Malicious traffic on Sign in Page

Hello,

On my website, on one of the pages [Sign in Page], the traffic has increased significantly in the last few days. This is direct traffic without any referer or marketing, and it is coming from various countries, especially the US and Canada. I opened my Google Analytics account and checked that my bounce rate has increased as well. All the traffic coming to that page seems to be malicious, with the purpose of spoiling our SEO.
It seems to be bot attacks.
I have turned on Bot Fight Mode and all the firewall rules.
I have received about 10K traffic with a 99% bounce rate and 1sec session rate on that page in the last 7 days.

Is there a way you guys can help me out? It would be a great help.

It seems like you’re under a DDoS attack! For more help on what to do, visit https://support.cloudflare.com/hc/en-us/articles/200170196-Responding-to-DDoS-attacks

Consider sending a JS challenge for traffic coming from these countries with an empty referer. This can be done by creating a new firewall rule.

3 Likes

Thank You, I have done all the recommended steps but the problem still persists.

It bypasses the JS challenge in the Firewall. I had filtered it based on the country. What it cannot bypass is Captcha or Block mode. But I cannot use Captcha or Block as it will create a problem for the good bots.
Let me know if this firewall rule is correct. Though it’s not effective.
(http.request.full_uri eq "https://www.mydomain.com/signin" and ip.geoip.country eq "US")

I want to send Captcha only to users who land on the particular page and are from the US.

What plan are you on? With Pro Plan you can use Zone Lockdown so only IP Addresses you select can access the Sign In page

If on the Free Plan I’d ask:
Why do bots need to access your login page?
If it is just for admin use then there should be no SEO problem blocking it entirely from people and bots (and then when you need to login simply turn the block off temporarily)

Hey, thank you so much for your reply. I am on the Pro plan. But it’s not just about the Login Page; can there be a permanent solution for the same? What if my Home Page is attacked tomorrow by the bad bots? How do I then filter them? The bots are coming from different countries and 5-10 are always active on the website in Real Time.

In that case I would follow the instructions here

Particularly the below:

Monitor the Firewall Events Log to see if there is any pattern that you can see from the attackers when they hit the captcha challenge. You can then narrow down who you present the captcha challenge to. For instance, if the attacks all come from one country, you could just challenge visitors from that country. If they all use the same user agent, you can challenge all requests from that user agent and you should be able to make your rules more specific to minimise the effect on genuine site visitors while still slowing / stopping the attack.
For example, you could use a rule like:

with the country and user agent that the attacks are coming from and captcha challenge or even block these requests.

I don’t understand what exactly this is. These bots can even bypass Under Attack Mode. Can someone help me figure out what exactly are these?

Just to confirm, this isn’t the issue?

Under Attack mode is a low hurdle. You might want to turn that off and go with a Firewall Rule instead that throws up a CAPTCHA. At least with that, you can begin to exclude what looks like legitimate traffic based on your firewall logs. Or those same logs might show a pattern as described in the DDoS instructions above.

This CAPTCHAs anything that’s not a good bot:

Thanks for your reply. I tried the rule you suggested but the traffic is also able to bypass the captcha. Can bots bypass it? Or is this some other type of attack? At any given hour, I have 18-20 real-time users landing directly on the Sign-in page and bouncing off within a sec, just spoiling our entire Google Analytics.

At this point, I suspect they’re bypassing Cloudflare and hitting your server directly, so the Firewall here isn’t going to do you any good.

1 Like

How can I stop them from bypassing Cloudflare?

You need to whitelist Cloudflare IPs in your host and block anything else.

https://support.cloudflare.com/hc/en-us/articles/201897700-Allowing-Cloudflare-IP-addresses

2 Likes
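
An added example, not from the thread or from Cloudflare: one way to confirm the suspicion above before changing the origin firewall is to check the origin's own access log for requests whose TCP peer is not a Cloudflare address. It assumes a combined-format access log; `CLOUDFLARE_RANGES` is only a subset of the published list, and the function names and sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Subset of Cloudflare's published ranges, for illustration only; load the
# current full list from the article linked above in real use.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13", "2400:cb00::/32",
)]

# Constructed sample lines in nginx/Apache "combined" format. Field 1 must be
# the TCP peer address, not a client IP restored from a forwarded header.
SAMPLE_LOG = """\
104.16.12.7 - - [10/Mar/2021:10:00:01 +0000] "GET /signin HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2021:10:00:02 +0000] "GET /signin HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2021:10:00:03 +0000] "GET /signin HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2021:10:00:04 +0000] "GET / HTTP/1.1" 200 900 "-" "curl/7.68.0"
173.245.50.1 - - [10/Mar/2021:10:00:05 +0000] "GET /about HTTP/1.1" 200 700 "-" "Mozilla/5.0"
not a log line
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def is_cloudflare(addr):
    """True if addr falls inside one of the listed Cloudflare networks."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on non-IP input
    return any(ip in net for net in CLOUDFLARE_RANGES)

def direct_hits(log_text):
    """Count requests per (peer, path) that did not arrive via Cloudflare."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines
        peer, _method, path, _status = m.groups()
        try:
            if is_cloudflare(peer):
                continue  # proxied request, the Cloudflare firewall saw it
        except ValueError:
            continue  # first field was not an IP address
        hits[(peer, path)] += 1
    return hits

if __name__ == "__main__":
    for (peer, path), n in direct_hits(SAMPLE_LOG).most_common():
        print(f"{n:5d}  {peer:<15}  {path}")
```

Any peer this reports reached the origin without passing through Cloudflare, which is the traffic an allowlist at the host would drop. If the web server is configured to replace the logged address with the visitor IP from a Cloudflare header, log the raw peer address separately before running a check like this.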
