Ocean West, posted July 15, 2021 (edited)

Many from Russia federation. ISP has been blocking IP ranges and were hitting 90+ percent. This page has thousands of hits:

/index.php?app=core&module=system&controller=terms&do=dismiss&ref=aHR0cHM6Ly9mbWZvcnVtcy5jb20v&csrfKey=57b5fbe3994e7853b63828caa0779e88

What table could I see guest access and IPs sorted by time? Trying to go through the who is online and clicking links is tedious (on top of this I am going off the grid for the weekend camping).

Edited July 15, 2021 by Ocean West

Randy Calvert, posted July 15, 2021

I've had a LOT of spam registrations from both China and Russia. It got to the point where I finally used the Cloudflare WAF to deny traffic from those two countries.

CoffeeCake, posted July 15, 2021

You definitely want to handle this externally from IPS. Look at either setting up a firewall or using a CDN in front of your install that prevents this from happening.

Ocean West (Author), posted July 22, 2021

OK, post mortem: I am finally back to civilization after going camping, and my ISP told me my server was getting thousands of hits a second on that page. He didn't see any redirects but rather direct links to that URL. He thought it was some forum vulnerability - not entirely sure. He mitigated it while I was away, blocking thousands of IP addresses, both IPv4 and 6, in addition to entire countries. After a while things returned to a normal level.

I was in the process of switching to Cloudflare but didn't have a chance to implement it before I was out of internet range. He told me today that another one of his clients had an attack on a server and they were using Cloudflare; the attackers were spoofing them or such.

Jim M, posted July 23, 2021

20 hours ago, Ocean West said: "He thought it was some forum vulnerability - not entirely sure."

There are no known vulnerabilities. Were these IPs (or variations) hitting other URLs too? If so, probably some rogue bot that has saved a bunch of URLs and is going back. The specific URL you mentioned would create an error, as the CSRF key had expired if they went back to it.

I saw this a lot on my personal community with Russia with text scraper bots and just blocked the whole country.
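
An added example, not part of the thread: one way to check from the web server's access log whether the clients hitting the terms-dismiss URL also request other URLs, listed by most recent activity. It assumes combined log format; the sample lines, addresses, `ref` and `csrfKey` values and status codes are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (documentation-range addresses, placeholder keys).
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jul/2021:03:10:01 +0000] "GET /index.php?app=core&module=system&controller=terms&do=dismiss&ref=AAAA&csrfKey=0000 HTTP/1.1" 403 512 "-" "bot"
203.0.113.7 - - [15/Jul/2021:03:10:01 +0000] "GET /index.php?app=core&module=system&controller=terms&do=dismiss&ref=AAAA&csrfKey=0000 HTTP/1.1" 403 512 "-" "bot"
203.0.113.7 - - [15/Jul/2021:03:10:02 +0000] "GET /index.php?app=core&module=system&controller=terms&do=dismiss&ref=AAAA&csrfKey=0000 HTTP/1.1" 403 512 "-" "bot"
198.51.100.22 - - [15/Jul/2021:03:10:05 +0000] "GET /topic/1-hello/ HTTP/1.1" 200 9000 "-" "browser"
198.51.100.22 - - [15/Jul/2021:03:10:09 +0000] "GET /index.php?app=core&module=system&controller=terms&do=dismiss&ref=BBBB&csrfKey=1111 HTTP/1.1" 200 300 "-" "browser"
198.51.100.22 - - [15/Jul/2021:03:10:12 +0000] "GET /forum/2-general/ HTTP/1.1" 200 7000 "-" "browser"
2001:db8::5 - - [15/Jul/2021:03:11:00 +0000] "GET /index.php HTTP/1.1" 200 8000 "-" "browser"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) ')

def is_terms_dismiss(target):
    """True when the request targets the terms 'dismiss' action, whatever ref/csrfKey it carries."""
    q = parse_qs(urlsplit(target).query)
    return q.get("controller") == ["terms"] and q.get("do") == ["dismiss"]

def summarize(log_text):
    """Per client: dismiss hits, distinct other paths, a label, last seen; newest first."""
    stats = defaultdict(lambda: {"dismiss": 0, "other": set(), "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, ts, target, _status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        s = stats[ip]
        s["last"] = max(s["last"] or when, when)
        if is_terms_dismiss(target):
            s["dismiss"] += 1
        else:
            s["other"].add(urlsplit(target).path)
    rows = []
    for ip, s in stats.items():
        if s["dismiss"] and not s["other"]:
            label = "only-dismiss-url"   # replays one saved link, never browses
        elif s["dismiss"]:
            label = "also-other-urls"    # hits the link among other pages
        else:
            label = "no-dismiss"
        rows.append((ip, s["dismiss"], len(s["other"]), label, s["last"]))
    return sorted(rows, key=lambda r: r[4], reverse=True)

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(*row, sep="\t")
```
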

Ilya Hoilik, posted July 23, 2021

13 minutes ago, Jim M said: "I saw this a lot on my personal community with Russia with text scraper bots and just blocked the whole country."

Ocean West (Author), posted August 3, 2021

OK, it's been back all night. I moved DNS records over to Cloudflare and set up a firewall and blocked Russia, but hits spike the second I turn off Under Attack mode... Any advice?