Urgent - help setting a block rule for POST attacks

Hello,

We had been getting POST DDoS attacks on our homepage and managed to block them using a rule:

URI equals “/” and Method equals POST then BLOCK.

However, we have now encountered this kind of attack:

92.244.99.229 - - [10/Oct/2020:17:32:26 +0000] "HEAD /?id=9117105f0111d4d03aed76ed0c30ac27 HTTP/1.0" 200 384 "https://URL.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36"
171.100.220.216 - - [10/Oct/2020:17:32:26 +0000] "POST /?id=fd2a15c86eb3bb5fbb8cda866b213f64 HTTP/1.0" 200 21888 "https://URL.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36"

Can someone suggest how to set a firewall rule that will block the above, as the previous one isn’t catching and blocking them?

Thanks

You might want to use this instead

(http.request.uri.path eq "/" and http.request.method ne "GET")

thanks Sandro.

Should I block HEAD from homepage like POST?
what about logged in users (to the backend of the site)?

Also, how to solve/block the /?id=* additions to the URL?

thanks

will this rule solve it? and block requests such as:

171.100.220.216 - - [10/Oct/2020:17:32:26 +0000] "POST /?id=fd2a15c86eb3bb5fbb8cda866b213f64 HTTP/1.0" 200 21888 "https://URL.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36"

Ehm, what about what I wrote?

It won’t block /?id=* requests…

Why do you think so?

Because eq "/" doesn’t contain /?id=
otherwise the current rule would have blocked the POST requests of /?id=

And it doesn’t need to contain it.

I am really questioning why I post the solution if you don’t even care to try it out. Additionally I would suggest to check out https://developers.cloudflare.com/firewall/cf-firewall-language/fields/

but sir, I appreciate your help, but we have this rule:
(http.request.uri eq "/" and http.request.method eq "POST")
and this didn’t block this request:
[10/Oct/2020:17:32:26 +0000] "POST /?id=fd2a15c86eb3bb5fbb8cda866b213f64 HTTP/1.0" 200 21888 "https://URL.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)
so that’s why I came to the conclusion it won’t solve it.

Ehm, again, what about the rule I posted? We are going in circles here and you could have fixed that an hour ago.

Your rule is checking the entire URI. Not URI Path, as suggested.

ohh yeah, now I see.

so should I change this rule:
(http.request.uri eq "/" and http.request.method eq "POST")

to:
(http.request.uri.path eq "/" and http.request.method eq "POST")

?

And second question - other than POST requests, what are HEAD requests used for? Wondering if I should block them too (on the homepage).

Two hours ago, two hours ago.

Alternatively you can also try

(http.request.uri.query contains "id=")

But then, it all depends on your setup and you didn’t really go into details here.

thanks for your kind help! Sandro
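
The field difference discussed in this thread, as an added example that is not part of any post and is not Cloudflare's rule engine: a local Python emulation that splits each request target into the full URI, the path and the query string, then checks which of the thread's four expressions would match. The first two log lines are the ones quoted above (trimmed); the other three, and the Python stand-ins for each expression, are assumptions made for illustration.

```python
import re

# The first two lines are the requests quoted in the thread (referrer and
# user agent trimmed); the last three are constructed for comparison.
SAMPLE_LOG = [
    '92.244.99.229 - - [10/Oct/2020:17:32:26 +0000] "HEAD /?id=9117105f0111d4d03aed76ed0c30ac27 HTTP/1.0" 200 384',
    '171.100.220.216 - - [10/Oct/2020:17:32:26 +0000] "POST /?id=fd2a15c86eb3bb5fbb8cda866b213f64 HTTP/1.0" 200 21888',
    '203.0.113.7 - - [10/Oct/2020:17:32:27 +0000] "POST / HTTP/1.1" 200 21888',
    '203.0.113.8 - - [10/Oct/2020:17:32:28 +0000] "GET /?id=42 HTTP/1.1" 200 21888',
    '203.0.113.9 - - [10/Oct/2020:17:32:29 +0000] "GET / HTTP/1.1" 200 21888',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fields(line):
    """Split a log line's request target the way the three URI fields do."""
    m = REQUEST_RE.search(line)
    if m is None:
        raise ValueError(f"no request found in: {line!r}")
    target = m["target"]
    path, _, query = target.partition("?")
    return {
        "method": m["method"],
        "uri": target,    # http.request.uri: path plus query string
        "path": path,     # http.request.uri.path: path only
        "query": query,   # http.request.uri.query: query string without "?"
    }

# Python stand-ins (assumed equivalents) for the expressions posted in the thread.
RULES = {
    'uri eq "/" and method eq "POST"': lambda f: f["uri"] == "/" and f["method"] == "POST",
    'uri.path eq "/" and method eq "POST"': lambda f: f["path"] == "/" and f["method"] == "POST",
    'uri.path eq "/" and method ne "GET"': lambda f: f["path"] == "/" and f["method"] != "GET",
    'uri.query contains "id="': lambda f: "id=" in f["query"],
}

def evaluate(lines):
    """Return {rule: [bool per line]}; True means the rule would match."""
    parsed = [fields(line) for line in lines]
    return {name: [rule(f) for f in parsed] for name, rule in RULES.items()}

if __name__ == "__main__":
    for name, hits in evaluate(SAMPLE_LOG).items():
        print(f"{name:40} {['match' if h else '-' for h in hits]}")
```

In this run the `ne "GET"` form also matches the HEAD request at the homepage, and the `uri.query contains "id="` form matches the constructed `GET /?id=42` line, so both should be checked against legitimate traffic before being set to block.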