Use CloudFlare? Share your ASN blocks

[Tracy]

One feature I love about CF is the ability to block entire ASN's as well as specific IPs.
A few of the more recent that I have added as I get a LOT o "crap" from servers in their data centers (and since those aren't users, I don't have issues with blocking the entire ASN) are:
132203 (TENCENT-NET-AP-CN - China)
45899 (VNNIC-ASBLOCK-VN - Vietnam)
50565 (MuzafferGuler - Turkey)
135407 (TES-PL-AS-AP - Pakistan)
208312 (Red Byte LLC - Russia)
35913 (DEDIPATH-LLC - United States)
149428 (CODE200-AS-AP - Lithuania)
21859 (ZEN-ECN - United States)
22363 (POWER157 - United States)
136557 (HOST-AS-AP - Australia)

I don't do a full block... but they do have to go through a interactive challenge to get to the site. Since I've done this, a lot of my 404 errors (tracked by an add-on) to the site have bit the big one.
These are some of the attempts that have been presented:




Many of these are simply bots running out of data centers looking for an ingress point. With CF, you can block them totally or allow access based upon certain criteria.
Just to give an idea... I implemented these about 2 days ago.



I run the "good bots" on CF, but anything else that is being used, I really don't want wasting the time of my site.
The main portion of these are data centers... which honestly have NO reason to be accessing your site as a "user"... if you see them, then they are typically a bot working to spam your site.

So, what ASN's have you blocked?

 

[Tracy]

And one more to add to the collection

36352 (AS-COLOCROSSING - United States)

 

[Uncrowned]

This is a pretty clever way to combat spam. Plus if it does give a false positive, then the user can still bypass it.

 

[Tracy]

This is a pretty clever way to combat spam. Plus if it does give a false positive, then the user can still bypass it.

It's really doubtful any valid users will be coming in via a data center, but there could be the occasional one that is coming in through a private VPN, and I have no issues with that. That's why I set it up to use the CF captcha challenge (as it is also somewhat bot aware) and most scanning bots aren't able to handle a captcha.

 

[Tracy]

Just checking my CF ASN blocks... and over a 3 hour period, had over 400 attempts from the Turkey ASN trying to hit the /register and /login links on them. Pretty good indicator it's a bot! Of course, all stopped at the CF firewall.



<EDIT>
and now we are up to 983 just from this one IP in less than a 12 hour period.
Block at CF level... save your server some "horse power".

 

[Tracy]

I guess nobody else here actually utilizes the functions that CloudFlare offers even on the free tiers?
Surprising... 24 hours later and I have over 3K entires in my log file with CF on my ASN checks alone. And my site is a small, insignificant site when compared to others... I can only imagine how much "crap" the larger ones get thrown at them and that if it wasn't mitigated at a higher level would "steal" server resources.

A few more

54538 (Palo Alto Networks - US) apparently a "security" company that scans scans/spams your site
58057 (SecureBit AG - CH -Switzerland) - apparently another "security" company that loves to scan sites
55286 (B2 Net Solutions - CA) Yet another data center that really has NO reason to be interacting with your site
212238 (DataCamp Limited - UK) a VPN provider
9009 (M247 Europe) another VPN provider

 

[Tracy]

And the latest.
203020 (HostRoyale Technologies Pvt Ltd - India)
14061 (Digital Ocean - Singapore) - IP 157.230.249.54 scanning for WordPress vulnerabilities, likely a Script-Kiddies bot

 

[Cedric]

Thanks Tracy, I’ll be adding these to CF.

 

[Tracy]

Thanks Tracy, I’ll be adding these to CF.

Note... I don't "block" them, but I do use the challenge ability of CF... that way, if they are a valid user, they can still get through.

 

[Tracy]

I know this had to do with ASN blocks.. but CF is some good stuff. Just the last 24 hours for my small site.

