Urgent - help setting a block rule for POST attacks

Hello,

We had been getting POST DDoS attacks on our homepage and managed to block them using a rule:

URI equals “/” and Method equals POST then BLOCK.

However, we have now encountered this kind of attack:

92.244.99.229 - - [10/Oct/2020:17:32:26 +0000] "HEAD /?id=9117105f0111d4d03aed76ed0c30ac27 HTTP/1.0" 200 384 "https://URL.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36"
171.100.220.216 - - [10/Oct/2020:17:32:26 +0000] "POST /?id=fd2a15c86eb3bb5fbb8cda866b213f64 HTTP/1.0" 200 21888 "https://URL.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36"

Can someone suggest how to set a firewall rule that will block the above, as the previous one isn’t catching and blocking them?

Thanks

You might want to use this instead

(http.request.uri.path eq "/" and http.request.method ne "GET")

thanks Sandro.

Should I block HEAD from the homepage like POST?
What about logged-in users (to the backend of the site)?

Also, how do I solve/block the /?id=* additions to the URL?

thanks

Will this rule solve it and block requests such as:

171.100.220.216 - - [10/Oct/2020:17:32:26 +0000] "POST /?id=fd2a15c86eb3bb5fbb8cda866b213f64 HTTP/1.0" 200 21888 "https://URL.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36"

Ehm, what about what I wrote?

It won’t block /?id=* requests…

Why do you think so?

Because eq "/" doesn’t contain /?id=,
otherwise the current rule would have blocked the POST requests of /?id=

And it doesn’t need to contain it.

I am really questioning why I post the solution if you don’t even care to try it out. Additionally I would suggest to check out https://developers.cloudflare.com/firewall/cf-firewall-language/fields/

But sir, I appreciate your help, but we have this rule:
(http.request.uri eq "/" and http.request.method eq "POST")
and this didn’t block this request:
[10/Oct/2020:17:32:26 +0000] "POST /?id=fd2a15c86eb3bb5fbb8cda866b213f64 HTTP/1.0" 200 21888 "https://URL.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)
So that’s why I came to the conclusion it won’t solve it.

Ehm, again, what about the rule I posted? We are going in circles here and you could have fixed that an hour ago.

Your rule is checking the entire URI. Not URI Path, as suggested.

ohh yeah, now I see.

So should I change this rule:
(http.request.uri eq "/" and http.request.method eq "POST")

to:
(http.request.uri.path eq "/" and http.request.method eq "POST")

?

And a second question: other than POST requests, what are HEAD requests used for? I’m wondering if I should block them too (on the homepage).

Two hours ago, two hours ago.


Alternatively you can also try

(http.request.uri.query contains "id=")

But then, it all depends on your setup and you didn’t really go into details here.

thanks for your kind help! Sandro
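
The difference between the rules discussed in this thread can be checked offline. The following is an added example, not part of the original posts and not Cloudflare's code: it models `http.request.uri`, `http.request.uri.path` and `http.request.uri.query` as simple string fields and evaluates the thread's four expressions against the two logged requests (trimmed) plus three constructed ones.

```python
import re
from urllib.parse import urlsplit

# Lines 1-2 are trimmed from the thread's log excerpt; lines 3-5 are constructed.
SAMPLE_LOG = """\
92.244.99.229 - - [10/Oct/2020:17:32:26 +0000] "HEAD /?id=9117105f0111d4d03aed76ed0c30ac27 HTTP/1.0" 200 384
171.100.220.216 - - [10/Oct/2020:17:32:26 +0000] "POST /?id=fd2a15c86eb3bb5fbb8cda866b213f64 HTTP/1.0" 200 21888
198.51.100.7 - - [10/Oct/2020:17:32:27 +0000] "POST / HTTP/1.0" 200 21888
198.51.100.8 - - [10/Oct/2020:17:32:28 +0000] "GET / HTTP/1.1" 200 21888
198.51.100.9 - - [10/Oct/2020:17:32:29 +0000] "GET /?id=42 HTTP/1.1" 200 21888
"""

REQUEST_RE = re.compile(r'"([A-Z]+) (\S+) HTTP/[\d.]+"')


def fields(log_line):
    """Derive the four fields the thread's rules use from one access-log line."""
    method, target = REQUEST_RE.search(log_line).groups()
    parts = urlsplit(target)
    return {
        "method": method,      # http.request.method
        "uri": target,         # http.request.uri: path plus query string
        "path": parts.path,    # http.request.uri.path: path only
        "query": parts.query,  # http.request.uri.query: query without the "?"
    }


# The thread's expressions as Python predicates (a simplified model, not Cloudflare's engine).
RULES = {
    '(http.request.uri eq "/" and http.request.method eq "POST")':
        lambda f: f["uri"] == "/" and f["method"] == "POST",
    '(http.request.uri.path eq "/" and http.request.method eq "POST")':
        lambda f: f["path"] == "/" and f["method"] == "POST",
    '(http.request.uri.path eq "/" and http.request.method ne "GET")':
        lambda f: f["path"] == "/" and f["method"] != "GET",
    '(http.request.uri.query contains "id=")':
        lambda f: "id=" in f["query"],
}


def evaluate(log_text=SAMPLE_LOG):
    """Return {rule expression: [matched? for each log line]}."""
    rows = [fields(line) for line in log_text.splitlines() if line.strip()]
    return {expr: [pred(f) for f in rows] for expr, pred in RULES.items()}


if __name__ == "__main__":
    for expr, hits in evaluate().items():
        print(f"{''.join('X' if h else '.' for h in hits)}  {expr}")
```

In the printed grid each column is one log line. The last constructed line shows that the query-string rule also matches GET requests that carry an `id=` parameter.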
