The WAF firewall rules seem to be allowing strange requests from AS16509 when Known Bots is enabled.

These requests do not look like a legitimate/known bot, based on the requesting ASN, IP address, User Agent and doing a Reverse DNS on the IP address.

Examples:
AS16509, 54.241.45.34, Opera/9.80 (Windows NT 10.0; Win64; x64; U; en) Presto/2.9.168 Version/11.50
AS16509, 54.255.209.170, Opera/9.80 (Macintosh; Intel Mac OS X 11_2_2; U; en) Presto/2.2.15 Version/10.00
AS16509, 122.248.204.187, Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36
AS16509, 54.240.199.107, Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36

I’m on the Free plan.

Can you post a screenshot of the firewall event where these requests are mentioned?

54.241.45.34

image770×722 41.2 KB

54.255.209.170

image771×722 40.5 KB

122.248.204.187

image770×724 42.5 KB

54.240.199.107

image773×758 43.7 KB

Redacted some parts of the hostname in the firewall event and firewall expression rule which are not relevant in this context.

Issue just recurred

122.248.204.187

image824×779 40.3 KB

For sure this request was a bot, especially with that kind of UA, and allowed by Known Bots…

54.153.80.133

image821×779 39.7 KB

I think I might have to exclude all AS16509 through Known Bots and manually filtering them for the time being…

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.