 

[Tracy]

This is a classic example of why one should not put a lot of weight on statistics gathered by providers for your site... as detailed above, I have recently rolled out a LOT of changes that either totally block certain IP's based upon CF "threat vector" and then limit via ASN/IP to managed challenge... since I've rolled this out, this is what my CF stats are showing (when I REALLY got into using URI paths to block certain sites).

 

[Tracy]

One more reason to not necessarily use a total block for ASN's...
I use managed challenges... and as you can see, 4 of the 46 were solved... could they be bots.. sure, but odds aren't that high.

 

[kensonplays]

I use CF (for domain even) but I've never heard of ASN. Where is the setting located? I'm on the free plan.

 

[Tracy]

I use CF (for domain even) but I've never heard of ASN. Where is the setting located? I'm on the free plan.

I'm also on the free plan.. so with only 5 sets of rules, I had to combine some stuff into simply either actual blocks or managed challenges.
It's under the Security settings as your WAF.



You have to create a new rule and use the ASN or IP blocking

 

[kensonplays]

I'm also on the free plan.. so with only 5 sets of rules, I had to combine some stuff into simply either actual blocks or managed challenges.
It's under the Security settings as your WAF.

View attachment 1490

You have to create a new rule and use the ASN or IP blocking

View attachment 1491

Thanks, I only have 4 spaces left since I have one that blocks XF internal directory. I believe it was a suggested one from digitalpoints plugin.

 

[Tracy]

It's do-able with only 5

 

[Tracy]

Just thought I'd mention this... for me, the partial URI path block entries are more important than the ASN/IP blocks...so I recently moved the URI path blocks above the ASN/IP rule... that way, they get blocked before they even get presented with a challenge.

 

[Tracy]

Who amongst us would use an ISP with a "name" of Zjznjsjtyxgs?

Why am I not surprised that that IP is out of China? Smells like another BS spammer IP to me!

 

[Tracy]

For any interested... here is my current CF expression" for ASN/IP/bad behavior blocks.

(ip.geoip.asnum eq 132203) or (ip.src eq 217.146.82.231) or (ip.src eq 83.97.73.89) or (ip.geoip.asnum eq 45899) or (ip.geoip.asnum eq 50565) or (ip.src eq 64.137.97.230) or (ip.geoip.asnum eq 135407) or (ip.geoip.asnum eq 208312) or (ip.geoip.asnum eq 35913) or (ip.geoip.asnum eq 149428) or (ip.geoip.asnum eq 21859) or (ip.src eq 20.219.13.191) or (ip.geoip.asnum eq 208312) or (ip.geoip.asnum eq 22363) or (ip.geoip.asnum eq 136557) or (ip.geoip.asnum eq 36352) or (ip.geoip.asnum eq 54538) or (ip.geoip.asnum eq 58057) or (ip.geoip.asnum eq 55286) or (ip.geoip.asnum eq 9009) or (ip.geoip.asnum eq 212238) or (ip.geoip.asnum eq 203020) or (ip.geoip.asnum eq 14061) or (ip.geoip.asnum eq 25159) or (ip.geoip.asnum eq 965) or (ip.geoip.asnum eq 398101) or (ip.geoip.asnum eq 36352) or (ip.geoip.asnum eq 62904) or (ip.geoip.asnum eq 206092) or (ip.geoip.asnum eq 207651) or (ip.geoip.asnum eq 16276) or (ip.geoip.asnum eq 39134) or (ip.geoip.asnum eq 56067) or (ip.geoip.asnum eq 12552) or (ip.geoip.asnum eq 16509) or (ip.geoip.asnum eq 135258) or (ip.geoip.asnum eq 58461) or (ip.geoip.asnum eq 57523) or (ip.geoip.asnum eq 4134)

You should be able, if you use ASN blocks with CF currently) to your existing rules.
Simply choose Edit Expression in your CF WAF definition and add them in.

 

[Tracy]

Now, want some uri/path blocks... here 'ya go.
Realize.. if you run a WordPress site many of these will NOT work as they are specific to my XenForo install which does NOT have WP anywhere near it.
And I list these as FULL ON blocks in the CF WAF settings... they have NO reason to be "connecting".

