Query string

Hello everyone, I want to stop all traffic without a query string. How do I do this? Thank you.

Could you create a firewall block rule with this condition?

(http.request.uri.query ne "")

I do not understand what you mean

If you are using Cloudflare and your domain is proxied (“orange cloud”) then you can click on the Firewall tab and click Firewall Rules to create a rule like the one I mentioned.

Why would you want to do this? I’m a bit confused.

Yes I did but it doesn’t work

Because all the attacking traffic comes without a Query string and I want to stop any traffic without a Query string

(http.request.uri.query ne "") is an entire expression. It is not a value of the field.

Either:

  1. Set “URI Query String” not equals to empty string (leave the value blank), or
  2. Click “Edit expression” and paste (http.request.uri.query ne "")

That makes sense however what about organic traffic without any query string?

Actually, I don’t know

Then all organic traffic will be lost. So is it a good decision?

You create the rule with an empty “Value”

Or you click “Edit expression” and enter the expression

Either way you have to consider ALL your traffic. As mentioned, real people will try to visit your website by just entering the domain name and this rule will block that kind of traffic too.

What’s “attacking traffic”? Is it volume? Do they all use the same user agent from the same IP or ASN?

You should be able to identify something that makes it easier to block this kind of traffic. Have you tried Super Bot Fight Mode (if it’s a paid account)? Have you tried blocking traffic from cloud platforms where they aren’t known bots?

For example, the rule below blocks non-known bots traffic coming from Azure, AWS, GCP, Vultr, DigitalOcean - it’s very effective and should be better than blocking all requests without a query string:

You could block HETZNER AS24940 and OVH AS16276 in Firewall | Tools because those AS don’t host any known bots and it’s a source of bad traffic (the Indian AS in the screenshot below is just a local VPN exit point we block, shouldn’t be relevant to your case):

For example, this is the Block actions in last 72 hours for my domain - you can see the OVH AS16276 spikes there:

Thank you for the clarification and explanation.
Yes, I do this, but the problem is that I have banned more than 500 IPs and the attack continues. The problem is, I don’t want to block ASNs. I tried to block all ASNs but this is less traffic.
I also banned a lot of User Agents but the attacker comes up with something different too, and I don’t know what to do with him.
I also banned a lot of paths but it also comes with something else.
I don’t know what to do with this cowardly bastard.

I don’t block User Agents as these can easily be spoofed and you end up blocking actual people.

The ASNs I listed are safe to block - they are cloud providers, not consumers. People run cheap virtual machines on these providers for attacks. Generally, blocking cloud ASNs is safe, but you should use rules for this.

For example I block OVH because I know no known bots use their services.

I block Azure, GCP, AWS, Vultr using a firewall rule because I can put this rule down after an ALLOW for services I know might be using these - for example we use updown.io and they might use AWS or GCP so I have an ALLOW rule for updown.io and at the bottom of my firewall list I have that ASN block rule that is a catchall for everything else (except known bots).

IP addresses outside of those ASN I gave you should be safe but the general rule is if it’s a cloud provider, block it.

Of course, if sophisticated attackers are using compromised consumer routers and computers then you have a different problem - those are usually generating attacks in the millions of requests per second and your problem is not something the free or pro accounts will solve easily.

I don’t have the impression you are at those levels yet.

I have just posted a long post here, “The (firewall) rules we follow” (Security - Cloudflare Community), that might make it clear to you (and others) what and how to prevent aggressive scans and malicious bots.
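Added example, not part of the thread or any poster's configuration: a small Python model of the rules discussed above, scored over constructed requests to show how much attack and organic traffic each one blocks. The sample requests, the monitor IP, the private-use ASN 64512 and every ASN other than 24940 and 16276 are assumptions introduced for the example.

```python
# Constructed requests: (src_ip, asn, known_bot, query_string, ground_truth)
# ASN 64512 is a private-use number standing in for a consumer ISP.
SAMPLE = [
    ("198.51.100.7", 16276, False, "", "attack"),
    ("198.51.100.8", 24940, False, "", "attack"),
    ("198.51.100.9", 16509, False, "x=1", "attack"),
    ("192.0.2.90", 64512, False, "", "attack"),            # consumer device
    ("192.0.2.44", 64512, False, "", "organic"),           # bare-domain visit
    ("192.0.2.45", 64512, False, "utm_source=news", "organic"),
    ("192.0.2.46", 15169, True, "", "organic"),            # known bot
    ("203.0.113.10", 16509, False, "", "organic"),         # uptime monitor
]

# 24940 (Hetzner) and 16276 (OVH) come from the thread; the other numbers are
# published ASNs of the providers it names, added for this example.
CLOUD_ASNS = {24940, 16276, 16509, 14618, 15169, 396982, 8075, 14061, 20473}
MONITOR_IPS = {"203.0.113.10"}  # hypothetical allow-list entry

def block_empty_query(req):
    # Models: (http.request.uri.query eq "")  -> request has no query string
    return "block" if req[3] == "" else "pass"

def block_nonempty_query(req):
    # Models: (http.request.uri.query ne "")  -> request has a query string
    return "block" if req[3] != "" else "pass"

def allow_then_block_cloud(req):
    ip, asn, known_bot, _query, _truth = req
    if ip in MONITOR_IPS:                      # ALLOW rule, evaluated first
        return "allow"
    if asn in CLOUD_ASNS and not known_bot:    # catch-all at the bottom
        return "block"
    return "pass"

def score(rule, requests=SAMPLE):
    """Count blocked requests per ground-truth label."""
    result = {"attack_blocked": 0, "organic_blocked": 0}
    for req in requests:
        if rule(req) == "block":
            result[req[4] + "_blocked"] += 1
    return result

if __name__ == "__main__":
    for rule in (block_empty_query, block_nonempty_query, allow_then_block_cloud):
        print(f"{rule.__name__:24} {score(rule)}")
```

On this sample the empty-query rule blocks as many organic requests as attack requests, while the ordered allow-then-block rule blocks none of the organic ones. The attack request from a consumer network still passes the ASN rule.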

Yes, really, as you said, the attackers use routers and computers, and this is a big problem.
They also use phones in the attack, but the phones are weak and do not affect the website.
I think I found the location of the attacking computers and they are in a place in Egypt, and I blocked ASNs for this place.
He is now attacking with mobile devices and he can’t drop my website with a mobile phone.

You didn’t want to disclose your domain before and didn’t want to block a whole ASN. Looking at those IP addresses I’d say your audience is located in the Mediterranean, Middle-East and North Africa.

Can’t you just block some countries, or do you really depend on these?

Yes, you are right.
Most of my site traffic is from the Middle East.
Unfortunately, I banned Egypt and a large traffic was coming from it.
But I am looking for a solution.
