WAF managed challenge bypassed?
Hello, we have Managed Challenge enabled for all requests to a sub-domain; however, it seems like it is being bypassed. Looking at the solve rate confuses me, however, as it says they are not solving the challenge, but they are still able to down the domain.
49 Replies
So then how are they doing it?
The entire sub domain is behind the managed challenge
and there are no requests not coming from cloudflare
plus firewall only allows CF ips
it's not anything fancy
just match hostname
wait so is this how they are bypassing it?
sigh...
ok how do I catch that bs?
so this?
Is there anything else you would do?
my headers are weird
There are just so many though
How do I even do that.
I have also been wanting to setup rate limiting but I keep false positive people when I try
sloth is the best fr
this is next level support
It didn't do it
They are still not being given the challenge
Sloth never woke up it seems 😦
Lol
What seems to be the purpose of the attack? Are they trying to login or something (to your panel) or is just traffic meant to overwhelm your servers/site?
just curious 🙂
You said you got false positives with the Rate Limiting rule? How so?
And they're still sending traffic, even though you have the managed challenge on the Panel?
https://pterodactyl.io/ overwhelm the server
Pterodactyl
Pterodactyl is an open-source game server management panel built with PHP, React, and Go. Designed with security in mind, Pterodactyl runs all game servers in isolated Docker containers while exposing a beautiful and intuitive UI to end users.
I just kept getting ourselves triggered, as each server on ptero does multiple API calls to check CPU, RAM, and network usage constantly
yes
but they aren't "solving" the managed challenge; it seems like the random ports they do don't get blocked and still get forwarded to the server
even though those ports aren't even open
You can configure a WAF rule to skip the Rate Limit if it matches your server (IP, User Agent, etc) btw 🙂
I am talking about my personal ip getting blocked
and my ip is dynamic
Can't you whitelist your IP's ASN (ISP Provider)?
Add it to the Skip Rate Limit Rule 🙂
I could yes but I would have to do that for every person who uses the panel.
I mean wouldn't that be worth it? 😄
oh you mean your customers
well...
the rate limit should be configured so that enough requests can get through for legit requests
you wouldn't want it to be like 10 requests per 10 seconds obviously
I'd prob set it to like idk.. 250/10 seconds or something
obv people spamming your site would hit that easily
But it sounds like you don't have something configured correctly if you still have requests coming in (with different ports)
the domain rule should be working on panel.playavalon.net if you have that
I don't understand it. The ports are closed
only 80 & 443 are open
The ports don't have to be open
It's just telling you that they're sending requests to those ports
doesn't mean they're open
Is this image from your WAF page?
this is just showing you a list of hosts.. why do you think they went through?
If I sort by status code 200 they still show up
If you go to your WAF event log.. are there requests that are getting blocked/challenged.. or are they all 200's ?
some get blocked some are allowed
What's the CSR?
There have been WAAAY more than 16mil requests
Ok instead of Managed Challenge.. change the action to an "Interactive Challenge"
maybe they're getting around the managed challenge (js) somehow
that will show them a captcha
I already tried that
Hmm ok. How many IPs/user agents are there? A lot of different ones, I'm assuming?
idek how to show more than 15 without constantly excluding
So I would prob rely on the rate limiting rule.. since they may be bypassing the captcha somehow?
Try setting the rate limit to 500/10 seconds
and then do block for an hour
that's prob your best bet
they'll give up after awhile
it won't be worth it if all their ips are rate limited for an hour
there's no way someone doing legit requests on the frontend website is doing 500 requests per 10 seconds
I would love to see the logs for the requests that are 200 tho
if you can figure out how to get that somehow
like the full request headers
I ship all my request logs to Axiom personally.. so I can search/log every request
you can prob log requests on your origin server, no?
I have nginx logs
Ah yeah check those.. are they sending some sort of Cloudflare cookie.. that would authorize them (past the captcha)?
the cookie would prob be the same on all requests (I think?)
cf_clearance cookie maybe?
access log doesn't have that
Hmm? uhhhh.. they should
can you share a full output of the headers if you don't mind?
Can I dm you the log file?
Yeah sure
sec
Go ahead 🙂
upload speed sucks gonna take a sec
Ouch this is good to know
Cloudflare should probably document that and/or add a host without the port field