IPv6 hackers DDoS'ing site through Cloudflare - help!

Cloudflare generously hands rotating IPv6 DDoS-attacking hackers a nice Cloudflare IPv4 address. While they rotate, Cloudflare doesn't seem to stop the hackers, and my site gets DDoS'd.

Cloudflare this is critical, and very bad. Please address this.

I came up with a working IPv6 ModSecurity blocker. I've had it installed for 5 minutes and I think I already have 100 blocks. Albeit it's catching the good and the bad guys…

# Deny any request whose CF-Connecting-IP header (the real visitor address
# that Cloudflare passes along) is an IPv6 address. The dots in the embedded
# IPv4 forms are escaped so they match a literal "." rather than any character.
SecRule REQUEST_HEADERS:CF-Connecting-IP "@rx ^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$" \
    "id:1006,phase:1,deny,status:403,msg:'Blocked IPv6 address'"

If you want to see this in action, put an IPv6 value in a file and run this on the file:

grep -E '(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))' /root/temp/ddoss_6.19.23

Does anyone have any better advice on how to stop these rotating IPv6 DDoS attacks?

Anyone got any advice? Rotating IPv6 DDoS attacks are a gnarly thing to try and mitigate.

Cloudflare doesn't give out IPs or anything; it sounds like you're confusing how Cloudflare works. Cloudflare will connect to your origin using an egress IP, one of the ones from IP Ranges. If you only have A/IPv4 records configured, it'll always be a Cloudflare IPv4. The Cf-Connecting-IP header is how you get the real user IP, and the Cloudflare connecting IP shouldn't be used for rate limiting or anything else.

100 blocks in 5 minutes is 0.3 requests per second; that doesn't sound like an attack or anything like that.

Sorry, bad example.

I had around 6000 requests in a 10 minute period, during which my server alerted me of 95% CPU usage.

I am not sure if you might be confused, or I am not explaining myself well, but I am already monitoring Cf-Connecting-IP, which is why I know these are rotating IPv6 attacks. For each entry where Cf-Connecting-IP shows an IPv6 address, the IPv4 value of that entry shows a Cloudflare proxy address.

But I see a Cloudflare IP on every request on my server, therefore they 'do' give out an IP, right?

It's how reverse proxies/pull CDNs like Cloudflare work: there are two separate HTTP connections,
Client → Cloudflare Edge, and then another Cloudflare Edge → Origin (your real web server).
If you had proxy/Cloudflare disabled, you would just see the IPv6s connecting directly (assuming your server had IPv6/AAAA records). Cloudflare isn't doing anything special to enable IPv6 attackers.

Usually people rate limit/block by IPv6 /64 and by IPv4 /32; this is how Cloudflare's rate limiting products work as well, for example. This is done because address assignment with IPv6 is different than with IPv4. IPv4s are usually unique per user, and these days, thanks to CGNAT, might even be shared between multiple houses/users. IPv6s, on the other hand, are usually assigned somewhere between a /56, a /64, or for the lucky, a /48. Even the smallest there, a /64, is some eighteen quintillion IPv6s, and with configurations like privacy extensions in modern operating systems, devices will just naturally "rotate" or change IPv6s.

If you need help mitigating the attack:

6k requests per 10 seconds does sound more attack-like, that's about 10 requests/second; unfortunately that's still a bit low, from my experience, before Cloudflare's automatic protections kick in. You'll need to mitigate manually/adjust your own firewall rules/rate limiting rules, etc.

Blocking all IPv6 users isn’t very sustainable or recommended, although I can understand from your view it may be a bit confusing.

1 Like

Are you restoring visitor IPs @webadmin? If not, all you will see are cf ips and you won’t be able to tell what to block and what to not.

1 Like
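The two replies above make two separate points: first, restore the visitor IP from CF-Connecting-IP but only when the TCP peer really is one of Cloudflare's egress addresses (otherwise anyone can forge the header), and second, key rate limiting by IPv6 /64 and IPv4 /32 so that privacy-extension rotation inside one subscriber's prefix collapses into a single counter. The script below is an added example written for this thread, not code from Cloudflare or from either poster. It assumes a placeholder trusted-proxy list (RFC 5737 TEST-NET-1, which is not a Cloudflare range; the real list is Cloudflare's published IP ranges) and a constructed log format in which the origin appends a cf_ip="..." field copied from the request header.

```python
"""Key rate-limit counters by IPv6 /64 and IPv4 /32, trusting the
CF-Connecting-IP value only when the TCP peer is a known proxy.
Added example for the thread; not Cloudflare's or either poster's code."""
import ipaddress
import re
from collections import Counter

# ASSUMPTION / placeholder: in production this must be Cloudflare's published
# egress ranges (https://www.cloudflare.com/ips/). RFC 5737 TEST-NET-1 is used
# here only so the example runs offline.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed log format: Apache-style prefix plus a cf_ip="..." field that
# the origin writes from the CF-Connecting-IP request header.
LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[[^\]]*\] "[^"]*" \d+ \d+ cf_ip="(?P<cf>[^"]*)"$'
)

# Constructed sample: the first four lines are one IPv6 /64 arriving through
# three different edge (peer) IPs; the last line forges the header from an
# untrusted peer and must be keyed by the peer, not by the header.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Jun/2023:10:00:01 +0000] "GET / HTTP/1.1" 200 512 cf_ip="2001:db8:abcd:1::1"
192.0.2.11 - - [19/Jun/2023:10:00:01 +0000] "GET / HTTP/1.1" 200 512 cf_ip="2001:db8:abcd:1::2"
192.0.2.10 - - [19/Jun/2023:10:00:02 +0000] "GET / HTTP/1.1" 200 512 cf_ip="2001:db8:abcd:1:ab:cd:ef:1"
192.0.2.12 - - [19/Jun/2023:10:00:02 +0000] "GET / HTTP/1.1" 200 512 cf_ip="2001:db8:abcd:1::ffff"
192.0.2.10 - - [19/Jun/2023:10:00:03 +0000] "GET / HTTP/1.1" 200 512 cf_ip="2001:db8:ffff:2::1"
192.0.2.10 - - [19/Jun/2023:10:00:03 +0000] "GET / HTTP/1.1" 200 512 cf_ip="198.51.100.7"
203.0.113.9 - - [19/Jun/2023:10:00:04 +0000] "GET / HTTP/1.1" 200 512 cf_ip="2001:db8:abcd:1::9"
"""


def restore_visitor_ip(peer_ip: str, cf_connecting_ip: str):
    """Return the real client address: the header value if the peer is a
    trusted proxy, otherwise the peer itself (the header may be forged)."""
    peer = ipaddress.ip_address(peer_ip)
    if cf_connecting_ip and any(peer in net for net in TRUSTED_PROXIES):
        return ipaddress.ip_address(cf_connecting_ip)
    return peer


def rate_limit_key(ip) -> str:
    """IPv6 counts per /64 (one subscriber's whole LAN, so privacy-extension
    rotation lands in the same bucket); IPv4 counts per single address."""
    prefix = 64 if ip.version == 6 else 32
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def aggregate(log_text: str) -> Counter:
    """Count requests per rate-limit key over a block of log lines."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would log it
        client = restore_visitor_ip(m.group("peer"), m.group("cf"))
        counts[rate_limit_key(client)] += 1
    return counts


def over_threshold(counts: Counter, limit: int) -> dict:
    """Keys whose request count exceeds the limit for the window."""
    return {key: n for key, n in counts.items() if n > limit}


if __name__ == "__main__":
    c = aggregate(SAMPLE_LOG)
    for key, n in c.most_common():
        print(f"{n:4d}  {key}")
    print("over limit:", over_threshold(c, 3))
```

On the sample, the four rotating addresses under 2001:db8:abcd:1::/64 collapse into one bucket with a count of 4, while the forged header on the untrusted peer is ignored and counted against 203.0.113.9/32; the /64 bucket is the only key a limit of 3 per window would flag. The same keying logic can replace the regex rule above: instead of denying every IPv6 visitor, the counter is what you act on.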

Restoring visitor IPs? From what to what?

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.