Earlier today I was hit by a large-scale DDoS that took my site down after 22 minutes by exhausting all my AWS burst credits. Even when the site went down, Cloudflare still didn’t block any of the DDoS connections. Thanks to judicious logging I was able to identify all the sources of the attack, but obviously it is difficult, since each IP is sending just one or two requests and they are all coming from a wide variety of IPs. However, almost all the IPs are registered to one of two companies:
- FINE GROUP SERVERS SOLUTIONS LLC.
- TrafficTransitSolution LLC.
As far as I can tell, both of these are fake companies that have somehow managed to register literally hundreds of /23 and /24 address ranges. I manually input more than 60 ranges into my firewall, but I don’t think that is even half of them. There were a few other companies besides these two, but one (probably fake) person’s name, Aleksei Filippenko, was listed as the registrant for all of them.
My question is: when it’s so clear that these two fake companies are used for nothing but abuse (even Scamalytics agrees), why does Cloudflare do nothing to mitigate access to their sites, including mine, which was on the medium security level? I subsequently had to bump it up to “I’m under attack”, of course, but this also negatively impacts real visitors, which should be avoided.
My frustration is in spending literally hours collecting, collating and querying all these IP address ranges to add their CIDRs to my firewall. I could not find a (free) database of all the address ranges registered by these two fraudulent companies, but I imagine a company such as Cloudflare would have access to such a list, and it would therefore be trivial for them to block these ranges. Why haven’t they?
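The collation step the post describes (many source IPs, one or two requests each, grouped into registrant-sized /23 and /24 blocks and fed to a firewall) can be scripted rather than done by hand. The following is an added example, not code from the original post or from Cloudflare. The log lines are constructed in Apache/nginx "combined" format using RFC 1918 and RFC 5737 addresses that have nothing to do with the companies named above; the allow list, the thresholds, the nftables set name and the use of the Cloudflare Rules-language form `ip.src in {…}` are all assumptions for the example. It flags /24s where at least three distinct addresses each send about two requests or fewer, merges neighbouring prefixes (two adjacent /24s become one /23), and renders the result as a Cloudflare custom-rule expression and as an nftables set.

```python
"""Collate a one-or-two-requests-per-IP flood from origin access logs into a
compact CIDR block list. Added example; not code from the original post."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines. The addresses are RFC 1918 / RFC 5737 space and are
# NOT the ranges of any company named in the post. If the origin sits behind
# Cloudflare, the logged client address must be CF-Connecting-IP (or the
# restored client IP); logging the TCP peer would attribute every request to a
# Cloudflare edge address and the block list below would block Cloudflare itself.
SAMPLE_LOG = """\
10.20.4.7 - - [12/Mar/2024:10:01:02 +0000] "GET /?q=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.20.4.19 - - [12/Mar/2024:10:01:02 +0000] "GET /?q=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.20.4.133 - - [12/Mar/2024:10:01:03 +0000] "GET /?q=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.20.4.200 - - [12/Mar/2024:10:01:03 +0000] "GET /?q=4 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.20.4.200 - - [12/Mar/2024:10:01:04 +0000] "GET /?q=5 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.20.5.2 - - [12/Mar/2024:10:01:04 +0000] "GET /?q=6 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.20.5.88 - - [12/Mar/2024:10:01:05 +0000] "GET /?q=7 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.20.5.241 - - [12/Mar/2024:10:01:05 +0000] "GET /?q=8 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.77.1.10 - - [12/Mar/2024:10:01:06 +0000] "GET /?q=9 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.77.1.11 - - [12/Mar/2024:10:01:06 +0000] "GET /?q=10 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.77.1.12 - - [12/Mar/2024:10:01:07 +0000] "GET /?q=11 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2024:10:01:07 +0000] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2024:10:01:08 +0000] "GET /style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2024:10:01:08 +0000] "GET /app.js HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2024:10:01:09 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2024:10:01:09 +0000] "GET /robots.txt HTTP/1.1" 200 60 "-" "curl/8.0"
"""

# Client IP, ident, user, [timestamp], "request", status. Anything else is skipped.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3}')

# Assumed allow list: networks that must never be blocked (office, uptime
# monitor, payment webhooks). Replace with your own.
ALLOW_LIST = ["203.0.113.0/24"]


def requests_per_ip(log_text):
    """Count requests per client IP, skipping lines that do not parse."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue
        counts[ip] += 1
    return counts


def group_by_prefix(ip_counts, prefix_len=24):
    """Map each IPv4 /prefix_len network to (distinct IPs, total requests)."""
    groups = defaultdict(lambda: [0, 0])
    for ip, n in ip_counts.items():
        if ip.version != 4:  # IPv4 only, for brevity
            continue
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        groups[net][0] += 1
        groups[net][1] += n
    return {net: tuple(v) for net, v in groups.items()}


def suspect_prefixes(ip_counts, prefix_len=24, min_distinct_ips=3, max_mean_requests=2.0):
    """Flag prefixes showing the distributed pattern: many distinct IPs, few
    requests each. One busy IP (a real visitor loading a page) is not flagged."""
    flagged = []
    for net, (distinct, total) in group_by_prefix(ip_counts, prefix_len).items():
        if distinct >= min_distinct_ips and total / distinct <= max_mean_requests:
            flagged.append(net)
    return sorted(flagged)


def collapse_blocklist(networks, allow_list=ALLOW_LIST):
    """Drop anything overlapping the allow list, then merge adjacent prefixes
    so the firewall gets the smallest equivalent set of entries."""
    allow = [ipaddress.ip_network(a) for a in allow_list]
    keep = [ipaddress.ip_network(str(n), strict=False) for n in networks]
    keep = [n for n in keep if not any(n.overlaps(a) for a in allow)]
    return list(ipaddress.collapse_addresses(keep))


def cloudflare_expression(networks):
    """Render a Cloudflare Rules-language expression for a custom block rule."""
    return "ip.src in {" + " ".join(str(n) for n in networks) + "}"


def nftables_set(networks, set_name="ddos_src"):
    """Render the same list as an nftables named-set element add."""
    return f"nft add element inet filter {set_name} {{ {', '.join(str(n) for n in networks)} }}"


if __name__ == "__main__":
    counts = requests_per_ip(SAMPLE_LOG)
    blocklist = collapse_blocklist(suspect_prefixes(counts))
    print(cloudflare_expression(blocklist))
    print(nftables_set(blocklist))
```

On the sample, 10.20.4.0/24 and 10.20.5.0/24 are both flagged and merge into 10.20.4.0/23, 10.77.1.0/24 is flagged on its own, and the single visitor on 203.0.113.9 with four requests is left alone. Review the output before loading it: a prefix with three one-request visitors is indistinguishable from a small wave of real traffic, so raise `min_distinct_ips` for busy sites and check the WHOIS registrant of each surviving prefix, which is the manual step the post describes.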