Is it possible to bypass Cloudflare?

Recently, I was hit hard with a DDoS and all the requests seemed to bypass Cloudflare somehow.
Looking at the logs, it was all HTTP traffic. That should not be possible because I have HTTPS redirection enabled in CF settings. Also, all the traffic was from CF IP addresses.
Looks like it's somehow possible to bypass the HTTPS redirect and get HTTP traffic into the origin.
Also, I do have rules to block non-CF traffic so it was indeed some sort of bypass. Or maybe a spoof?

Anyone else experienced this and know how to mitigate this issue in the future?

In that case it shouldn't have been direct requests.

What's the domain?

The domain is ‘lalluram.com’.
It was on Friday sometime in the afternoon IST.

I can share access logs from my server if needed.

It seems your address is at least not publicly available. Would you feel comfortable sharing your server IP address (also in private if you prefer)?

Though I don’t have a problem sharing my IP, I would like to do so away from prying eyes given there’s been a constant supply of DDoS on my domain for some time.
I don’t know how to initiate a private message on this platform.

Can you run a test against your IP address at sitemeer.com and post the time here when you ran it? In that case I can dig it out.

Okay, I ran the test about a minute ago against IP 3.x.x.x
It detected it as down as usual.

Got it. Yes, that machine does not seem to be publicly reachable. And the current network/firewall configuration hasn't changed since then?

Everything except the Firewall (on CF) is unchanged.
I was using the Firewall to block the DDoS at the time and disabled it afterwards.

Can you also post the server logs? Make sure it does not reveal the server IP.

If the configuration is as it seems, you shouldn't have received direct requests.

I forgot.
I was testing with Cloudflare Access a bit and left an Access Policy with Bypass for Everyone at the time. Could that have caused this issue?

Hmm, just realised your issue was not direct requests, but HTTP instead of HTTPS ones, right?

Right now the whole site is suspended and there is no redirect to HTTPS.

That’s not the case though. CF properly redirects to HTTPS. You can see the curl output:

> GET /wp-admin/ HTTP/1.1
> Host: lalluram.com
> User-Agent: curl/7.58.0
> Accept: */*

< HTTP/1.1 301 Moved Permanently
< Date: Mon, 13 Jan 2020 10:45:23 GMT
< Transfer-Encoding: chunked
< Connection: keep-alive
< Cache-Control: max-age=3600
< Expires: Mon, 13 Jan 2020 11:45:23 GMT
< Location: https://lalluram.com/wp-admin/
< Alt-Svc: h3-24=":443"; ma=86400, h3-23=":443"; ma=86400
< Server: cloudflare
< CF-RAY: 5546c7c4cacdbbb8-LHR

Here is a (very limited) part of the server log.

172.68.33.9 - - [11/Jan/2020:11:15:37 +0000] "GET /wp-admin/sshtml.php HTTP/1.1" 403 2157 "205.185.115.100" "http://lalluram.com/wp-admin/sshtml.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"
108.162.240.117 - - [11/Jan/2020:11:15:37 +0000] "GET /wp-admin/sshtml.php HTTP/1.1" 403 2157 "159.203.16.170" "http://lalluram.com/wp-admin/sshtml.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134"
108.162.218.135 - - [11/Jan/2020:11:15:38 +0000] "GET /wp-admin/sshtml.php HTTP/1.1" 403 2157 "167.172.247.68" "http://lalluram.com/wp-admin/sshtml.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36"
198.41.235.142 - - [11/Jan/2020:11:15:38 +0000] "GET /wp-admin/sshtml.php HTTP/1.1" 403 2157 "68.183.123.186" "http://lalluram.com/wp-admin/sshtml.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110"
108.162.218.45 - - [11/Jan/2020:11:15:38 +0000] "GET /wp-admin/sshtml.php HTTP/1.1" 403 2157 "68.183.123.15" "http://lalluram.com/wp-admin/sshtml.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110"
108.162.218.120 - - [11/Jan/2020:11:15:38 +0000] "GET /wp-admin/sshtml.php HTTP/1.1" 403 2157 "68.183.125.104" "http://lalluram.com/wp-admin/sshtml.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.2 Safari/605.1.15"
108.162.218.63 - - [11/Jan/2020:11:15:38 +0000] "GET /wp-admin/sshtml.php HTTP/1.1" 403 2157 "68.183.105.214" "http://lalluram.com/wp-admin/sshtml.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0"
141.101.106.184 - - [11/Jan/2020:11:15:38 +0000] "GET /wp-admin/sshtml.php HTTP/1.1" 403 2157 "104.248.169.145" "http://lalluram.com/wp-admin/sshtml.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36"
108.162.228.42 - - [11/Jan/2020:11:15:38 +0000] "GET /wp-admin/sshtml.php HTTP/1.1" 403 2157 "51.158.113.142" "http://lalluram.com/wp-admin/sshtml.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"
141.101.66.137 - - [11/Jan/2020:11:15:38 +0000] "GET /wp-admin/sshtml.php HTTP/1.1" 403 2157 "51.158.111.229" "http://lalluram.com/wp-admin/sshtml.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0"

Log format (apache2) is:

%h %l %u %t "%r" %>s %O "%{CF-Connecting-IP}i" "%{Referer}i" "%{User-Agent}i"

Now that I look at it more closely, it's the Referer header and not the actual request.
I was confused by the fact that the requests were not showing up on the analytics but that’s probably because of the incident that day.
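The confusion above comes from reading the log by eye: with the LogFormat posted in this thread, `%h` is the TCP peer (a Cloudflare edge address), `%{CF-Connecting-IP}i` is the real client, `%r` is "METHOD path HTTP/x.y" with no scheme at all, and the only "http://" on the line sits in the client-supplied Referer. The script below is an added example, not code from the thread or from Cloudflare, that parses that exact format and separates those fields so the check can be done mechanically rather than by eye. It assumes the Cloudflare IPv4 ranges listed in the code (from memory, to be verified against https://www.cloudflare.com/ips/) and uses two lines copied from the post plus one constructed line from a TEST-NET address.

```python
"""Parse the Apache LogFormat posted in the thread and report what each line really says."""
import ipaddress
import re
from typing import Optional

# Cloudflare's published IPv4 edge ranges as recalled when writing this example.
# ASSUMPTION: verify against https://www.cloudflare.com/ips/ before relying on it.
CLOUDFLARE_V4 = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# One named group per directive of the posted LogFormat:
#   %h %l %u %t "%r" %>s %O "%{CF-Connecting-IP}i" "%{Referer}i" "%{User-Agent}i"
LINE_RE = re.compile(
    r'^(?P<h>\S+) (?P<l>\S+) (?P<u>\S+) \[(?P<t>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<cf_ip>[^"]*)" "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def is_cloudflare(addr: str) -> bool:
    """True if addr (the %h peer address) lies inside a Cloudflare edge range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in CLOUDFLARE_V4)


def scheme_of(url: str) -> Optional[str]:
    """Return 'http' or 'https' for an absolute URL, else None (e.g. '-' or a bare path)."""
    m = re.match(r'^(https?)://', url)
    return m.group(1) if m else None


def parse_line(line: str) -> dict:
    """Split one access-log line into its fields and annotate what they mean."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"line does not match LogFormat: {line!r}")
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])
    # %h is the TCP peer: with Cloudflare proxying, it is an edge address and
    # the real client is only in CF-Connecting-IP.
    d["via_cloudflare"] = is_cloudflare(d["h"])
    # %r is "METHOD target HTTP/x.y"; the target is a path, so the line carries
    # no scheme for the request itself. The "http://" seen in the post is in
    # the Referer, a client-chosen header that says nothing about how this
    # request reached the origin.
    d["request_scheme"] = scheme_of(d["target"])   # None for "/wp-admin/..."
    d["referer_scheme"] = scheme_of(d["referer"])
    return d


def summarize(lines) -> dict:
    """Aggregate a batch of lines into the counts a defender wants to see first."""
    out = {"total": 0, "via_cloudflare": 0, "direct": 0,
           "referer_http": 0, "request_scheme_known": 0, "unparsed": 0}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        out["total"] += 1
        try:
            e = parse_line(line)
        except ValueError:
            out["unparsed"] += 1
            continue
        out["via_cloudflare" if e["via_cloudflare"] else "direct"] += 1
        if e["referer_scheme"] == "http":
            out["referer_http"] += 1
        if e["request_scheme"] is not None:
            out["request_scheme_known"] += 1
    return out


# Constructed sample: two lines copied from the post (straight quotes) and one
# made-up line from a TEST-NET address, which is what a real direct-to-origin
# hit would look like (peer not in a Cloudflare range, no CF-Connecting-IP).
SAMPLE_LOG = """\
172.68.33.9 - - [11/Jan/2020:11:15:37 +0000] "GET /wp-admin/sshtml.php HTTP/1.1" 403 2157 "205.185.115.100" "http://lalluram.com/wp-admin/sshtml.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"
108.162.240.117 - - [11/Jan/2020:11:15:37 +0000] "GET /wp-admin/sshtml.php HTTP/1.1" 403 2157 "159.203.16.170" "http://lalluram.com/wp-admin/sshtml.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134"
203.0.113.5 - - [11/Jan/2020:11:16:02 +0000] "GET /wp-admin/ HTTP/1.1" 403 2157 "-" "-" "curl/7.58.0"
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{key:22} {value}")
```

Run against the sample, `request_scheme_known` stays at 0 for every line: this LogFormat simply never records whether the origin received the request over HTTP or HTTPS, so it cannot support the conclusion that the redirect was bypassed. Only the `direct` count (peer outside the Cloudflare ranges) is evidence of traffic that skipped the proxy.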

Am I right to assume you are not rewriting the IP address but only logging the actual client address, Cloudflare's?

The first IP is CF. The second is the ‘CF-Connecting-IP’.
But as I said, I was probably very confused that day by things not updating in the dashboard due to the CF incident.
