Seeking help mitigate probe from Kazakhstan

Hi All,

How can I mitigate an endless probe from Kazakhstan which generates unnecessary traffic, thus slowing down my sites ( https://rfq.efc.asia ), increasing my VPS CPU spikes and generating a DDOS effect (after installation and removal of a WordPress plugin)? I have created the firewall rules, which the log shows blocking every 5 to 10 minutes, and it keeps probing non-stop. What can I do next since I am using the FREE Cloudflare plan? Any recommendation?

https://thehackernews.com/2019/07/kazakhstan-https-security-certificate.html

Are you saying that you added a Firewall Rule to block Kazakhstan, but they’re still getting through to your server?

The reason is that it fills up almost all of my firewall log and I am not too sure if they have bypassed Cloudflare. My traffic will spike easily with an increase of web traffic from my visitors, including ad hoc web attacks from bots / attackers. Please advise if there is any solution for it.

If your firewall events logs are filled with visits from Kazakhstan, it means Cloudflare is doing its job, following your Firewall Rule instruction to block them. Nothing to worry about. The internet is an open space, there’s nothing you can do if a bot (or a hundred bots) decides to probe your domain every 10 or 5 minutes, or even every other second. All you can do is block them, something apparently Cloudflare is being successful at.

What you could do is check your origin server access logs to see if any other attack patterns can be found. Perhaps repeated visits from another country, perhaps from a group of IP addresses or some user agents, then adjust your rules accordingly.

2 Likes
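One way to act on the advice above (check the origin access logs for repeated IPs or user agents, then adjust the rules), written as an added example rather than code from this thread or from Cloudflare. It assumes combined-format log lines (the ones below are constructed), that the origin restores the visitor IP from CF-Connecting-IP so the first field is not a Cloudflare edge address, and the Cloudflare rules-language syntax `ip.src in {...}` and `http.user_agent contains "..."` for the expression it emits.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx "combined" format. Behind Cloudflare
# the first field is the visitor IP only if the origin restores it from the
# CF-Connecting-IP header; otherwise it is a Cloudflare edge IP and blocking it
# would break the site.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2019:10:01:02 +0800] "GET /wp-login.php HTTP/1.1" 200 1523 "-" "python-requests/2.22.0"
203.0.113.7 - - [10/Jul/2019:10:06:11 +0800] "POST /xmlrpc.php HTTP/1.1" 403 221 "-" "python-requests/2.22.0"
203.0.113.7 - - [10/Jul/2019:10:11:40 +0800] "GET /wp-login.php HTTP/1.1" 200 1523 "-" "python-requests/2.22.0"
198.51.100.23 - - [10/Jul/2019:10:12:05 +0800] "GET / HTTP/1.1" 200 8831 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/75.0"
203.0.113.9 - - [10/Jul/2019:10:15:00 +0800] "GET /wp-login.php HTTP/1.1" 200 1523 "-" "python-requests/2.22.0"
203.0.113.9 - - [10/Jul/2019:10:20:31 +0800] "GET /wp-login.php HTTP/1.1" 200 1523 "-" "python-requests/2.22.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_combined(text):
    """Yield (ip, request, user_agent) for each well-formed combined-format line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ip"), m.group("req"), m.group("ua")

def find_repeat_offenders(text, min_hits=2):
    """Return IPs and user agents seen at least min_hits times, most frequent first."""
    ips, uas = Counter(), Counter()
    for ip, _req, ua in parse_combined(text):
        ips[ip] += 1
        uas[ua] += 1
    hot_ips = [ip for ip, n in ips.most_common() if n >= min_hits]
    hot_uas = [ua for ua, n in uas.most_common() if n >= min_hits]
    return hot_ips, hot_uas

def cloudflare_block_expression(ips, uas):
    """Build a Cloudflare Firewall Rules expression matching the offenders.

    Assumed rules-language syntax: ip.src in {a b} and http.user_agent contains "...".
    Pair the expression with the Block action in the Firewall Rules UI; Cloudflare
    offers no separate iptables-style DROP action, Block is the terminating action.
    """
    parts = []
    if ips:
        parts.append("(ip.src in {%s})" % " ".join(ips))
    for ua in uas:
        parts.append('(http.user_agent contains "%s")' % ua.replace('"', '\\"'))
    return " or ".join(parts)
```

Review the candidate list before pasting the expression: a busy legitimate client or a shared NAT can cross a low threshold just as easily as a probe.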

I do understand your points. Actually I have three layers of firewall. The first layer will be Cloudflare, followed by my WordPress plugin firewall, Wordfence, and lastly my VPS ModSecurity rules. In my WHM panel, using cPHulk Brute Force Protection, I have even blocked by countries.

A handful of times, my Cloudflare firewall event log cannot even load up or becomes empty. What I am looking at is creating a blackhole Cloudflare rule for that specific IP address, but I do not know how. Please advise.

In terms of firewalls, for iptables, block and drop are different. Is there a way to drop it in Cloudflare rules as well?

Firewall Events will occasionally become non-responsive on the UI. Use the API to fetch firewall events if you are comfortable doing it.

I’m not sure what you mean. If you want to just block a single IP or an IP range, you can use the Firewall Rules UI to easily do it.

I’m not familiar with IP tables, perhaps @sdayman can help you with that one.

The term Blackhole
https://en.wikipedia.org/wiki/Black_hole_%28networking%29

Currently I have already created rules so that only specific countries are allowed to access my website, due to daily countless hack attempts.

What I am looking for is a simple drop / blackhole rule from Cloudflare, which would make it very easy for me rather than digging into my WHM to create iptables rules for that specific IP address to drop or blackhole it.

As for the firewall events using the API, I do not know how to start with it.
Currently I am using the app from Logflare to track my visitors, then the Google Search Console report for my visitor reports only.

