I created a firewall rule and tried to block all requests that use the above UA and the ASN does not belong to Facebook. But, I see no requests are getting blocked there and Wordfence is still detecting such spoofed requests.
I think Cloudflare is able to detect the actual IP of the attackers. But, as the requests are not getting challenged/blocked by any firewall rule, I am unable to see the actual IP address.
My question is, what firewall rule should I use to prevent such requests? I also cross-checked the DNS records and I see the DNS records are not leaking the IP address of the server. Please help.
Thanks @erictung for the response. I am already using the Cloudflare “CF-Connecting-IP” HTTP header to get a visitor IP in Wordfence. But, in this case, it is not helping. And, attackers are spoofing the IP address of the actual web server.
@michael knows more about spoofing than I do, but my impression is that Cloudflare won’t allow in spoofed IP addresses because they have a pretty good idea where they’re really coming from.
Of your own server?
That firewall rule should have done it, unless it’s not correctly written. Can you post a screenshot of it?
You can test the firewall rule with a browser’s Dev Tools (F12 in Chrome) to send a specific user agent string.
Yes, attackers are spoofing the IP address of our own server. I am using the following firewall rule:
(http.user_agent contains "facebookexternalhit/1.1" and ip.geoip.asnum ne 32934)
Then Block
I tried out filtering all requests that get blocked by this rule, but that did not help.
The same attackers were trying to access the server with a different UA (after spoofing the server’s IP). Wordfence could not detect the actual IP. I blocked that UA in Cloudflare and could see the actual IP address by filtering all requests that get blocked by that rule. I blocked that particular IP. But, now I think the requests are coming from a different IP and using the mentioned Facebook UA.
I tried to send HTTP requests by using the mentioned UA. I see the request does not get blocked by the Cloudflare rule. But, I could analyze why I get such mentioned requests.
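As an added offline illustration (not code from the thread or from Cloudflare), this Python mirrors the rule posted above and also flags the symptom the poster describes, a CF-Connecting-IP equal to the origin server's own address; the origin IP and the request records are constructed placeholders.

```python
"""Offline check mirroring the Cloudflare firewall rule discussed in the thread:
block when the User-Agent contains "facebookexternalhit/1.1" and the ASN is not
32934 (Facebook). It also flags requests whose CF-Connecting-IP equals the
origin server's own address, the spoofing symptom the poster describes.
The origin address and the sample requests are constructed for this example."""

FACEBOOK_ASN = 32934
FB_UA_FRAGMENT = "facebookexternalhit/1.1"

# Constructed origin address (placeholder, not the poster's real server).
ORIGIN_IP = "203.0.113.10"


def rule_matches(user_agent: str, asn: int) -> bool:
    """Equivalent of the posted expression:
    http.user_agent contains "facebookexternalhit/1.1" and ip.geoip.asnum ne 32934
    Note that Cloudflare's `contains` is case-sensitive, as is Python's `in`."""
    return FB_UA_FRAGMENT in user_agent and asn != FACEBOOK_ASN


def classify(request: dict, origin_ip: str = ORIGIN_IP) -> str:
    """Return 'block' (rule hit), 'spoofed-origin' (client IP claims to be the
    origin itself, which should never happen for a real visitor), or 'allow'."""
    if rule_matches(request["user_agent"], request["asn"]):
        return "block"
    if request["cf_connecting_ip"] == origin_ip:
        return "spoofed-origin"
    return "allow"


# Constructed request records in the shape a log-based check would see.
SAMPLE_REQUESTS = [
    {"cf_connecting_ip": "198.51.100.7", "asn": 64500,   # fake Facebook UA, non-FB ASN
     "user_agent": "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"},
    {"cf_connecting_ip": "192.0.2.44", "asn": 32934,     # genuine-looking crawler from FB ASN
     "user_agent": "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"},
    {"cf_connecting_ip": "203.0.113.10", "asn": 64500,   # claims to be the origin itself
     "user_agent": "Mozilla/5.0 (compatible; example-bot)"},
]


def classify_all(requests=SAMPLE_REQUESTS):
    """Apply classify() to every record; used by the stand-alone run below."""
    return [classify(r) for r in requests]


if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, classify_all()):
        print(f"{verdict:15} {req['cf_connecting_ip']:15} AS{req['asn']}")
```

If the rule hits here but not in the dashboard, compare the exact UA string and ASN Cloudflare records for those requests against what the expression tests.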