When you tested your domain, what were the results?
Not sure what is expected here.
Describe the issue you are having:
My domain is under brute-force attack, arguably from a global network. My server is hosted on an AWS EC2 instance and I noticed that my December bill was 4x the usual bill. Upon inspection, I noticed that there are thousands of requests per minute to URL: wp-signup.php
After not getting any good support from AWS, I decided to put the server behind Cloudflare and configure the security rules. I’ve configured the WAF with the following rules:
URI Path | contains | wp-singup.php
URI Path | contains | .git
Hostname | contains | .microweb.app
However, a lot of traffic is still escaping. Looks like the bot network is now trying some other paths. Here’s a sample entry that’s escaped the rule:
How would that even get through Cloudflare? If you’ve configured your zone for “Always Use HTTPS”, those requests will get redirected to HTTPS, then fail due to a lack of valid certificate.
This makes me think they’re bypassing Cloudflare, and attacking your server directly. Have you set up a firewall at the origin to only allow requests from IP addresses listed at IP Ranges? Best to shut down Port 80, also.
Other than that, here’s the most detailed tutorial on mitigating attacks once you’re sure the requests are coming through Cloudflare:
being redirected to my domain. Upon closer inspection, I noticed that a ton of these requests have a HOST that follows the pattern: .microweb.app. Please let me know if there’s any way to block it without having to spend $20/mo. The total income from the websites hosted on that server is not even a fraction of it.
I think I’ll have to configure my Caddy server to shut down port 80. In the meantime, I’ve blocked the entire traffic to the domain to bring down my AWS costs.
Is there anything else I could consider implementing on the Cloudflare side and on the server side?
PS: I’ve read the article. I hope these attacks will die down after some time.
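Whether the requests reach the origin through Cloudflare or hit it directly, the question raised in the reply above, can be answered from the origin's own access log. The following is an added example, not code from any poster in this thread: the log format, the host name `example.org` and the sample lines are constructed, and the CIDR list is an assumed subset of Cloudflare's published ranges that should be replaced with the current list from the IP Ranges page.

```python
import ipaddress
from collections import Counter

# Assumption: a subset of Cloudflare's published IPv4 ranges. Load the full,
# current list from Cloudflare's IP Ranges page before relying on the result.
CLOUDFLARE_NETS = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "141.101.64.0/18",
    "108.162.192.0/18", "162.158.0.0/15", "104.16.0.0/13", "172.64.0.0/13",
)]

# Constructed sample lines: "<tcp peer ip> <host header> <method> <path>".
# The first field must be the socket peer address, not a forwarded-for
# header, because a client connecting directly can set headers freely.
SAMPLE_LOG = """\
172.68.10.5 example.org GET /wp-signup.php
203.0.113.77 abc.microweb.app GET /wp-signup.php
198.51.100.23 example.org POST /wp-login.php
162.158.90.1 example.org GET /
203.0.113.77 xyz.microweb.app GET /.git/config
104.18.3.4 abc.microweb.app GET /wp-signup.php
"""

def via_cloudflare(peer_ip):
    """True if the TCP peer is inside one of the listed Cloudflare ranges."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in CLOUDFLARE_NETS)

def classify(line, own_hosts):
    """Label one log line by how it reached the origin."""
    peer, host, _method, _path = line.split(maxsplit=3)
    if not via_cloudflare(peer):
        return "direct-to-origin"      # bypassed the proxy; WAF rules never ran
    if host.lower() not in own_hosts:
        return "proxied-foreign-host"  # came via Cloudflare with a Host we do not serve
    return "proxied"

def summarize(log_text, own_hosts):
    """Count log lines per label, skipping blank lines."""
    counts = Counter()
    for line in log_text.splitlines():
        if line.strip():
            counts[classify(line, own_hosts)] += 1
    return counts

if __name__ == "__main__":
    for label, n in summarize(SAMPLE_LOG, {"example.org"}).most_common():
        print(f"{label}: {n}")
```

A large `direct-to-origin` count means the fix belongs at the origin firewall or security group (allow only Cloudflare ranges), since no Cloudflare rule can see that traffic.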