I'm Under Attack Now - Need Help Immediately

dash-dns
firewall
#1

Hi,

My website is under attack right now (Layer 7). The origin IP of my server is hidden. Although the orange cloud is activated, they are bypassing Cloudflare and attacking the server directly.

Also, only Cloudflare IPs can access HTTPS (via UFW). My website is down now. I also enabled Vultr DDoS protection.

How are they still attacking?

Here are some of the logs:

     57.0.2987.108 UCBrowser/12.11.2.1184 Mobile Safari/537.36"
    124.120.122.30 - - [19/Apr/2019:14:44:28 +0300] "GET /=?fqkkc HTTP/1.1" 404 134 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/73.0.3683.68 Mobile/15E148 Safari/605.1"
    2409:4052:2089:eee1::2567:58a1 - - [19/Apr/2019:14:44:28 +0300] "GET /?hbjkw HTTP/1.1" 502 568 "-" "Mozilla/5.0 (Linux; U; Android 8.1.0; en-US; SM-J701F Build/M1AJQ) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 UCBrowser/12.8.0.1120 Mobile Safari/537.36"
    125.27.109.35 - - [19/Apr/2019:14:44:28 +0300] "GET /?s=qgxnx HTTP/1.1" 502 166 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/71.1.241847734 Mobile/15E148 Safari/605.1"
    124.120.122.30 - - [19/Apr/2019:14:44:28 +0300] "GET /?s=bguqo HTTP/1.1" 502 166 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/73.0.3683.68 Mobile/15E148 Safari/605.1"
    14.207.32.171 - - [19/Apr/2019:14:44:27 +0300] "GET /?s=ferqq HTTP/1.1" 200 950 "-" "Mozilla/5.0 (Linux; Android 8.1.0; SM-J730GM) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.90 Mobile Safari/537.36"
    171.99.59.35 - - [19/Apr/2019:14:44:27 +0300] "GET /?s=ljicl HTTP/1.1" 502 166 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/73.0.3683.68 Mobile/15E148 Safari/605.1"
    2001:44c8:4381:c25b:1:2:b77c:248a - - [19/Apr/2019:14:44:27 +0300] "GET /=?plcrj HTTP/1.1" 404 191 "-" "Mozilla/5.0 (Linux; Android 6.0.1; SM-J700F Build/MMB29K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.137 Mobile Safari/537.36"
    2001:44c8:42c4:ec1:8b9:1d3f:4470:6f41 - - [19/Apr/2019:14:44:27 +0300] "GET /=?rcizw HTTP/1.1" 404 134 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/71.1.241847734 Mobile/15E148 Safari/605.1"
    27.55.83.160 - - [19/Apr/2019:14:44:27 +0300] "GET /?s=elkiy HTTP/1.1" 502 568 "-" "Mozilla/5.0 (Linux; Android 8.1.0; CPH1823) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Mobile Safari/537.36"
    171.97.76.54 - - [19/Apr/2019:14:44:27 +0300] "GET /?s=dsjoc HTTP/1.1" 502 568 "-" "Mozilla/5.0 (Linux; Android 7.1.1; CPH1723) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.90 Mobile Safari/537.36"
    171.97.76.54 - - [19/Apr/2019:14:44:27 +0300] "GET /?s=nbszp HTTP/1.1" 502 568 "-" "Mozilla/5.0 (Linux; Android 7.1.1; CPH1723) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.90 Mobile Safari/537.36"
    171.99.59.35 - - [19/Apr/2019:14:44:27 +0300] "GET /=?xnkmd HTTP/1.1" 404 134 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/73.0.3683.68 Mobile/15E148 Safari/605.1"
    1.46.226.202 - - [19/Apr/2019:14:44:27 +0300] "GET /=?psxul HTTP/1.1" 404 191 "-" "Mozilla/5.0 (Linux; Android 8.0.0; SM-J600G) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.90 Mobile Safari/537.36"
    49.229.217.224 - - [19/Apr/2019:14:44:27 +0300] "GET /?s=ovmdh HTTP/1.1" 502 166 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1"
    115.84.117.62 - - [19/Apr/2019:14:44:27 +0300] "GET /=?myoac HTTP/1.1" 404 191 "-" "Mozilla/5.0 (Linux; Android 6.0.1; SM-N910C) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.96 Mobile Safari/537.36"
    125.27.109.35 - - [19/Apr/2019:14:44:28 +0300] "GET /?s=ysrcb HTTP/1.1" 502 166 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/71.1.241847734 Mobile/15E148 Safari/605.1" 
#2

Could you please recommend any nginx rule for stopping that?

Thank you!

#3

That is because they have your IP address. You either need to change that address or block all requests except those from Cloudflare in your system firewall.

#4

Hi @sandro

  • Authenticated Origin Pulls is enabled.
  • I blocked all requests except those from Cloudflare in both my system firewall (UFW) and Vultr's own firewall.
  • The orange cloud is activated on Cloudflare for all of my DNS records.
  • My origin IP is completely hidden. Nobody can find the origin IP in the DNS history at all.
  • Also, Vultr DDoS protection for my origin IP ($10/mo) is fully activated.

I can't understand how they can attack after all of that.

#5

How did you establish that they are connecting directly?

#6

@sandro


(Last 24 hours)
Maybe they couldn't bypass Cloudflare. I'm not sure.

EDIT: Now our website is working well. Some requests are blocked and some other requests can still reach the server. This situation is better.

#7

This attack seems to rely on random query strings to avoid hitting cached files, forcing CF to request from the origin.

You could try a Firewall Rule such as:

(http.request.uri.query contains "s=" and not cf.client.bot) or (http.request.uri.query contains "=?")

The first condition will catch any query string starting with /?s=. This will impact real visitors performing searches on your blog/site, so you may want to start with a Challenge action, then, if it doesn't stop the attackers (in most cases it will), change it to Block. It will allow known bots, as defined by Cloudflare.

The second condition reflects malformed query strings, as seen in the log sample you provided.

Then monitor the logs to see if the attack has other patterns you may identify and add to the firewall rule.

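As an added example (not code from this thread, from Cloudflare, or from the poster), the Python script below answers the question in #5 and implements the pattern-hunting from #7 over the posted log lines: it checks whether each line's peer address falls inside Cloudflare's published ranges, flags the random-query cache busters, and emits the UFW allowlist suggested in #3. Assumptions: the Cloudflare ranges are a hand-copied subset embedded so the script runs offline (fetch the full current list from https://www.cloudflare.com/ips/ in production); the sample log is abridged from the post's excerpt (user agents shortened) plus one constructed line from address 172.68.10.5; the UFW commands assume only ports 80 and 443 need Cloudflare access. One caveat a practitioner should keep in mind: the leading IP in a combined-format nginx line is the TCP peer only when ngx_http_realip_module is not in use. With `real_ip_header CF-Connecting-IP` it is the end client, and a non-Cloudflare address there says nothing about whether the request came through Cloudflare.

```python
"""Triage an nginx access log excerpt for a cache-busting Layer 7 flood behind Cloudflare."""
import ipaddress
import re
from collections import Counter

# Hand-copied subset of Cloudflare's published ranges (https://www.cloudflare.com/ips/),
# embedded so the demo runs offline; fetch the full current list in production.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13", "104.24.0.0/14",
    "172.64.0.0/13", "2400:cb00::/32", "2606:4700::/32",
)]

# nginx "combined" format: ip ident user [time] "method target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Generalised form of the thread's pattern (/?s=ferqq, /=?fqkkc, /?hbjkw): the root path
# with a query that is nothing but one short lowercase token, optionally after "s=" or "=".
CACHE_BUSTER_RE = re.compile(r'^/=?\?(?:s=)?[a-z]{4,8}$')

# Abridged from the post's log excerpt (user agents shortened) plus one CONSTRUCTED line
# from a Cloudflare edge address (172.68.10.5) carrying a legitimate search query.
SAMPLE_LOG = '''
     57.0.2987.108 UCBrowser/12.11.2.1184 Mobile Safari/537.36"
124.120.122.30 - - [19/Apr/2019:14:44:28 +0300] "GET /=?fqkkc HTTP/1.1" 404 134 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) CriOS/73.0.3683.68"
2409:4052:2089:eee1::2567:58a1 - - [19/Apr/2019:14:44:28 +0300] "GET /?hbjkw HTTP/1.1" 502 568 "-" "Mozilla/5.0 (Linux; U; Android 8.1.0; SM-J701F) UCBrowser/12.8.0.1120"
14.207.32.171 - - [19/Apr/2019:14:44:27 +0300] "GET /?s=ferqq HTTP/1.1" 200 950 "-" "Mozilla/5.0 (Linux; Android 8.1.0; SM-J730GM) Chrome/73.0.3683.90"
171.97.76.54 - - [19/Apr/2019:14:44:27 +0300] "GET /?s=dsjoc HTTP/1.1" 502 568 "-" "Mozilla/5.0 (Linux; Android 7.1.1; CPH1723) Chrome/73.0.3683.90"
171.97.76.54 - - [19/Apr/2019:14:44:27 +0300] "GET /?s=nbszp HTTP/1.1" 502 568 "-" "Mozilla/5.0 (Linux; Android 7.1.1; CPH1723) Chrome/73.0.3683.90"
172.68.10.5 - - [19/Apr/2019:14:44:29 +0300] "GET /?s=nginx+rate+limit HTTP/1.1" 200 4120 "https://example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/66.0"
'''


def peer_is_cloudflare(ip: str) -> bool:
    """True if the logged peer address lies in a Cloudflare edge range.

    Only meaningful when nginx logs the raw TCP peer.  With ngx_http_realip_module
    (set_real_ip_from <cloudflare ranges>; real_ip_header CF-Connecting-IP;) the
    logged address is the end client and says nothing about the path taken.
    """
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)  # v4/v6 mismatch is simply False


def is_cache_buster(target: str) -> bool:
    """True for the random-token query strings that force a cache miss and an origin fetch."""
    return CACHE_BUSTER_RE.match(target) is not None


def parse_line(line: str):
    """Return the fields of one combined-format line, or None for truncated/foreign lines."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text: str) -> dict:
    """Count hits from Cloudflare vs. other peers and how many carry the cache-buster pattern."""
    edge, other, busters = Counter(), Counter(), Counter()
    parsed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # e.g. the truncated first line of the post's excerpt
        parsed += 1
        (edge if peer_is_cloudflare(rec["ip"]) else other)[rec["ip"]] += 1
        if is_cache_buster(rec["target"]):
            busters[rec["ip"]] += 1
    return {
        "parsed": parsed,
        "peer_is_cloudflare": sum(edge.values()),
        "peer_not_cloudflare": sum(other.values()),
        "cache_busters": sum(busters.values()),
        "top_non_cloudflare_peers": other.most_common(3),
    }


def ufw_allowlist_commands(ports=(80, 443)) -> list:
    """ufw commands admitting only Cloudflare to the web ports (the fix suggested in #3).

    Assumes `ufw default deny incoming` is already set and an SSH allow rule exists,
    otherwise you lock yourself out; regenerate whenever Cloudflare's list changes.
    """
    return [f"ufw allow proto tcp from {net} to any port {port}"
            for net in CLOUDFLARE_RANGES for port in ports]


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    print("\n".join(ufw_allowlist_commands()))
```

Interpreting the output depends on the realip caveat: if nginx logs the raw peer, a non-zero `peer_not_cloudflare` count means those connections really did reach the origin without passing through Cloudflare, which is the situation #3 describes; if realip is configured, only `cache_busters` and the per-IP counts are informative, and the Cloudflare firewall rule in #7 is the right place to act.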
#8

@floripare Thank you very much :) I really appreciate it.

They were attacking our website for the last 24 hours. They are still continuing… and couldn't bypass Cloudflare. Now the attack is blocked, thanks to Cloudflare.

closed #9

This topic was automatically closed after 30 days. New replies are no longer allowed.