Hi,
I'm under attack with too many random page requests, here are some of them:
How can I stop these requests?
What I’ve done so far:
- Blocking user agents
- Blocking OVH ASNs
You cannot stop them from happening, only the provider providing Internet connectivity to these requests will be able to “stop” them.
You can however apply WAF rules, like you indicate that you have, so that the requests will only reach Cloudflare, but not be able to “overload” your origin server(s), etc.
Based on the list of AS numbers you provided, e.g.:
I would also add all of the AS numbers:
to your block and/or challenge lists (depending on your personal preferences there), as they are all “hosting” related (e.g. providing Dedicated servers, VPS, etc.).
There are many more well-known AS numbers that you could eventually block, or challenge, but in the end, it all comes down to what kind of risks you're willing to take (e.g. if a false positive of blocking potential legitimate users is acceptable).
Setting up such AS lists (to perfection) will vary from website to website, what is useful and what is not. What works for my site, might be a complete disaster for your site, and vice versa.
Those are very annoying, but unfortunately there is no way to detect those paths. Your best bet is filtering those requests in the WAF logs and matching any other pattern that you find.
You could try rate limiting on custom HTTP response codes, like I did for 403 and 404 errors (see "Rate limiting parameters · Cloudflare Web Application Firewall (WAF) docs"). Note, though, that the rate limit is per Cloudflare data center location, so some of the bad requests will get through the rate limit if the attack is geographically distributed.
The rate limiting parameter for the custom counting expression is "Increment counter when", it seems (Rate limiting parameters · Cloudflare Web Application Firewall (WAF) docs).
Looks like the increment counting feature is Cloudflare Business plan or higher (Rate limiting rules · Cloudflare Web Application Firewall (WAF) docs).
But you can adjust the expression criteria to paths you know are being attacked, and analyze the WAF event logs for patterns of attack you can target using rate limiting.
First, run a test on https://tools.keycdn.com/performance for an invalid 404 URL.
Second, run a test of a different random invalid 404 URL; notice that some locations respond with a 429 rate-limited response instead of a 404 from the origin.
Also, if you're on a paid Cloudflare plan, check the entire list of Managed WAF rules, as not all are enabled by default and some are related to attack requests like these.
If I were you, I would use a WAF Custom Rules allowlist like this:
if (someone request URIs not listed)
then (block)
so Cloudflare will block all random requests before they reach the origin server.
Blocking ASNs and UAs may cause normal user requests to be blocked, so I won't recommend that.
It looks like someone is trying to scan your entire website, usually to find some "admin login page". Please pay special attention to whether your website has the possibility of a penetration attack.
What is this path based on?
/path/you/use/001
This is just a placeholder for the path your site is actually using. If you add all the actual valid paths in the WAF like in the picture, then all other paths except these paths (that is, the random paths you are being attacked with) will be blocked.
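The allowlist approach from the replies above, as an added example that is not part of the original thread: it builds the Cloudflare custom-rule expression from a list of valid paths and dry-runs it against origin log rows to surface legitimate paths the rule would block. The second exact path, the `/static/` prefix, the log rows and all function names are assumptions made for illustration.

```python
# Added example. Paths and log rows below are constructed sample data.
from collections import Counter

EXACT = {"/", "/path/you/use/001", "/path/you/use/002"}   # placeholder valid paths
PREFIXES = {"/static/"}                                    # assumed asset prefix
SAMPLE_LOG = [                                             # (request URI, origin status)
    ("/", 200), ("/path/you/use/001?ref=a", 200), ("/static/app.css", 200),
    ("/qwjzk/83hd", 404), ("/xk2/admin-9f", 404),
    ("/robots.txt", 200), ("/robots.txt", 200),
]

def cf_quote(value):
    """Quote a string literal for the Cloudflare Rules language."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def build_block_expression(exact, prefixes):
    """Expression matching every request NOT on the allowlist (use with Block)."""
    parts = []
    if exact:
        literals = " ".join(cf_quote(p) for p in sorted(exact))
        parts.append("http.request.uri.path in {" + literals + "}")
    for prefix in sorted(prefixes):
        parts.append("starts_with(http.request.uri.path, " + cf_quote(prefix) + ")")
    if not parts:
        raise ValueError("empty allowlist would block the whole site")
    return "not (" + " or ".join(parts) + ")"

def is_allowed(uri, exact, prefixes):
    path = uri.split("?", 1)[0]   # http.request.uri.path excludes the query string
    return path in exact or any(path.startswith(p) for p in prefixes)

def dry_run(log_rows, exact, prefixes):
    """Return (requests the rule would block, paths the origin served successfully
    that are missing from the allowlist, i.e. likely false positives)."""
    blocked, missing = 0, Counter()
    for uri, status in log_rows:
        if is_allowed(uri, exact, prefixes):
            continue
        blocked += 1
        if 200 <= status < 400:
            missing[uri.split("?", 1)[0]] += 1
    return blocked, missing

if __name__ == "__main__":
    print(build_block_expression(EXACT, PREFIXES))
    print(dry_run(SAMPLE_LOG, EXACT, PREFIXES))
```

On the sample rows the dry run flags `/robots.txt`: the origin serves it, yet the allowlist omits it, so the rule would block it along with the random paths.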