I created a firewall rule and tried to block all requests that use the above UA and whose ASN does not belong to Facebook. But I see no requests getting blocked there, and Wordfence is still detecting such spoofed requests.
I think Cloudflare is able to detect the actual IP of the attackers. But as the requests are not getting challenged/blocked by any firewall rule, I am unable to see the actual IP address.
My question is, what firewall rule should I use to prevent such requests? I also cross-checked the DNS records and I see the DNS records are not leaking the IP address of the server. Please help.
Thanks @erictung for the response. I am already using the Cloudflare "CF-Connecting-IP" HTTP header to get the visitor IP in Wordfence. But in this case it is not helping, and the attackers are spoofing the IP address of the actual web server.
Yes, attackers are spoofing the IP address of our own server. I am using the following firewall rule:
(http.user_agent contains "facebookexternalhit/1.1" and ip.geoip.asnum ne 32934)
I tried out filtering all requests that get blocked by this rule, but that did not help.
The same attackers were trying to access the server with a different UA (after spoofing the server's IP). Wordfence could not detect the actual IP. I blocked that UA in Cloudflare and could see the actual IP address by filtering all requests that get blocked by that rule. I blocked that particular IP. But now I think the requests are coming from a different IP and using the mentioned Facebook UA.
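As an added example (not code from the original thread or from Cloudflare/Wordfence), the script below models the posted firewall expression offline against a handful of constructed requests, so the two questions in the thread can be checked concretely: which requests the rule as written actually matches, and when an origin-side plugin can trust CF-Connecting-IP at all. Two caveats it illustrates: Cloudflare's `contains` operator is case-sensitive, so a UA that differs only in case or in the version number slips past the literal `"facebookexternalhit/1.1"` (the `lower()` function in the rules language avoids that); and CF-Connecting-IP only identifies the visitor when the TCP peer of the origin is a Cloudflare edge, since any other sender can put an arbitrary value (including the server's own address) in that header. The sample requests, ASNs and addresses are constructed for the example, and the Cloudflare IPv4 ranges are a subset of the published list; the full list at https://www.cloudflare.com/ips-v4 is the one to use in production.

```python
"""Added example, not part of the original thread. Offline model of the
Cloudflare rule discussed above and of origin-side visitor-IP resolution.

Assumptions (not from the thread): sample requests below are constructed;
CLOUDFLARE_RANGES is a partial subset of https://www.cloudflare.com/ips-v4.
"""
import ipaddress

FACEBOOK_ASN = 32934  # AS32934, the ASN used in the posted rule

# Partial subset of Cloudflare's published IPv4 ranges (assumption: refresh
# from https://www.cloudflare.com/ips-v4 before relying on this in production).
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22",
    "104.16.0.0/13", "104.24.0.0/14",
)]


def rule_as_posted(req: dict) -> bool:
    """Literal model of:
    (http.user_agent contains "facebookexternalhit/1.1" and ip.geoip.asnum ne 32934)
    Cloudflare's `contains` is case-sensitive, so a UA that differs in case or
    version from the literal does not match."""
    return ("facebookexternalhit/1.1" in req["user_agent"]
            and req["asn"] != FACEBOOK_ASN)


def rule_case_insensitive(req: dict) -> bool:
    """Model of the broader form:
    (lower(http.user_agent) contains "facebookexternalhit" and ip.geoip.asnum ne 32934)
    which also catches case variants and other facebookexternalhit versions."""
    return ("facebookexternalhit" in req["user_agent"].lower()
            and req["asn"] != FACEBOOK_ASN)


def is_cloudflare(addr: str) -> bool:
    """True when the address falls inside one of the Cloudflare edge ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLOUDFLARE_RANGES)


def client_ip(remote_addr: str, headers: dict) -> str:
    """Origin-side visitor IP: honour CF-Connecting-IP only when the TCP peer
    is a Cloudflare edge. Any other peer can set the header to whatever it
    likes (for example the server's own address), so fall back to the peer."""
    cf_ip = headers.get("CF-Connecting-IP")
    if cf_ip and is_cloudflare(remote_addr):
        return cf_ip
    return remote_addr


# Constructed sample requests, not real traffic. "ip" is the address the
# Cloudflare edge saw; "asn" is what ip.geoip.asnum would resolve it to.
SAMPLE_REQUESTS = [
    # Genuine-looking crawler hit from the Facebook ASN: the rule must not match.
    {"user_agent": "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)",
     "asn": 32934, "ip": "69.171.250.10"},
    # Same UA from a hosting ASN: the spoof the posted rule is meant to catch.
    {"user_agent": "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)",
     "asn": 16276, "ip": "51.68.1.2"},
    # Case variant: passes the literal rule because `contains` is case-sensitive.
    {"user_agent": "FacebookExternalHit/1.1", "asn": 16276, "ip": "51.68.1.3"},
    # Different version string: also passes the literal rule.
    {"user_agent": "facebookexternalhit/1.0", "asn": 14061, "ip": "159.65.1.4"},
    # Unrelated UA from a hosting ASN: neither rule should match.
    {"user_agent": "Mozilla/5.0", "asn": 16276, "ip": "51.68.1.5"},
]


def matches(rule, requests=SAMPLE_REQUESTS) -> list:
    """Return the edge-seen IPs of the requests a rule would act on."""
    return [r["ip"] for r in requests if rule(r)]


if __name__ == "__main__":
    print("rule as posted blocks:     ", matches(rule_as_posted))
    print("case-insensitive rule blocks:", matches(rule_case_insensitive))
    # CF-Connecting-IP from a Cloudflare edge is trusted ...
    print(client_ip("173.245.48.5", {"CF-Connecting-IP": "51.68.1.2"}))
    # ... but from a direct-to-origin peer it is ignored in favour of the peer.
    print(client_ip("203.0.113.7", {"CF-Connecting-IP": "198.51.100.1"}))
```

Running it shows the posted rule acting on only one of the three non-Facebook spoof attempts, while the `lower()` form acts on all three and still leaves the request from AS32934 alone. The `client_ip` function is the check worth confirming in the origin plugin: if a request reaches the origin without passing through Cloudflare, the CF-Connecting-IP value it carries is untrusted input.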