IPv6 Ranges in WAF Rules

I keep getting attempted logins to my WordPress site from IPv6 addresses beginning with 2600:, 2604:, 2607:, and 2600:.

I currently have the Cloudflare Free plan.

I understand the rules to not allow wildcards, so I would like to set up one or more ranges.

Specifically, can I create a range that will block all addresses beginning with 26 or even just 2?

Thanks,

John

Technically yes.

Though I doubt you really want to block 1.3 undecillion addresses and not only because they belong to a vast number of different networks.

You best check what these requests are and then block them selectively. You could also consider one of the other Cloudflare authentication tools instead or simply whitelist your address.

Thanks very much for your reply.

There are too many variations to block them selectively, unfortunately.

I have looked at access logs and I see the only failed logon attempts come from the IPv6 addresses starting with 26XX, as I mentioned. So I tried the example you presented and will monitor the activity.

Thanks again,

John

At least restrict it to your logon path.

Can you post a few sample requests?


Not sure how to do either.

I don’t have any problems blocking someone to the whole site, not just the logon screen.

BTW - Blocking by country removed a great majority of bot logon attempts.

All right, if you are fine with it, then just use the shown expression to block that network. A country block will certainly work as well.

Thanks again for all your responses. I don’t mind taking a chance of blocking too much, but if I get word that some legitimate users cannot get through, I will look into refining the blocking.

Just one last question, exposing my ignorance. Will the example you provided 2600::/8 also include 2604, 2605, etc.? Or would I need separate rules for each?

Forgot to include in the question - If separate expressions are needed, I assume I could put them in a list and just use one rule.

/8 will block 2600 to 26ff.

Great - thanks again.

If you block all addresses that start with 2 you are blocking the entire IPv6 unicast address space. Similarly with any address starting with 26 you are proposing to arbitrarily block massive amounts of unrelated networks. A typical allocation is between a /29 and a /32. The largest allocation size possible is a /12 (I think). A /8 is a massive number of unrelated networks.

Blocking a /8 in IPv6 is like saying “block any IPv4 address that starts with an even number”. It might block the attempted logins, but the blast radius will also block a massive amount of unrelated and likely legitimate traffic. If you want to block an address range you should try and identify what the network allocation is, and only block that specific prefix.
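The two points made above, that 2600::/8 spans every first hextet from 2600 to 26ff and that the sensible unit to block is the actual allocation (typically /29 to /32) rather than a /8, can be checked with a few lines of Python. This is an added example, not code from the thread or from Cloudflare; the addresses in `SEEN` are constructed for illustration, the /32 allocation size is the assumption stated in the post above, and `should_block` only mimics the idea of scoping a block to the login path (its `login_path` default is an assumption about a stock WordPress install, not a Cloudflare API).

```python
import ipaddress
from typing import Iterable

# Constructed sample addresses in the style of the thread's "26XX" logins.
# They are made up for this example and are not taken from the thread.
SEEN = [
    "2600:1f18:1234:5600::abcd",
    "2604:a880:2:d0::1",
    "2607:f8b0:4005:80a::200e",
    "2600:3c01::f03c:91ff:fe6e:1",
]


def first_hextet_range(prefix: str) -> tuple[str, str]:
    """Lowest and highest first hextet a prefix of length <= 16 covers.

    2600::/8 -> ('2600', '26ff'): a /8 fixes only the leading byte 0x26, so
    2604, 2605, 2607 ... 26ff are all inside it and need no separate rule.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen > 16:
        raise ValueError("prefix longer than the first hextet")
    first = int(net.network_address) >> 112
    last = first | ((1 << (16 - net.prefixlen)) - 1)
    return f"{first:04x}", f"{last:04x}"


def in_prefix(addr: str, prefix: str) -> bool:
    """True if the address falls inside the prefix (what a WAF 'ip in range' does)."""
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(prefix, strict=False)


def min_covering_network(addrs: Iterable[str]) -> ipaddress.IPv6Network:
    """Smallest single prefix containing every address: the tightest 'range'.

    The common leading bits of the lowest and highest address give the length.
    """
    ints = [int(ipaddress.IPv6Address(a)) for a in addrs]
    lo, hi = min(ints), max(ints)
    plen = 128 - (lo ^ hi).bit_length()
    return ipaddress.IPv6Network((lo, plen), strict=False)


def allocation_prefixes(addrs: Iterable[str], plen: int = 32) -> list[str]:
    """Collapse each address to its plen-sized allocation and return the distinct set.

    /32 is used as the assumed allocation size; real allocations vary, so the
    authoritative answer is a whois/RIR lookup of each address.
    """
    nets = {
        ipaddress.IPv6Network((int(ipaddress.IPv6Address(a)), plen), strict=False)
        for a in addrs
    }
    return [str(n) for n in sorted(nets)]


def allocations_per_prefix(broad: str, plen: int = 32) -> int:
    """How many plen-sized allocations a broad block sweeps up (its blast radius)."""
    net = ipaddress.IPv6Network(broad, strict=False)
    return 2 ** (plen - net.prefixlen)


def should_block(addr: str, path: str, prefixes: list[str],
                 login_path: str = "/wp-login.php") -> bool:
    """Mimic a rule scoped to the logon path: block only when the source is in
    a listed prefix AND the request targets the login URL, so the rest of the
    site stays reachable from the blocked range."""
    return path == login_path and any(in_prefix(addr, p) for p in prefixes)


if __name__ == "__main__":
    print(first_hextet_range("2600::/8"))
    print(min_covering_network(SEEN))
    print(allocation_prefixes(SEEN))
    print(allocations_per_prefix("2600::/8"))
```

Running it shows why the thread's two answers differ in spirit: a /8 contains 2^24 (about 16.7 million) /32 allocations, whereas the four sample addresses collapse to just four /32s, or at the very widest a single 2600::/13, which is still a far smaller block than the /8.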

The OP is aware of that but appears to be fine with it, or respectively has opted for a country block anyhow.

Very true. Thanks to both you and michael. I will continue to learn about alternate methods, but in the meantime, the /8 seems to work fine, even though it may be over-broad.

If it works, then it works 🙂 Still, blocking an IPv4 /8 is usually too broad; with IPv6 you are blocking half the galaxy's Internet, but again, if it works...

