#WAF managed challenge bypassed?
124 messages · Page 1 of 1 (latest)
that means that some requests are not being caught and are still reaching your backend
if the sr was higher than 0% it could mean a bypass but out of 3.7M only 17 passed
So then how are they doing it?
either sending requests directly to the backend or the waf isn't catching all the requests
The entire sub domain is behind the managed challenge
and there are no requests not coming from cloudflare
plus firewall only allows CF ips
just taking a guess, checking the hostname allows the requests to pass the rules potentially
if you want to match all requests and still make it a rule, you can do something that will never match.
if country is X and country is Y, it's impossible for it to be true and you will be guaranteed that all requests will match against that rule
otherwise enable UAM
Yep
just match hostname
if the hostname is that + port, it won't be matched
the hostname can be set to subdomain:443, etc
wait so is this how they are bypassing it?
instead of checking for an exact match, do an include
if hostname contains playavalon.net -> challenge
that should do it yeah
Is there anything else you would do?
https://community.cloudflare.com/t/mitigating-an-http-ddos-attack-manually-with-cloudflare/302366 this has an overview of the steps I'd take
there are more advanced features you can look into if that's not enough, you can match headers and build expressions that have more versatility than the rule builder allows
yeah those are definitely anomalous
There are just so many though
there's many anomalies that you will find once you visualize the data that's available on the dash
x-requested is one, referrer also gives you a good indicator
you could also check if the accept or accept-language headers are valid (or even present)
How do I even do that?
not any(lower(http.request.headers.names[*])[*] eq "accept") or not any(lower(http.request.headers.names[*])[*] eq "accept-language")
I think that should work
the docs have a few examples of using more advanced patterns
you need to click on edit expression and add it manually
this will check if either accept or accept-language are missing on the request
I have also been wanting to set up rate limiting but I keep getting false positives on people when I try
yeah that's one of the issues you can find when using rate limit
gotta be careful with it
It didn't do it
They are still not being given the challenge
Sloth never woke up it seems 😦
Lol
What seems to be the purpose of the attack? Are they trying to login or something (to your panel) or is just traffic meant to overwhelm your servers/site?
just curious 🙂
You said you got false positives with the Rate Limiting rule? How so?
And they're still sending traffic, even though you have the managed challenge on the Panel?
https://pterodactyl.io/ overwhelm the server
Pterodactyl is an open-source game server management panel built with PHP, React, and Go. Designed with security in mind, Pterodactyl runs all game servers in isolated Docker containers while exposing a beautiful and intuitive UI to end users.
I just kept getting us triggered, as each server on ptero constantly does multiple API calls to check CPU, RAM and network usage
yes
but they aren't "solving" the managed challenge; it seems like the random ports they use don't get blocked and still get forwarded to the server
even though those ports aren't even open
You can configure a WAF rule to skip the Rate Limit if it matches your server (IP, User Agent, etc) btw 🙂
I am talking about my personal ip getting blocked
and my ip is dynamic
Can't you whitelist your IP's ASN (ISP Provider)?
Add it to the Skip Rate Limit Rule 🙂
I could yes but I would have to do that for every person who uses the panel.
I mean wouldn't that be worth it? 😄
oh you mean your customers
well...
the rate limit should be configured so that enough requests can get through for legit requests
you wouldn't want it to be like 10 requests per 10 seconds obviously
I'd prob set it to like idk.. 250/10 seconds or something
obv people spamming your site would hit that easily
But it sounds like you don't have something configured correctly if you still have requests coming in (with different ports)
the domain rule should be working on panel.playavalon.net if you have that
The ports don't have to be open
It's just telling you that they're sending requests to those ports
doesn't mean they're open
Is this image from your WAF page?
this is just showing you a list of hosts.. why do you think they went through?
If you go to your WAF event log.. are there requests that are getting blocked/challenged.. or are they all 200's ?
some get blocked some are allowed
What's the CSR?
There have been WAAAY more than 16mil requests
Ok instead of Managed Challenge.. change the action to an "Interactive Challenge"
maybe they're getting around the managed challenge (js) somehow
that will show them a captcha
I already tried that
Hmm ok. How many ips/user agents are there? A lot of different ones I'm assuming?
So I would prob rely on the rate limiting rule.. since they may be bypassing the captcha somehow?
Try setting the rate limit to 500/10 seconds
and then do block for an hour
that's prob your best bet
they'll give up after a while
it won't be worth it if all their ips are rate limited for an hour
there's no way someone doing legit requests on the frontend website is doing 500 requests per 10 seconds
I would love to see the logs for the requests that are 200 tho
if you can figure out how to get that somehow
like the full request headers
I ship all my request logs to Axiom personally.. so I can search/log every request
you can prob log requests on your origin server, no?
I have nginx logs
Ah yeah check those.. are they sending some sort of Cloudflare cookie.. that would authorize them (past the captcha)?
the cookie would prob be the same on all requests (I think?)
cf_clearance cookie maybe?
access log doesn't have that
Hmm? uhhhh.. they should
can you share a full output of the headers if you don't mind?
Can I dm you the log file?
upload speed sucks gonna take a sec
Ouch this is good to know