(http.request.uri.path contains "/alfacgiapi/") or (http.request.uri.path contains "/wp-includes") or (http.request.uri.path contains "/cgi_bin/") or (http.request.uri.path contains "/remote/login") or (http.request.uri.path contains "/webfig/") or (http.request.uri.path contains "/solr/") or (http.request.uri.path contains "/owa/") or (http.request.uri.path contains "/mgmt/") or (http.request.uri.path contains "/symfony") or (http.request.uri.path contains "aws.yml") or (http.request.uri.path contains "/_profiler/") or (http.request.uri.path contains "/public/client/") or (http.request.uri.path contains "templates/editor-preload-container") or (http.request.uri.path contains "template/custom/content-editor") or (http.request.uri.path contains "templates2/viewpagetemplate.action") or (http.request.uri.path contains "pages/doenterpagevariables.action") or (http.request.uri.path contains "/wiki/pages/createpage-entervariables.action") or (http.request.uri.path contains "/wiki/pages") or (http.request.uri.path contains "/confluence/pages") or (http.request.uri.path contains "/login.phtml") or (http.request.uri.path contains ".aspx") or (http.request.uri.path contains ".pho") or (http.request.uri.path contains "/pages/createpage.action") or (http.request.uri.path contains "app?service=page/PrinterList") or (http.request.uri.path contains "/mgmt/tm/util/bash") or (http.request.uri.path contains "saas./resttosaasservlet") or (http.request.uri.path contains "/cpanel/") or (http.request.uri.path contains "/_all_dbs") or (http.request.uri.path contains "jira-webapp-dist") or (http.request.uri.path contains "microsoft.exchange.ediscovery") or (http.request.uri.path contains "/server-status") or (http.request.uri.path contains "/view?panel=config") or (http.request.uri.path contains "/remote/login?lang=en") or (http.request.uri.path contains "/alfa-rex.php7") or (cf.threat_score ge 50) or (http.request.uri.path contains "/_ignition") or (http.request.uri.path contains "/vendor/phpunit") or (http.request.uri.path contains "/administrator/index.php") or (http.request.uri.path contains " /geoserver") or (http.request.uri.path contains "onvif/device_service") or (http.request.uri.path contains "/remote/logincheck") or (http.request.uri.path contains "/Autodiscover/Autodiscover.xml") or (http.request.uri.path contains "/WPnBr.dll") or (http.request.uri.path contains "/templates/editor-preload-container") or (http.request.uri.path contains "/templates2") or (http.request.uri.path contains "/createpage.action?spaceKey=myproj") or (http.request.uri.path contains "/doenterpagevariables.action") or (http.request.uri.path contains "/createpage-entervariables.action") or (http.request.uri.path contains ".php7") or (http.request.uri.path contains "FD873AC4-CF86-4FED-84EC-4BD59C6F17A7") or (http.request.uri.query contains "phpstorm") or (http.request.uri.path contains "/wsman") or (http.request.uri.path contains "/testing/") or (http.request.uri.path contains "main/get") or (http.request.uri.path contains "_data/config/config/get") or (http.request.uri.path contains "app/login") or (http.request.uri.path contains "member/showSign") or (http.request.uri.path contains "web/goWeb/") or (http.request.uri.path contains "ajax/index_b_trends") or (http.request.uri.path contains "login/smsRand") or (http.request.uri.path contains "/live/getRealIP") or (http.request.uri.path contains "market/home/query") or (http.request.uri.path contains ".shtml") or (http.request.uri.path contains "/publics/") or (http.request.uri.path contains "/market/index/") or (http.request.uri.path contains "+CSCOE+/logon.html")

Since I've instituted these on my XF site (and somewhat modified for my personal blog)... the "crap" connections that I used to get (which steal resources) have dropped drastically. They get cut off at the knees at the CloudFlare level.
As an example


At one point (for a 24 hour period) the IP/ANS entry sat in the 4000 range.