

https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1&port=443

The page for that is here:

https://check.torproject.org/cgi-bin/TorBulkExitList.py

I do not know if Cloudflare knows how to get all these proxy IPs for my specific website IP and SSL port, or has a general rule.
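As an added example (not part of any post in this thread), here is how the TorBulkExitList output described above could be parsed and turned into Cloudflare rule expressions of the form `(ip.src in {...})`, with a lookup helper for checking a request's source address against the list. The exit list text is a constructed sample using documentation address ranges, and the chunk size of 500 is an assumption, not a documented Cloudflare limit.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample in the format served by
# https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=<site-ip>&port=443
# (comment lines start with '#', one exit address per line). The addresses are
# documentation ranges (RFC 5737), not real exit relays.
SAMPLE_EXIT_LIST = """\
# This is a list of all Tor exit nodes from the past 16 hours that can contact 1.1.1.1 on port 443 #
# You can update this list by visiting https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1&port=443 #
192.0.2.10
198.51.100.7
192.0.2.10
not-an-ip
203.0.113.250
"""


def parse_exit_list(text: str) -> List[str]:
    """Return unique, valid exit addresses, skipping comments and malformed lines."""
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            seen.add(str(ipaddress.ip_address(line)))
        except ValueError:
            continue  # junk line: ignore it rather than failing the whole list
    # Sort IPv4 before IPv6, then numerically, so output is stable between refreshes.
    return sorted(seen, key=lambda a: (ipaddress.ip_address(a).version, ipaddress.ip_address(a)))


def cloudflare_expressions(addrs: Iterable[str], chunk: int = 500) -> List[str]:
    """Build Cloudflare rule expressions '(ip.src in {a b c})' in chunks.

    Splitting keeps each expression short; 500 per chunk is an assumed size.
    """
    addrs = list(addrs)
    return ["(ip.src in {" + " ".join(addrs[i:i + chunk]) + "})"
            for i in range(0, len(addrs), chunk)]


def is_tor_exit(client_ip: str, exits: Iterable[str]) -> bool:
    """True if a request's source address appears in the parsed exit list."""
    return str(ipaddress.ip_address(client_ip)) in set(exits)


if __name__ == "__main__":
    exits = parse_exit_list(SAMPLE_EXIT_LIST)
    for expr in cloudflare_expressions(exits):
        print(expr)
    print(is_tor_exit("198.51.100.7", exits))
```

Because the list is regenerated by the Tor project on a rolling window, the rule built from it has to be refreshed on a schedule rather than created once.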

#4

I’m wondering if tightening up the firewall with a Threat Score would help.

I’d also think that the software would have something consistent in the request header that would be a sign.


2 Likes