My website is under DDoS attack - Under Attack Mode not working

Oh, if you're the same person from the XenForo forums whom I directed to ask on this forum, then XenForo's image and link proxy (Options - XenForo 2 Manual) can reveal your server's real IP by default unless you configure a separate forward HTTP proxy server and set it in the XenForo config file with $config['http']['proxy'] (Config.php options - XenForo 2 Manual):

HTTP client settings

These settings control the behavior of the internal XenForo HTTP client, which is used to fetch resources from across the internet, such as images and web pages when using the Image and link proxy.

  • $config['http']['sslVerify'] = null ;
  • $config['http']['proxy'] = null ;

The sslVerify setting will force the system to verify the SSL certificate of any sites it visits using SSL/HTTPS when requesting resources. Setting this value to true can be of benefit in some circumstances, but there are a number of ways that SSL certificate verification can fail, resulting in an inability to fetch the resource requested. If in doubt, leave this setting alone.

If you want the internal XenForo HTTP client to perform its requests through a proxy, enter the proxy server’s address in the proxy setting.

That's what I do for my XenForo forums. You can see the discussion at XF 1.5 - Untrusted Http Client | Page 3 | XenForo community

1 Like

When emails are sent, there is no IP in the email content or in bounced emails.

It's in the email source headers, not the content.

For example, in Gmail, open the email and go to More > Show original to view the source of the email.
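The check above, done programmatically, as an added example that is not part of the thread: the script reads a raw message source (what Gmail's "Show original" gives you), walks the Received: headers from the first hop to the last and reports the address the forum's mail left from. The message is constructed; 203.0.113.10 stands in for the forum's origin and the other hosts are placeholders.

```python
"""Pull the originating server's IP out of an email's Received headers.

Added example, not from the thread. The message below is constructed:
203.0.113.10 plays the forum origin, the other hosts are placeholders.
"""
import email
import ipaddress
import re
from email import policy

# Each relay prepends its own Received header, so the top one is the last
# hop and the bottom one is the first relay that accepted the message from
# the forum server (and therefore the one that records the origin's IP).
RAW_MESSAGE = b"""\
Delivered-To: victim@example.com
Received: from mx.example.com (mx.example.com. [198.51.100.25])
        by mail.example.org with ESMTPS id abc123
        for <victim@example.com>; Mon, 01 Jan 2024 10:00:02 +0000
Received: from forum.example.net (forum.example.net [203.0.113.10])
        by mx.example.com (Postfix) with ESMTPS id 4F1C2A
        for <victim@example.com>; Mon, 01 Jan 2024 10:00:01 +0000
From: Forum <noreply@forum.example.net>
To: victim@example.com
Subject: Password reset
Message-ID: <abc@forum.example.net>

Click the link to reset your password.
"""

IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
HOP_RE = re.compile(r"from\s+(\S+)\s+(.*?)\s*\bby\s+(\S+)", re.IGNORECASE | re.DOTALL)

# Internal hops (LAN relays, localhost) are not the public origin address.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def parse_received(value):
    """Return {'from', 'ip', 'by'} for one Received header value, or None."""
    m = HOP_RE.search(" ".join(value.split()))   # unfold continuation lines
    if not m:
        return None
    from_host, from_extra, by_host = m.groups()
    ips = [ip for ip in IPV4_RE.findall(from_extra) if not is_local(ip)]
    return {"from": from_host, "ip": ips[0] if ips else None, "by": by_host}


def received_chain(raw):
    """All hops in transit order: index 0 is the first relay after the sender."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    return [h for h in hops if h]


def origin_ip(raw):
    """The public IP the first relay saw the message arrive from."""
    for hop in received_chain(raw):
        if hop["ip"]:
            return hop["ip"]
    return None


def mentions_ip(raw, ip):
    """True if `ip` appears in any header at all (a quick leak check)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return any(ip in str(v) for v in msg.values())


if __name__ == "__main__":
    for hop in received_chain(RAW_MESSAGE):
        print(f"{hop['from']} ({hop['ip']}) -> {hop['by']}")
    print("origin:", origin_ip(RAW_MESSAGE))
```

Run it against a message your forum actually sent you and compare `origin_ip` with the server's public address. If the forum hands mail to a third-party relay instead, check whether that relay records the submitting address in its own Received line; some do, so relaying alone is not a guaranteed fix.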

I just checked and you are right about the IP being displayed. Please give me a step-by-step process to remove the IP, since you have experience with this.

  • $config['http']['sslVerify'] = null ;
  • $config['http']['proxy'] = null ;

What's the process for achieving this? I am lost here. Thanks.

Best to read XF 1.5 - Untrusted Http Client | Page 3 | XenForo community. You'd need to get a separate second server, i.e. a VPS (I usually go with a VPS provider with DDoS protection support), install a forward HTTP proxy like tinyproxy or 3proxy on that second VPS, and configure it. Then update the XenForo config to point to that configured second server's IP in the proxy setting, as outlined in the XenForo thread link.

That should be sufficient and what I’d recommend.

If you want to go one step further (more complicated), set up GRE tunnels (https://www.cloudflare.com/en-au/learning/network-layer/what-is-gre-tunneling/) on the second, DDoS-protected VPS so you proxy all traffic from the live forum VPS through that DDoS-protected VPS. That's what Cloudflare Magic Transit does!

How does Cloudflare use GRE tunneling?

In order for Magic Transit to protect and accelerate customers’ network traffic, the Cloudflare network has to be securely connected to customers’ internal networks. For this purpose, GRE tunneling is extremely useful. Via GRE tunneling, Magic Transit is able to connect directly to Cloudflare customers’ networks securely over the public Internet.

Magic Transit is built on the Cloudflare Anycast network. This means that any Cloudflare server can serve as the endpoint for a GRE tunnel using a single IP address, eliminating single points of failure for GRE tunnel connections (Cloudflare also uses this approach to connect Magic WAN customers). To learn more about how Magic Transit works, see our Magic Transit product page.

1 Like

I use a firewall here and I filtered ASN AS14618 AMAZON-AES, and there are about 53,680 items using that ASN. Is it OK to block it?

Depends.

I saw multiple crawlers/bots coming from it. I asked myself the same: should I block it or not that way (or at least in some combination, using Firewall Rules to allow Pinterest and Disqus within that ASN, for example, while blocking the others as listed below)?

Mozilla/5.0 (compatible; proximic; +https://www.comscore.com/Web-Crawler)
ias-Xa/3.1 (+https://www.admantx.com/service-fetcher.html)
Mozilla/5.0 (compatible; Pinterestbot/1.0; +http://www.pinterest.com/bot.html)
Mozilla/5.0 (compatible; TTD-Content; +https://www.thetradedesk.com/general/ttd-content)
Disqus/1.0
axios/0.21.1
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)
Python/3.6 aiohttp/3.5.4
trendkite-akashic-crawler
Apache-HttpClient/4.5.13 (Java/1.8.0_312)

I also block this user agent because there were more than 10,000 on the list within 24 hours.

(http.user_agent eq "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.2.5 (KHTML, like Gecko) Version/8.0.2 Safari/600.2.5 (Amazonbot/0.1; +https://developer.amazon.com/support/amazonbot)")
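The "allow Pinterest and Disqus within the ASN, block the rest" combination asked about above, as an added example that is not from the thread and is not Cloudflare's evaluator: firewall rules are evaluated in order and the first match wins, so the allow rule for the wanted crawlers has to sit above the ASN-wide block. The records, the field names asn and user_agent, and ASN 64496 (a documentation ASN) are assumptions of this script; in Cloudflare's own expression language the corresponding fields are ip.geoip.asnum and http.user_agent. The user-agent strings are the ones listed in the post.

```python
"""First-match rule ordering for an ASN that carries wanted and unwanted bots.

Added example, not from the thread and not Cloudflare's code. Field names and
sample records are assumptions; user agents come from the post above.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

AMAZON_ASN = 14618   # AMAZON-AES, the ASN asked about

# Crawlers the post wants to keep even though they arrive from AS14618.
ALLOWED_IN_AMAZON = ("Pinterestbot/", "Disqus/")

AMAZONBOT_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.2.5 "
                "(KHTML, like Gecko) Version/8.0.2 Safari/600.2.5 "
                "(Amazonbot/0.1; +https://developer.amazon.com/support/amazonbot)")

# Bare HTTP-library user agents: challenge rather than block, so a person
# behind an odd network still gets through while a plain script does not.
LIBRARY_PREFIXES = ("axios/", "Python/", "Apache-HttpClient/")


@dataclass
class Rule:
    name: str
    action: str                       # allow | block | challenge
    match: Callable[[Dict], bool]


RULES: List[Rule] = [
    Rule("allow wanted crawlers in AS14618", "allow",
         lambda r: r["asn"] == AMAZON_ASN
         and any(s in r["user_agent"] for s in ALLOWED_IN_AMAZON)),
    Rule("block the Amazonbot UA from anywhere", "block",
         lambda r: r["user_agent"] == AMAZONBOT_UA),
    Rule("block the rest of AS14618", "block",
         lambda r: r["asn"] == AMAZON_ASN),
    Rule("challenge bare HTTP libraries", "challenge",
         lambda r: r["user_agent"].startswith(LIBRARY_PREFIXES)),
]


def evaluate(request: Dict, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, rule name) for the first matching rule, else allow."""
    for rule in rules:
        if rule.match(request):
            return rule.action, rule.name
    return "allow", "no rule matched"


# Constructed requests; 64496 is a documentation ASN used as "somewhere else".
SAMPLE_REQUESTS = [
    {"asn": 14618, "user_agent": "Mozilla/5.0 (compatible; Pinterestbot/1.0; +http://www.pinterest.com/bot.html)"},
    {"asn": 14618, "user_agent": "Disqus/1.0"},
    {"asn": 14618, "user_agent": "axios/0.21.1"},
    {"asn": 14618, "user_agent": AMAZONBOT_UA},
    {"asn": 64496, "user_agent": "Python/3.6 aiohttp/3.5.4"},
    {"asn": 64496, "user_agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
]


def decisions(requests=SAMPLE_REQUESTS, rules=RULES):
    """Map each sample user agent to the action it receives under `rules`."""
    return {r["user_agent"]: evaluate(r, rules)[0] for r in requests}


if __name__ == "__main__":
    for ua, action in decisions().items():
        print(f"{action:9s} {ua[:60]}")
```

The Googlebot record falls through every rule and is allowed, which is the property that was lost in the later report of a user-agent block catching Googlebot. Reordering the list so the ASN block comes first silently turns the Pinterest allow into a block, so keep the allow rules at the top when you translate this into real firewall rules.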

If they are coming from the same or similar locations, then yeah, you're probably under a DDoS attack!

They are probably using a VPN

Well, there really is no way; they could get around firewall rules by simply using a VPN.

Question

With all of that being said, what’s the domain?

https://developer.amazon.com/support/amazonbot

2 Likes

Challenge the ASN; who cares if they're using a VPN, network users should expect this from time to time. Challenge the user agent and set up rate limiting, as it doesn't get charged for DDoS with Cloudflare.

If you've got back-end access and use Nginx, for example, you can set your own rate limiting and ban breaches on both the server and Cloudflare with something like fail2ban actions and filters automatically. This is super effective and cheap for the type of DDoS you've got; you can also set up booby traps and more this way.

Many more options to deal with this script kiddie.

3 Likes

Hi, can you provide your domain? Thanks.

I have a lot of ASNs that are the same; is it best to block the ASN or block the user agent? The last time I blocked a user agent with Brazil as the target country, it seems Googlebot was affected.

I don't have the WAF and am using the free plan.

Since my IP is leaked, I guess preventing the DDoS attack will be difficult with Cloudflare.

These are the forum paths targeted by the DDoS attack:

/service_worker.js
/favicon.ico
/
/members/luckypig.37478/

My IP has already been leaked in my XenForo forum and my site has been under DDoS attack for more than 12 hours; the attacks have been going on for more than 3 weeks. I suspect the purpose of the DDoS attack is to derank the site from Google's first page. I suspect someone is being paid for the attack. The attack can last more than 4-6 hours.

I have applied some firewall rules to block the paths being attacked, such as:

/service_worker.js
/favicon.ico
/
/css.php

The attack is spreading to more paths and to almost all countries; the US and India are the highest.

Is there any other solution to stop the DDoS? I am using a free plan.

You will have to block any traffic not originating from Cloudflare IPs. Otherwise attackers can just bypass Cloudflare.

1 Like
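An added example, not part of the thread and not fail2ban's own code, covering both the "rate limit on the server and ban with fail2ban" suggestion earlier and the "block anything not from Cloudflare" reply above. On a few constructed nginx log lines it flags requests whose TCP peer is not a Cloudflare edge (traffic that reached the origin directly, which is what the allow-list stops), and for traffic that did come through Cloudflare it counts requests per real client in a sliding window and reports the ones over the limit, which is the decision a fail2ban filter makes before its action bans the address. It assumes nginx logs `$remote_addr $http_cf_connecting_ip [$time_local] "$request" $status`; the Cloudflare ranges are a partial hand-copied snapshot that you must refresh from https://www.cloudflare.com/ips-v4 before relying on them; all IPs in the sample are documentation addresses.

```python
"""Origin access-log audit: requests that bypassed Cloudflare, and per-client rates.

Added example, not from the thread and not fail2ban's code. The log lines are
constructed. Assumed log format:
  '$remote_addr $http_cf_connecting_ip [$time_local] "$request" $status'
The Cloudflare ranges are a partial hand-copied snapshot; refresh them from
https://www.cloudflare.com/ips-v4 before use.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

CLOUDFLARE_V4 = [
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13", "104.24.0.0/14",
    "172.64.0.0/13", "131.0.72.0/22", "108.162.192.0/18", "141.101.64.0/18",
    "162.158.0.0/15", "188.114.96.0/20", "190.93.240.0/20", "197.234.240.0/22",
    "198.41.128.0/17",
]
CF_NETS = [ipaddress.ip_network(c) for c in CLOUDFLARE_V4]
LOG_RE = re.compile(r'^(\S+) (\S+) \[([^\]]+)\] "([^"]*)" (\d{3})$')


def is_cloudflare(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CF_NETS)


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    peer, cf_ip, when, request, status = m.groups()
    return {"peer": peer, "client": None if cf_ip == "-" else cf_ip,
            "time": datetime.strptime(when, "%d/%b/%Y:%H:%M:%S %z"),
            "request": request, "status": int(status)}


def parse_records(lines):
    return [r for r in map(parse_line, lines) if r]


def direct_hits(records):
    """Requests that bypassed Cloudflare: the TCP peer is not an edge address."""
    return [r for r in records if not is_cloudflare(r["peer"])]


def ban_candidates(records, limit=10, window=60):
    """Clients with more than `limit` requests inside any `window` seconds.

    Returns {client_ip: time the limit was first exceeded}. Keyed on the
    CF-Connecting-IP when present, otherwise on the peer, so the Cloudflare
    edges themselves never end up in one shared bucket.
    """
    recent = defaultdict(deque)
    flagged = {}
    for r in sorted(records, key=lambda r: r["time"]):
        key = r["client"] or r["peer"]
        q = recent[key]
        q.append(r["time"])
        while (q[-1] - q[0]).total_seconds() > window:   # drop stale entries
            q.popleft()
        if len(q) > limit and key not in flagged:
            flagged[key] = r["time"]
    return flagged


def nginx_cloudflare_only():
    """nginx directives: trust CF-Connecting-IP from, and admit only, Cloudflare."""
    lines = [f"set_real_ip_from {c};" for c in CLOUDFLARE_V4]
    lines.append("real_ip_header CF-Connecting-IP;")
    lines += [f"allow {c};" for c in CLOUDFLARE_V4]
    lines.append("deny all;")
    return "\n".join(lines)


# --- constructed sample log --------------------------------------------------
def _cf_line(edge, client, t, path, status=200):
    return f'{edge} {client} [{t:%d/%b/%Y:%H:%M:%S %z}] "GET {path} HTTP/1.1" {status}'


BASE = datetime(2024, 1, 1, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # one client hitting service_worker.js once a second through a Cloudflare edge
    [_cf_line("172.71.10.5", "203.0.113.50", BASE + timedelta(seconds=i),
              "/service_worker.js") for i in range(12)]
    # a normal visitor: three requests spread over ten seconds
    + [_cf_line("162.158.90.1", "192.0.2.8", BASE + timedelta(seconds=5 * i), "/")
       for i in range(3)]
    # a request that skipped Cloudflare entirely: no CF-Connecting-IP at all
    + ['198.51.100.77 - [01/Jan/2024:10:00:30 +0000] "GET /members/luckypig.37478/ HTTP/1.1" 200']
)

if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("direct hits:", [r["peer"] for r in direct_hits(recs)])
    print("ban candidates:", ban_candidates(recs))
```

Two practical notes. Enforce the allow-list in the host firewall (iptables/nftables) as well as, or instead of, the nginx `allow`/`deny` pair, since nginx still completes the TCP handshake before it denies. And if rate limiting is done with nginx's `limit_req` keyed on `$binary_remote_addr`, the `set_real_ip_from`/`real_ip_header` lines are what make that key the visitor's address rather than the edge's; without them every Cloudflare edge shares one bucket and real visitors get limited together.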

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.