Replies: 0
For the past 24 hours, we have received a TON of crazy hits all with the same footprint / DNA. They are “referred” and arrive from strange sites to our website and ALL come from the same server/host with various countries of origin and IP addresses. However, the hostname gives them away and I am blocking them accordingly.
EXAMPLE:
Netherlands arrived from http://mylanguageexchange.com/Search.asp?selCountry=141&selTxtChat=true&Cnt=9 and was blocked for UA/Referrer/IP Range not allowed at https://ourwebsite.com/folders/variouspages/
8/5/2017 10:27:29 AM (1 seconds ago) IP: 178.32.155.125 [unblock] Hostname: ip125.ip-178-32-155.eu
Browser: Chrome version 50.0 running on Win10
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Belgium arrived from https://www.crutchfield.com/S-BRJSHZeLiDP/popups/whybackorder.aspx?i=714R16CSM and was blocked for Manual block by administrator at https://ourwebsite.com/folders/variouspages/
8/5/2017 10:44:16 AM (4 seconds ago) IP: 164.132.188.198 [unblock] Hostname: ip198.ip-164-132-188.eu
Browser: Chrome version 50.0 running on Win10
My questions are twofold:
1) How can I quickly filter these out? I am getting them around one every TWO SECONDS so my live report is 90% RED blocked boxes as you can imagine.
Currently blocking using BLOCKING/AdvancedBlocking
IP Range: Allow all IP addresses
Hostname: *.ip-145-239-62.eu
Since doing so, here’s what has been blocked over the past 12 hours:
Hostname: *.ip-145-239-62.eu
5570 blocked hits
Last blocked: 10 secs ago
Hostname: *.ip-178-32-155.eu
2616 blocked hits
Last blocked: 8 secs ago
Hostname: *.ip-79-137-116.eu
2885 blocked hits
Last blocked: 6 secs ago
2) Not having a filter (or knowing about the filter) to only show LEGITIMATE traffic (bots, humans) prevents me from easily spotting bad traffic and blocking them.
Note: the only setting I think can work is the Advanced Settings:
All Hits w/ Advance Settings
Firewall Response = OK
*Suggest a basic setting with All Hits, Not Blocked (or something)
**Clicking to the BLOCKED tab and then hitting “back” to the live traffic always removes the filter I just set up. If the suggestion above is not hardcoded as a standard filter (perhaps one already exists that I am unaware of for that too…), it would be nice for WF to save that last setting so that Live Traffic, upon hitting the back button, keeps that filter applied.
3) What other settings can I use to divert this traffic? It’s all spam. At what point does WF get overloaded? Is there a way to tell WF to automatically block other sites like this or their routines? The traffic would look semi-normal but what is nice is that WF shows the referring links in RED and when many start hitting our site, it lights up.
Would you recommend setting up a CDN – like right now?
Thanks for any input on this one.
Dave
BTW – I have to say, been using WF for 2 years and it’s just amazing. Thanks for your passion and dedication to this platform and securing the world. You guys rock.
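The hostnames quoted in the post all have the shape ipNNN.ip-A-B-C.eu, so a hostname rule such as *.ip-178-32-155.eu covers exactly the addresses in 178.32.155.0/24. The script below is an added example (it is not part of the post and not Wordfence code): it turns each hostname glob into that CIDR, runs both the glob and the CIDR over a constructed log (the IPs and reverse-DNS names are the ones quoted in the post; the two "legitimate" visitors use RFC 5737 documentation addresses), counts blocked hits per rule the way the post's blocked-hits summary does, and proposes a new glob for any unblocked hit whose reverse-DNS name has the same shape (the 164.132.188.198 hit, which the three listed rules miss). The log format and the field names are assumptions for the example. The point of keeping the CIDR beside the glob is that PTR records are set by whoever holds the address space, so a hostname-only rule silently stops matching if the lookup returns nothing or the name changes, while the network rule does not depend on DNS at all.

```python
import fnmatch
import ipaddress
import re
from collections import Counter

# Reverse-DNS names of the form ipNNN.ip-A-B-C.eu (the shape quoted in the post)
# and the matching glob rule shape *.ip-A-B-C.eu.
PTR_RE = re.compile(r"^ip(\d{1,3})\.ip-(\d{1,3})-(\d{1,3})-(\d{1,3})\.eu$")
GLOB_RE = re.compile(r"^\*\.ip-(\d{1,3})-(\d{1,3})-(\d{1,3})\.eu$")


def ptr_to_glob(hostname):
    """'ip125.ip-178-32-155.eu' -> '*.ip-178-32-155.eu'; None if not that shape."""
    m = PTR_RE.match(hostname.strip().lower())
    if not m:
        return None
    _, a, b, c = m.groups()
    return f"*.ip-{a}-{b}-{c}.eu"


def glob_to_cidr(glob):
    """'*.ip-145-239-62.eu' -> IPv4Network('145.239.62.0/24'); None if the glob
    is not that shape or an octet is out of range (assumed: the three dashed
    numbers are the first three octets of the address)."""
    m = GLOB_RE.match(glob.strip().lower())
    if not m:
        return None
    try:
        return ipaddress.IPv4Network("{}.{}.{}.0/24".format(*m.groups()))
    except ValueError:  # e.g. an octet above 255
        return None


def compile_rules(globs):
    """Pair every hostname glob with its CIDR so a hit is still caught when
    the reverse lookup returns no name."""
    return [(g, glob_to_cidr(g)) for g in globs]


def match_rule(ip, hostname, rules):
    """Return the glob that blocks this hit (by name or by network), or None."""
    addr = ipaddress.ip_address(ip)
    for glob, net in rules:
        if hostname and fnmatch.fnmatchcase(hostname.lower(), glob.lower()):
            return glob
        if net is not None and addr in net:
            return glob
    return None


def parse_line(line):
    """Constructed log format: '<timestamp> <ip> <ptr-or-dash> <referrer>'."""
    ts, ip, ptr, referrer = line.split(None, 3)
    return {"ts": ts, "ip": ip, "ptr": None if ptr == "-" else ptr, "ref": referrer}


def triage(lines, globs):
    """Count blocked hits per rule, keep the unblocked hits, and propose a new
    glob for each unblocked hit whose PTR has the ipNNN.ip-A-B-C.eu shape."""
    rules = compile_rules(globs)
    blocked = Counter()
    allowed = []
    proposed = set()
    for line in lines:
        hit = parse_line(line)
        rule = match_rule(hit["ip"], hit["ptr"], rules)
        if rule:
            blocked[rule] += 1
        else:
            allowed.append(hit)
            g = ptr_to_glob(hit["ptr"]) if hit["ptr"] else None
            if g:
                proposed.add(g)
    return blocked, allowed, sorted(proposed)


# The three hostname rules quoted in the post.
BLOCKED_GLOBS = ["*.ip-145-239-62.eu", "*.ip-178-32-155.eu", "*.ip-79-137-116.eu"]

# Constructed sample log (not real traffic): addresses and PTR names from the
# post, plus RFC 5737 documentation addresses for the two legitimate visitors.
SAMPLE_LOG = [
    "2017-08-05T10:27:29 178.32.155.125 ip125.ip-178-32-155.eu http://mylanguageexchange.com/Search.asp",
    "2017-08-05T10:27:31 145.239.62.40 - http://example.com/some-page",  # lookup returned no PTR
    "2017-08-05T10:27:33 79.137.116.9 ip9.ip-79-137-116.eu http://example.org/x",
    "2017-08-05T10:44:16 164.132.188.198 ip198.ip-164-132-188.eu https://www.crutchfield.com/popups/whybackorder.aspx",
    "2017-08-05T10:44:20 198.51.100.23 crawler.search.example https://www.google.com/",
    "2017-08-05T10:44:25 203.0.113.7 - -",
]

if __name__ == "__main__":
    blocked, allowed, proposed = triage(SAMPLE_LOG, BLOCKED_GLOBS)
    for glob, n in blocked.most_common():
        print(f"{glob:24s} ({glob_to_cidr(glob)})  {n} blocked hits")
    print("allowed:", [h["ip"] for h in allowed])
    print("candidate new rules:", proposed)
```

Run as-is, the three listed rules each block one sample hit (the 145.239.62.40 hit only via its CIDR, since the sample has no PTR for it), the 164.132.188.198 hit passes and shows up as the candidate rule *.ip-164-132-188.eu, and the two documentation-range visitors pass untouched. The CIDRs printed beside each glob are what you would hand to a network-level block (hosting firewall or CDN rule) if the per-request hostname checks become a load problem.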