Website being scanned / attack

What is the name of the domain?

spectrapaints.com.au

What is the issue you’re encountering

Website is being crawled by malware/hackers; cannot stop it.

What steps have you taken to resolve the issue?

Website is behind Cloudflare; the WAF is enabled but doesn't seem to be blocking these kinds of attacks. A firewall is active at the web host, so only Cloudflare IP addresses can access 443 and 80, but no matter what, I can still see attacks on our IP address. It seems the address belongs to a Microsoft server farm; either someone is an Azure customer using their services for malicious purposes, or Microsoft is scanning the internet for advice.

Any ideas how to stop this using Cloudflare services? I also tried setting up a flood threshold to prompt a captcha, but it didn't work.

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Off

What are the steps to reproduce the issue?

cannot reproduce the attack

Screenshot of the error
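Before tuning WAF rules it is worth checking what the host is actually seeing. With the origin firewall limited to Cloudflare's ranges, any "attack" that shows a Microsoft address in the web server log is either a request that came through Cloudflare (the edge reports the real client in the CF-Connecting-IP header) or a direct hit that slipped past the allow-list. The script below, an added example and not part of the original thread, separates the two: it checks the TCP peer address of each log line against a snapshot of Cloudflare's published IPv4 ranges and pulls the client address from CF-Connecting-IP when the peer is an edge. The log format (combined log plus the CF-Connecting-IP header in a trailing quoted field), the sample lines and the addresses in them are constructed for the example.

```python
"""Classify origin hits as 'via Cloudflare' or 'direct to origin'.

Added example, not from the thread. Assumes a custom LogFormat that appends
the CF-Connecting-IP header as a trailing quoted field; adapt LOG_RE if yours
differs.
"""
import ipaddress
import re
from typing import Optional

# Snapshot of https://www.cloudflare.com/ips-v4 at time of writing.
# Refresh from that URL before relying on it; the list changes occasionally.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Assumed format: '<peer_ip> - - [time] "request" status bytes "<CF-Connecting-IP or ->"'
LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<cf_ip>[^"]*)"$'
)

def is_cloudflare(ip: str) -> bool:
    """True if ip falls inside one of Cloudflare's published IPv4 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)

def classify(line: str) -> Optional[dict]:
    """Return which path a request took and which address is the real client."""
    m = LOG_RE.match(line)
    if not m:
        return None
    peer = m["peer"]
    cf_ip = m["cf_ip"] if m["cf_ip"] not in ("", "-") else None
    if is_cloudflare(peer):
        # Proxied request: the edge connected to us; the client is in the header.
        path, client = "via_cloudflare", (cf_ip or peer)
    else:
        # Non-Cloudflare peer reached the origin directly, so the host firewall
        # allow-list did not hold for this connection (or the line predates it).
        # A CF-Connecting-IP value on such a line was set by the client itself.
        path, client = "direct_to_origin", peer
    return {"path": path, "client_ip": client,
            "request": m["request"], "status": int(m["status"])}

def summarize(lines):
    """Count hits per path and collect the direct-to-origin records for review."""
    counts = {"via_cloudflare": 0, "direct_to_origin": 0, "unparsed": 0}
    direct = []
    for line in lines:
        rec = classify(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        counts[rec["path"]] += 1
        if rec["path"] == "direct_to_origin":
            direct.append(rec)
    return counts, direct

# Constructed sample log lines (TEST-NET addresses stand in for real clients).
SAMPLE_LOG = [
    '172.71.1.2 - - [10/May/2025:10:00:01 +1000] "GET /wp-login.php HTTP/1.1" 404 153 "203.0.113.7"',
    '162.158.2.9 - - [10/May/2025:10:00:02 +1000] "GET /.env HTTP/1.1" 404 153 "203.0.113.7"',
    '198.51.100.23 - - [10/May/2025:10:00:03 +1000] "GET /xmlrpc.php HTTP/1.1" 403 0 "-"',
    'garbage line that does not match',
]

if __name__ == "__main__":
    counts, direct = summarize(SAMPLE_LOG)
    print(counts)
    for rec in direct:
        print("DIRECT HIT bypassing Cloudflare:", rec)
```

If every suspicious line comes out as via_cloudflare, the origin firewall is doing its job and the remaining work is a Cloudflare rule; a non-empty direct_to_origin list means the allow-list itself needs fixing first, because no WAF rule can act on traffic that never passes through the edge.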

Block AS8075 using a custom WAF rule (add an exception for known search engines if you worry about Bing). This Microsoft AS has had bots spewing such stuff for a while now.


Any others we can block?

Does this look good:

(ip.src.asnum in {8068 8069 8070 8071 8072 8073 8074 8075} and not http.user_agent contains "bingbot")

There are lists you can use if you want, one is here…

Make sure to add exceptions for third-party tools that need access to your site.

How about this:

(
ip.src.asnum in {
# High-risk ASNs (spammy, cloud providers, attackers)
8075, 13335, 45139, 3598, 16509, 20473, 14061, 14618, 16276, 23455, 23650, 24916, 26415, 26466, 27699, 33438, 40065, 42473, 43531, 45503, 45522, 45595, 45642, 45758, 45834, 45930, 46071, 46115, 46264, 46384, 46455, 46598, 46606, 46662, 46786, 46844, 46996, 47066, 47196, 47229, 47328, 47447, 47542, 47582, 47692, 47741, 47872, 47969, 48043, 48163, 48201, 48361, 48429, 48550, 48609, 48724, 48811, 48940, 49044, 49100, 49245, 49311, 49404, 49535, 49616, 49704, 49846, 49905, 50048, 50124, 50231, 50304, 50429, 50545, 50644, 50763, 50839, 50967, 51070, 51167, 51277, 51371, 51405, 51539, 51659, 51706, 51828, 51900, 52000, 52075, 52173, 52236, 52334, 52490, 52549, 52664, 52790, 52866, 52993, 53006, 53182, 53213, 53334, 53481, 53501, 53667, 53755, 53841, 53930, 54021, 54113, 54204, 54314, 54400, 54544, 54624, 54728, 54802, 54907, 55029, 55123, 55254, 55330, 55470, 55551, 55644, 55721, 55836, 55960, 56050, 56173, 56253, 56367, 56443, 56578, 56666, 56764, 56850, 56971, 57062, 57172, 57286, 57363, 57491, 57584, 57671, 57783, 57862, 57957, 58063, 58172, 58271, 58367, 58453, 58543, 58677, 58762, 58871, 58963, 59057, 59143, 59253, 59345, 59439, 59553, 59645, 59737, 59833, 59925, 60021, 60117, 60213, 60309, 60405, 60501, 60597, 60693, 60789, 60885, 60981, 61077, 61173, 61269, 61365, 61461, 61557, 61653, 61749, 61845, 61941, 62037, 62133, 62229, 62325, 62421, 62517, 62613, 62709, 62805, 62901, 62997, 63093, 63189, 63285, 63381, 63477, 63573, 63669, 63765, 63861, 63957, 64053, 64149, 64245, 64341, 64437, 64533, 64629, 64725, 64821, 64917, 65013, 65109, 65205, 65301, 65397, 65493, 65589, 65685, 65781, 65877, 65973, 66069, 66165, 66261, 66357, 66453, 66549, 66645, 66741, 66837, 66933, 67029, 67125, 67221, 67317, 67413, 67509, 67605, 67701, 67797, 67893, 67989, 68085, 68181, 68277, 68373, 68469, 68565, 68661, 68757, 68853, 68949, 69045, 69141, 69237, 69333, 69429, 69525, 69621, 69717, 69813, 69909, 70005, 70101, 70197, 70293, 70389, 70485, 70581, 70677, 70773, 70869, 70965, 71061, 71157, 
71253, 71349, 71445, 71541, 71637, 71733, 71829, 71925, 72021, 72117, 72213, 72309, 72405, 72501, 72597, 72693, 72789, 72885, 72981, 73077, 73173, 73269, 73365, 73461, 73557, 73653, 73749, 73845, 73941, 74037, 74133, 74229, 74325, 74421, 74517, 74613, 74709, 74805, 74901, 74997, 75093, 75189, 75285, 75381, 75477, 75573, 75669, 75765, 75861, 75957, 76053, 76149, 76245, 76341, 76437, 76533, 76629, 76725, 76821, 76917, 77013, 77109, 77205, 77301, 77397, 77493, 77589, 77685, 77781, 77877, 77973, 78069, 78165, 78261, 78357, 78453, 78549, 78645, 78741, 78837, 78933, 79029, 79125, 79221, 79317, 79413, 79509, 79605, 79701, 79797, 79893, 79989, 80085, 80181, 80277, 80373, 80469, 80565
}
and not (
# Allow search engines (Google, Bing, Yandex, etc.)
(http.user_agent contains "Googlebot" and ip.src.reverse_dns ends_with ".googlebot.com") or
(http.user_agent contains "bingbot" and ip.src.reverse_dns ends_with "search.msn.com") or
(http.user_agent contains "YandexBot" and ip.src.reverse_dns ends_with ".yandex.com") or
(http.user_agent contains "DuckDuckBot" and ip.src.reverse_dns ends_with ".duckduckgo.com") or
(http.user_agent contains "Applebot" and ip.src.reverse_dns ends_with ".applebot.apple.com") or
# Allow social/media crawlers (Facebook, Twitter, LinkedIn)
(http.user_agent contains "facebookexternalhit" and ip.src.reverse_dns ends_with ".fbsv.net") or
(http.user_agent contains "Twitterbot" and ip.src.reverse_dns ends_with ".twttr.com") or
(http.user_agent contains "LinkedInBot" and ip.src.reverse_dns ends_with ".linkedin.com") or
# Allow monitoring (UptimeRobot, Pingdom, etc.)
(http.user_agent contains "UptimeRobot" and ip.src.reverse_dns ends_with ".uptimerobot.com") or
(http.user_agent contains "Pingdom" and ip.src.reverse_dns ends_with ".pingdom.com") or
# Allow AI crawlers (OpenAI, Common Crawl)
(http.user_agent contains "GPTBot" and ip.src.reverse_dns ends_with ".openai.com") or
(http.user_agent contains "CCBot" and ip.src.reverse_dns ends_with ".commoncrawl.org")
)
)

It is better to use Cloudflare’s verified bot field than use user agent, since user agents are easily spoofed to bypass your rule.
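The two rules proposed above both hinge on the exception clause. The first trusts a User-Agent substring, which anyone can send; the second adds an ip.src.reverse_dns check, but that is not one of the fields Cloudflare's Rules language exposes, so the rule cannot be saved as written. The field the last reply points at is cf.client.bot, a boolean Cloudflare sets only for bots it has itself verified (Bingbot, Googlebot and the rest of its known-bot list), which a client cannot spoof. The script below, an added example and not from the thread, builds the AS8075-style block rule from the first suggestion with that exception and pushes it through the Cloudflare Rulesets API for the http_request_firewall_custom phase. The zone ID and API token are placeholders supplied through environment variables; the ASN list is the Microsoft range quoted earlier in the thread.

```python
"""Create a Cloudflare WAF custom rule blocking the Microsoft ASNs unless the
request comes from a Cloudflare-verified bot.

Added example, not from the thread. Standard library only. CF_ZONE_ID and
CF_API_TOKEN are placeholders you must supply (token needs Zone WAF:Edit).
"""
import json
import os
import urllib.request

# Microsoft's ASN block as quoted in the thread (AS8068 to AS8075).
MICROSOFT_ASNS = (8068, 8069, 8070, 8071, 8072, 8073, 8074, 8075)

def build_expression(asns=MICROSOFT_ASNS) -> str:
    """Rules-language expression: match the ASNs, exempt verified bots.

    cf.client.bot is true only when Cloudflare has verified the crawler, so the
    exemption cannot be reached by spoofing a User-Agent string.
    """
    asn_set = " ".join(str(a) for a in sorted(asns))
    return f"(ip.src.asnum in {{{asn_set}}} and not cf.client.bot)"

def build_rule(asns=MICROSOFT_ASNS, action="block") -> dict:
    """One custom-rule object. Use action='managed_challenge' to trial it first."""
    return {
        "action": action,
        "expression": build_expression(asns),
        "description": "Block Microsoft ASNs except Cloudflare-verified bots",
        "enabled": True,
    }

def build_request(zone_id: str, api_token: str, rules: list) -> urllib.request.Request:
    """PUT the full rule list to the custom-rules phase entrypoint.

    Caveat: a PUT on the entrypoint replaces every custom rule in the phase, so
    the list must contain all rules you want to keep, not only the new one.
    """
    url = (f"https://api.cloudflare.com/client/v4/zones/{zone_id}"
           "/rulesets/phases/http_request_firewall_custom/entrypoint")
    body = json.dumps({"rules": rules}).encode()
    return urllib.request.Request(url, data=body, method="PUT", headers={
        "Authorization": f"Bearer {api_token}",
        "Content-Type": "application/json",
    })

if __name__ == "__main__":
    zone_id = os.environ["CF_ZONE_ID"]      # placeholder: your zone ID
    api_token = os.environ["CF_API_TOKEN"]  # placeholder: scoped API token
    req = build_request(zone_id, api_token, [build_rule()])
    with urllib.request.urlopen(req) as resp:
        result = json.load(resp)
    print("success:", result["success"])
```

Start with action="managed_challenge" and watch the Security Events log for a day before switching to "block": the challenge surfaces which legitimate integrations (uptime monitors, payment callbacks, third-party scanners) sit in the blocked ASNs, and those get their own narrow exception rather than a User-Agent match.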
