Why am I attacked from these countries: Yemen, Syria, Sudan, Turkey

#1

For two weeks now I have been under heavy attack from these specific countries:
Yemen
Syria
Sudan
Turkey

The attacker keeps calling the same URL on my server from those countries through mobile networks.

Is it because these countries are unstable and at war, so the mobile networks and internet are not controlled by the government or not secure, and maybe parts are controlled by terrorists?

The attacker loads the dynamic document only, does not load the page assets, and creates a semi-regular pattern as follows:

It creates a random user session, then inside each session loads the URL at random intervals between 1 and 3 minutes, then every few sessions destroys this user connection completely and starts again.

So from each country he is generating 1000s of users, and therefore Cloudflare is unable to detect this as an attack, and even the firewall on my server is unable to detect it as an attack because he is randomizing everything, even the user-agent text. The only thing he is not randomizing is the URL he is attacking. I think the reason is that he chose the largest page size on the website.

Google Analytics sees these users, but Google AdSense does not see these hits as page views or impressions. So it seems he is creating WebView browsers loading the URL, but the WebViews are not visible and therefore AdSense does not count them.

Does anyone face such issues? Any suggestions?

#2

If they always hit the same URL, you may want to Challenge all visitors to that URL with a Firewall Rule:

(http.request.uri.path eq "/some-url/")

You may also block or challenge all visitors from those countries:

(ip.geoip.country in {"SY" "YE" "SD" "TR"})

I have a similar issue with hackers from Ukraine, also a country at war (or the constant threat of). Turkey and (as far as I know) Sudan are not at war, though they may face occasional terrorist threats.

Trying to guess why specific hackers attack from certain nations is fruitless in my opinion, as most criminal hackers will try to obtain foreign IP addresses in order to make it harder for law enforcement to pursue actions against them. So the hacker from Syria or Ukraine may as well be operating out of Germany or Canada, or the other way around.

#3

I already did this firewall rule, but most normal users go away from those reCAPTCHAs. So I lose most normal users with this rule, but I have no other way, so I am using it.

I also blocked the “TOR” project country rule.

I am afraid he is using VPNs from those countries, or using a VPN service that lets him select the countries, allowing him to choose how he wants to appear from these countries.

I do not think Cloudflare has any list of the known VPN services' IPs. I hope they can make a built-in firewall rule like the TOR country.

#4

Can’t you cache this page so that the burden falls on CF as opposed to your servers? Or at least most of the page, with iframes for the dynamic parts.

#5

No, it is a dynamic MySQL-driven page. I cannot even change the URL because it is popular in Google, and changing it will lead to page not found on external links.

#6

And do you have lots of legit traffic from these countries through mobile networks? Otherwise you could find their AS numbers and challenge them.

#7

I’m having difficulty wrapping my head around a VPN on a mobile network. OP says attacks are coming from mobile networks as a VPN. As @floripare said, it shouldn’t be difficult to clamp down on AS numbers. And if users don’t like the CAPTCHA, the JS challenge should slow the bots down.

I also believe that a user who passes the CAPTCHA or JS challenge will get a cookie so they don’t have to keep hitting that challenge. I could be wrong about this.

#8

If you mean “Can an attacker use a VPN while connected to a mobile data network?”, then yes, almost all recent Android devices (not older than 4 years) have built-in VPN support, usually for the PPTP and L2TP/IPSec protocols. Look for “VPN Settings” or similar. I also think most people in the world now have a 4G modem/router device connected to the mobile network, the same as a landline modem/router, and then the whole house connects to the Wi-Fi through this 4G modem/router.
According to Google Analytics, 99.6% of my users are using their mobile devices, so I think most of them are also connected through a mobile network.
As I said in the first post, I assume the attacker built a script/bot that simulates a mobile browser and connects through a VPN to be able to select the countries he wants his traffic to appear from.
I get the attacker IPs from the Cloudflare firewall events log, and using whois I saw he is using mobile networks in these countries.

#10

The above two are not the same. So they’re probably not coming from a mobile network. And VPNs don’t use mobile networks as an exit point.

The goal here is to narrow down the firewall rules to target the bots. Unfortunately, “Mobile Browser” isn’t one of the options.

It looks like all we can suggest is a firewall rule to limit the four countries with a JS challenge on that one URL.

#11

The JS challenge does not work, and it seems it is useless in any case because JS code will run even if the browser window is not displayed, so it will run inside bots on a web server; it passes through normally. The only thing that works is the reCAPTCHA challenge.

#12

If they are not coming from a mobile network, but are using mobile user agents, you could create a Firewall Rule that matches any request with a mobile user agent that is NOT coming from a mobile network in the mentioned countries.

First, list the AS numbers and IP ranges from the mobile networks in the mentioned countries, as well as the Country codes, linking them with the AND operator:

Then if you are in a Business Plan, you could use the regular expression Cloudflare uses to match mobile UAs. (Source)

Mobile: (?:phone|windows\s+phone|ipod|blackberry|(?:android|bb\d+|meego|silk|googlebot) .+? mobile|palm|windows\s+ce|opera\ mini|avantgo|mobilesafari|docomo)

Tablet: (?:ipad|playbook|(?:android|bb\d+|meego|silk)(?! .+? mobile))

Desktop: Everything else not matched above.

If you are not on a Business Plan, you could try to rewrite that regular expression in the Firewall Rules editor, as follows:

List keywords that only show in mobile user agents, using the CONTAINS operator linked with the OR logical operator.

Then click on “Edit expression” to enclose the list of UAs within parentheses. At the end, you’d have an expression like this:

(ip.geoip.asnum ne 12345 and not ip.src in {1.2.3.0/24 2.3.4.0/22} and ip.geoip.country in {"SY" "YE" "SD" "TR"} and (http.user_agent contains "mobile" or http.user_agent contains "phone" or http.user_agent contains "iPhone"))

For a list of other mobile user agent keywords, you may check your own logs as well as the above-mentioned regex used by Cloudflare.

You could test this with a JS Challenge, check the logs, and if the intended target is hit, move up to Challenge or Block.

Let us know if this works, and if not, why.

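To see how the rule described in this reply behaves on real traffic before enabling it, here is an added example (not from the thread or from Cloudflare) that applies the quoted mobile/tablet regexes and the country/ASN/UA logic to a handful of constructed request records. The carrier ASNs and the target path are placeholders; the real values have to come from whois and your own firewall event logs.

```python
import re

# Cloudflare's published UA patterns, exactly as quoted in the thread,
# checked in the order the post lists them (mobile, then tablet, else desktop).
MOBILE_RE = re.compile(
    r"(?:phone|windows\s+phone|ipod|blackberry|"
    r"(?:android|bb\d+|meego|silk|googlebot) .+? mobile|"
    r"palm|windows\s+ce|opera\ mini|avantgo|mobilesafari|docomo)", re.I)
TABLET_RE = re.compile(
    r"(?:ipad|playbook|(?:android|bb\d+|meego|silk)(?! .+? mobile))", re.I)

TARGET_COUNTRIES = {"SY", "YE", "SD", "TR"}
TARGET_PATH = "/some-url/"          # placeholder for the one URL being hit
# Placeholder ASNs: replace with the real mobile carriers found via whois.
MOBILE_ASNS = {"SY": {64501}, "YE": {64502}, "SD": {64503}, "TR": {64504}}

def classify_ua(ua):
    """Return 'mobile', 'tablet' or 'desktop' for a User-Agent string."""
    if MOBILE_RE.search(ua):
        return "mobile"
    if TABLET_RE.search(ua):
        return "tablet"
    return "desktop"

def action_for(req):
    """Mirror the post's rule: challenge a mobile UA that hits the target
    path from a listed country but NOT from that country's mobile carriers."""
    if req["path"] != TARGET_PATH or req["country"] not in TARGET_COUNTRIES:
        return "allow"
    if classify_ua(req["user_agent"]) != "mobile":
        return "allow"
    if req["asn"] in MOBILE_ASNS[req["country"]]:
        return "allow"              # genuine carrier traffic is left alone
    return "challenge"

def triage(requests):
    """Apply the rule to a batch of request records (e.g. parsed log lines)."""
    return [action_for(r) for r in requests]

# Constructed sample requests, not real log data.
SAMPLE = [
    {"country": "SY", "asn": 64501, "path": "/some-url/",
     "user_agent": "Mozilla/5.0 (Linux; Android 10) Mobile Safari/537.36"},
    {"country": "SY", "asn": 64999, "path": "/some-url/",
     "user_agent": "Mozilla/5.0 (Linux; Android 10) Mobile Safari/537.36"},
    {"country": "TR", "asn": 64999, "path": "/some-url/",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/90.0"},
    {"country": "DE", "asn": 64999, "path": "/some-url/",
     "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 14_0) Mobile/15E148"},
]
```

Only the second record is challenged: same mobile UA and country as the first, but from an ASN that is not one of the listed carriers.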
#13

Even behind a VPN you should be able to see their real IP (in most cases). After that you have lots of options:

  1. Can't you cache this heavy page, so it won't create a bottleneck on your server?
  2. Challenge all these countries.
  3. Enable rate limiting.
  4. Do you have sample logs of these requests? (The more the better; censor private info.)