Unable to prevent spoofing attack


Recently, I have been seeing a spoofing attack in which the attackers are spoofing the IP address of the server. The attackers are using this particular User-Agent:

facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)

I created a firewall rule and tried to block all requests that use the above UA where the ASN does not belong to Facebook. But I see that no requests are getting blocked there, and Wordfence is still detecting such spoofed requests.

I think Cloudflare is able to detect the actual IP of the attackers. But, as the requests are not getting challenged/blocked by any firewall rule, I am unable to see the actual IP address.

My question is, what firewall rule should I use to prevent such requests? I also cross-checked the DNS records and I see the DNS records are not leaking the IP address of the server. Please help.

Wordfence is seeing Cloudflare IPs once you have the proxy set up. It’s totally normal.

Try referring to this link on how to restore the original IP address:

I also blocked all requests that try to reach the server by bypassing Cloudflare.

Thanks @erictung for the response. I am already using the Cloudflare “CF-Connecting-IP” HTTP header to get a visitor IP in Wordfence. But, in this case, it is not helping. And, attackers are spoofing the IP address of the actual web server.

@michael knows more about spoofing than I do, but my impression is that Cloudflare won’t allow in spoofed IP addresses because they have a pretty good idea where they’re really coming from.

Of your own server?

That firewall rule should have done it, unless it’s not correctly written. Can you post a screenshot of it?

You can test the firewall rule with a browser’s Dev Tools (F12 in Chrome) to send a specific user agent string.

Thanks @sdayman for the response.

Yes, attackers are spoofing the IP address of our own server. I am using the following firewall rule:

(http.user_agent contains "facebookexternalhit/1.1" and ip.geoip.asnum ne 32934)

Then Block

I tried out filtering all requests that get blocked by this rule, but that did not help.

The same attackers were trying to access the server with a different UA (after spoofing the server’s IP). Wordfence could not detect the actual IP. I blocked that UA in Cloudflare and could see the actual IP address by filtering all requests that get blocked by that rule. I blocked that particular IP. But, now I think the requests are coming from a different IP and using the mentioned Facebook UA.

Thanks @sdayman

I tried to send HTTP requests by using the mentioned UA. I see the request does not get blocked by the Cloudflare rule. But, I could analyze why I get such mentioned requests.
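An added example, not part of the thread and not Cloudflare or Wordfence code: an origin-side check that trusts CF-Connecting-IP only when the TCP peer is a Cloudflare address, then applies the same UA-plus-ASN test as the rule posted above. The Cloudflare ranges are an excerpt, and the prefix-to-ASN table, the function names and the sample requests are constructed assumptions.

```python
import ipaddress

FACEBOOK_ASN = 32934  # ASN used in the rule posted in the thread
FB_UA = "facebookexternalhit/1.1"

# Excerpt of Cloudflare's published IPv4 ranges; load the full current list in real use.
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in
                   ("173.245.48.0/20", "104.16.0.0/13", "172.64.0.0/13", "162.158.0.0/15")]

# Constructed prefix-to-ASN table standing in for a real IP-to-ASN database.
ASN_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): FACEBOOK_ASN,
    ipaddress.ip_network("203.0.113.0/24"): 64500,
}

def from_cloudflare(peer):
    """True if the TCP peer address belongs to a known Cloudflare range."""
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in CLOUDFLARE_NETS)

def asn_of(ip):
    """Look up the ASN for an address; None if the table has no match."""
    addr = ipaddress.ip_address(ip)
    for net, asn in ASN_TABLE.items():
        if addr in net:
            return asn
    return None

def classify(peer, headers):
    """Return (verdict, client_ip) for one request seen at the origin."""
    if not from_cloudflare(peer):
        # CF-Connecting-IP is client-controlled on a direct connection: ignore it.
        return "bypassed-cloudflare", peer
    client = headers.get("CF-Connecting-IP", peer)
    ua = headers.get("User-Agent", "")
    if FB_UA in ua and asn_of(client) != FACEBOOK_ASN:
        return "fake-facebook-ua", client
    return "ok", client

# Constructed sample requests: (TCP peer address, request headers)
SAMPLES = [
    ("172.64.1.10", {"CF-Connecting-IP": "198.51.100.7", "User-Agent": FB_UA}),
    ("172.64.1.10", {"CF-Connecting-IP": "203.0.113.9", "User-Agent": FB_UA}),
    ("203.0.113.50", {"CF-Connecting-IP": "192.0.2.10", "User-Agent": FB_UA}),
]

if __name__ == "__main__":
    for peer, headers in SAMPLES:
        print(peer, classify(peer, headers))
```

In the third sample the header value is discarded and the peer address is logged instead, so a direct connection cannot choose the IP the application records.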
