Site Under Attack - Need Suggestions to Setup WAF Filters

Answer these questions to help the Community help you with Security questions.

What is the domain name?

  • microweb.app

Have you searched for an answer?

  • Yes

Please share your search results url:

  • https://www.cloudflare.com/learning/access-management/what-is-url-filtering/

When you tested your domain, what were the results?

  • Not sure what is expected here.

Describe the issue you are having:

  • My domain is under brute-force attack, arguably from a global network. My server is hosted on an AWS EC2 instance and I noticed that my December bill was 4x the usual bill. Upon inspection, I noticed that there are thousands of requests per minute to the URL: wp-signup.php

After not getting any good support from AWS, I decided to put the server behind Cloudflare and configure the security rules. I’ve configured the WAF with the following rules:

  • URI Path | contains | wp-singup.php
  • URI Path | contains | .git
  • Hostname | contains | .microweb.app

However, a lot of traffic is still escaping. Looks like the bot network is now trying some other paths. Here’s a sample entry that’s escaped the rule:

HOST: ns1.mobile.new.70a5a65e15b1703346423698.osu.prod.canacydrake.nobile.static.git.static.appphns2.mongimaster.mulogimaster.micaster.microweb.app

Path: /

Query string: Empty query string

The common pattern is that each ‘HOST’ ends with microweb.app in it. I am not sure how to filter out this traffic.

What error message or number are you receiving?

  • Currently, blocking the host with microweb.app blocks my entire site. There’s no error message, but I am shown a Cloudflare page or a blank page.

What steps have you taken to resolve the issue?

  • I have described the WAF rules I’ve set up.

Was the site working with SSL prior to adding it to Cloudflare?

  • Yes.

What are the steps to reproduce the error:

  • There is no error. The site is under bot attack.

Have you tried from another browser and/or incognito mode?

  • Yes. This is a browser-independent issue.

Please attach a screenshot of the error:
Not an error, but a sample entry from the escaped traffic that I need to control.

How would that even get through Cloudflare? If you’ve configured your zone for “Always Use HTTPS”, those requests will get redirected to HTTPS, then fail due to a lack of valid certificate.

This makes me think they’re bypassing Cloudflare, and attacking your server directly. Have you set up a firewall at the origin to only allow requests from the IP addresses listed at IP Ranges? Best to shut down Port 80, also.

Other than that, here’s the most detailed tutorial on mitigating attacks once you’re sure the requests are coming through Cloudflare:

2 Likes

@sdayman - Thank you for replying. As of now, the HTTPS for my domain microweb.app is handled by a Caddy server, which I use for a multisite WP setup on the domain.

I am wondering why

HOST: ns1.mobile.new.70a5a65e15b1703346423698.osu.prod.canacydrake.nobile.static.git.static.appphns2.mongimaster.mulogimaster.micaster.microweb.app

is being redirected to my domain. Upon closer inspection, I noticed that a ton of these requests have a HOST that follows the pattern: .microweb.app. Please let me know if there’s any way to block it without having to spend $20/mo. The total income from the websites hosted on that server is not even a fraction of it.

I think I’ll have to configure my Caddy server to shut down port 80. In the meantime, I’ve blocked all traffic to the domain to bring down my AWS costs.

Is there anything else I could consider implementing on the Cloudflare side and on the server side?

PS: I’ve read the article. I hope these attacks will die down after some time.

There does not seem to be a possibility of editing my post. I did more inspection of the latest blocked traffic and found that the attackers are now trying out different ports as well:

Host: cpcontacts.sitemap.git.app.new.gitlab.store.phpmyadmin.cadmin.sip.kirbyemo.cat.ce-dfw.co.kancelarster.microweb.app:2086

Host: cpcontacts.cloud.support.new.demo.ns1.fr.demo.cat.ce-dfw.co.kancelarster.microweb.app:8080

Host: en.app.fr.auth.cdn.gitlab.phpmyadmin.old.vpn.support.hostmagimaster.mulogimaster.microweb.app

Would really appreciate it if someone can guide me on how to get rid of this attack and get my servers back.

You could always start by not resolving requests for bogus hostnames.

¯\_(ツ)_/¯

1 Like
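As an added example (not code from the thread, from Cloudflare or from Caddy), here is a small Python triage script that combines the two suggestions above: sdayman's point that requests not arriving from Cloudflare's published IP ranges are hitting the origin directly, and the last reply's point that only the hostnames you actually serve should be answered, rather than anything that merely ends in .microweb.app. The served hostnames, the Cloudflare range and the log line format are constructed assumptions.

```python
import ipaddress

# Assumption: the site is served only on the apex and www (adjust to the real
# multisite hostnames). An exact allowlist is what "Hostname contains
# .microweb.app" cannot express, since that also matches the legitimate host.
ALLOWED_HOSTS = {"microweb.app", "www.microweb.app"}

# Constructed placeholder network; in practice load the published list from
# https://www.cloudflare.com/ips/ and allow only those ranges at the origin.
CLOUDFLARE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def normalize_host(host: str) -> str:
    """Lower-case, drop a :port suffix and a trailing dot so comparisons are exact."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("["):            # bracketed IPv6 literal, e.g. [::1]:8080
        host = host[1:host.index("]")]
    elif host.count(":") == 1:          # name:port, as in the :2086 / :8080 samples
        host = host.split(":", 1)[0]
    return host


def host_allowed(host: str) -> bool:
    """True only for hostnames the origin is meant to serve."""
    return normalize_host(host) in ALLOWED_HOSTS


def from_cloudflare(ip: str) -> bool:
    """True if the connecting address is inside one of the proxy's ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)


def classify(log_line: str) -> str:
    """Constructed log format: '<client_ip> <host_header> <path>'."""
    client_ip, host, _path = log_line.split(maxsplit=2)
    if not from_cloudflare(client_ip):
        return "origin-bypass"          # reached the EC2 instance without passing Cloudflare
    if not host_allowed(host):
        return "bogus-host"             # wildcard-subdomain noise like the hosts quoted above
    return "ok"


def triage(lines):
    """Count verdicts over a batch of log lines."""
    counts = {}
    for line in lines:
        verdict = classify(line)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample lines modelled on the hosts quoted in the thread.
SAMPLE_LOG = [
    "203.0.113.10 microweb.app /",
    "203.0.113.11 WWW.microweb.app. /wp-signup.php",
    "203.0.113.12 cpcontacts.sitemap.git.app.kancelarster.microweb.app:2086 /",
    "198.51.100.7 microweb.app /wp-signup.php",
]
```

Anything classified as origin-bypass will not be stopped by any WAF rule, because it never crosses Cloudflare; that is the case for an origin firewall rather than a rule edit.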
