Retrieve IP from new analytics dashboard to block suspicious requests

I discovered some phishy robotic activity on one of the sites using the new Analytics dashboard. I noticed that there is some robotic activity trying to generate repetitive requests on one of the site pages. Probably a negative SEO attack.

The requests are clearly robotic. The visit numbers are consistent and they all originate from one country. I thought of blocking this IP but I couldn’t find anything in the new dashboard that can help. I can only see the below details:

Referers: None (Direct)
Browsers: Unknown
Operating systems: Unknown
Device types: Desktop

Any idea of how to block this specific robot generating all those requests?

That’s a big wish of mine. To have something integrated like:
Referers: None (Direct) [BLOCK] [CHALLENGE] [ALLOW]
Browsers: Unknown [BLOCK] [CHALLENGE] [ALLOW]
Operating systems: Unknown [BLOCK] [CHALLENGE] [ALLOW]
Device types: Desktop [BLOCK] [CHALLENGE] [ALLOW]

So there would be buttons after key info that will let you easily block/challenge unwanted traffic, or allow something that keeps getting blocked.

But you said you want to block the IP address. You can do this from Firewall -> Tools, or in a Firewall Rule.

By the way, what’s that graph from?

Well yes, but the analytics do not list the IP. I assumed all those requests are generating from the same IP address and I thought that I should block it but the IP does not show anywhere.

The graph is from the new analytics dashboard (beta) under the “Visits” tab.

@sdayman I found a cool trick to block the IP. I created a “Rate Limiting” rule to block all repetitive requests from the same IP on that page. Once the IP is rate limited, I get to see it in the Firewall logs and I can simply create a Firewall rule and block it :slight_smile: :v:
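
An added example, not part of the original thread and not Cloudflare's code: the check the rate limiting rule above performs (repetitive requests from one IP on one page) can also be run over origin access logs to surface the IP. It assumes the origin logs the visitor address from the `CF-Connecting-IP` header as the first field; the log format, function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (hypothetical) origin log format: "<visitor ip> [<ISO time>] "<request>" <status>"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def build_sample():
    """Constructed log lines: one client hammering /en/, a few ordinary visitors."""
    base = datetime(2021, 1, 1, 12, 0, 0)
    lines = []
    for i in range(5):  # ordinary visitors, one request each
        ts = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f'198.51.100.{i + 1} [{ts}] "GET /en/ HTTP/1.1" 200')
    for i in range(30):  # robotic client, one request every 2 seconds
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f'203.0.113.7 [{ts}] "GET /en/ HTTP/1.1" 200')
    lines.append("malformed line that the parser must skip")
    return lines

def find_repetitive_clients(lines, path, threshold=10, period=60):
    """Return {ip: peak request count} for IPs that reach `threshold`
    requests to `path` within any sliding window of `period` seconds."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["path"] == path:
            events.append((datetime.fromisoformat(m["ts"]), m["ip"]))
    windows = defaultdict(deque)  # per-IP timestamps inside the current window
    peak = defaultdict(int)
    for ts, ip in sorted(events):  # logs may be unordered; process by time
        w = windows[ip]
        w.append(ts)
        while (ts - w[0]).total_seconds() >= period:
            w.popleft()  # drop requests older than the window
        peak[ip] = max(peak[ip], len(w))
    return {ip: n for ip, n in peak.items() if n >= threshold}

SAMPLE = build_sample()

if __name__ == "__main__":
    for ip, count in find_repetitive_clients(SAMPLE, "/en/").items():
        print(f"{ip}: {count} requests to /en/ within 60s")
```
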

@sdayman I agree that would be a great feature. Too many Unknowns obviously means there are some bad actors out there. Would be nice to simply block them by this category seeing as that’s how they are listed in the new Analytics Beta dashboards.

@rami.zebian thanks for your workaround. We are having the same traffic after a Pharma hack so I know it’s for sure Negative SEO that keeps hitting the site. I’ve set up a firewall rule to block some foreign countries but they are using TOR or VPNs so it’s not completely effective at stopping it all.

@smcdonnell I suggest that you create a rate-limiting rule. This will block the suspicious repetitive requests from any country. Out of curiosity, what was the page they were trying to hit?

They are trying to hit our main site folder that is under the root folder, mostly http://ourdomain.com/en/
This is a redirect from ourdomain.com

They also hit the company WordPress blog pretty hard. Those seem to have been stopped by tightening the Managed Cloudflare rules. So now they are hitting the main site looking for a way back in.

@smcdonnell Try increasing the “Security Level” option to “medium” and activate the “Bot Management” and monitor. In my case, it stopped but I am still not sure this was the reason. Let me know if that works for you.

@rami.zebian Do you mean the OWASP Mod rules?

If so, I already have them set to medium.

Also, where do I find the “Bot Management”?

@smcdonnell I am referring to the settings under Firewall > Settings > Security Level. There you can find Bot Fight Mode* too.

*It may block access to your APIs and prevent access from mobile applications.