High Number of Security Threats
I just got an email saying Cloudflare detected 633 Security Threats for my domain. It also says this is more than the average site on Cloudflare... I am so confused as to why this would be the case?? Am I being targeted? My domain isn't really even out there right now! I just use it as a reverse proxy now, though my plan is to use it for a public-facing domain in the future... but it's not out there at all right now? Why would I be getting this many security threats esp. when my domain isn't really public? I've even blocked all traffic except traffic from the US, so I don't know how the threat number is so high! Sort of freaking out..
5 Replies
I posted but no reply so I wasn't sure if issues over the weekend got looked at. As I said I'm freaking out and I don't know where/who to reach out to.
What do you mean it's fine? It said it's an above normal number of threats and I haven't advertised the site anywhere at all -- just a reverse proxy
I believe those include your own blocks/waf rules so you may just be causing your own panic.
> Why would I be getting this many security threats esp. when my domain isn't really public?

There's a lot of bots which just scan websites/the internet constantly. Domains are discovered and scanned super quickly on every SSL certificate issuance via something called Certificate Transparency Logs, intended to raise transparency/tracking of certificates, but they also allow bots to listen by their nature. You'll get up to a thousand or so requests from that easily. Hacks don't magically happen; if you're worried, make sure your origin stays up to date on updates and secure your origin by at the very least allowlisting only CF IPs (https://developers.cloudflare.com/fundamentals/basic-tasks/protect-your-origin-server/) (or, if shared hosting, you can use and check a secret header), so that all traffic goes through Cloudflare first and you benefit from CF's free WAF/mitigations.
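An added example, not part of the thread and not Cloudflare's code: one way an origin could enforce the two checks suggested in the reply above, accepting a request only when the TCP peer is a Cloudflare address or, on shared hosting, when it carries a secret header. The header name, the secret value and the abbreviated range list are assumptions; the full current list is published at https://www.cloudflare.com/ips/.

```python
import hmac
import ipaddress

# Abbreviated sample of Cloudflare's published ranges (assumption: a snapshot;
# load the full current list from https://www.cloudflare.com/ips/ in real use).
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "141.101.64.0/18",
    "104.16.0.0/13", "172.64.0.0/13", "162.158.0.0/15",
    "2606:4700::/32", "2400:cb00::/32",
)]

SECRET_HEADER = "x-origin-auth"              # hypothetical header name
SECRET_VALUE = "constructed-example-secret"  # constructed; use a long random value


def from_cloudflare(peer_ip: str) -> bool:
    """True if the TCP peer address falls inside a Cloudflare range."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    # Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return any(addr in net for net in CLOUDFLARE_RANGES)


def has_secret(headers: dict) -> bool:
    """Constant-time comparison of the secret header added at the proxy."""
    supplied = {k.lower(): v for k, v in headers.items()}.get(SECRET_HEADER, "")
    return hmac.compare_digest(supplied.encode(), SECRET_VALUE.encode())


def allow_request(peer_ip: str, headers: dict, shared_hosting: bool = False) -> bool:
    """Decide whether the origin should serve this request.

    peer_ip must be the socket's remote address. Headers such as
    CF-Connecting-IP or X-Forwarded-For are set by whoever connects,
    so they prove nothing when a scanner reaches the origin directly.
    """
    if shared_hosting:
        # No control over the firewall: rely on the secret header instead.
        return has_secret(headers)
    return from_cloudflare(peer_ip)
```

In practice the IP allowlist is better enforced in the host firewall or web server configuration, so that direct connections are dropped before they reach application code.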
I know of the general standby webcrawling hum of the internet but the 'above average' part is what worried me most. If it's only a little above average that's normal (I think). But if it's non-negligibly above average I would think I've somehow signaled (through some setting or the disabling of some setting or other observable thing) that I'm low hanging fruit, inviting a hacker to target me with a more advanced/targeted hack that I'm not prepared for. I don't know what I'd do in that situation other than take the domain down :/...
However!!!
If that number includes blocking rules that would be such a relief. It would mean my Non-US blocking rule is what is causing the threat number to be so high. On the other hand, if it was the blocking rule, I would think the number would be even higher. :/
Is there a way to see the threats blocked?
Analytics & Logs -> Security under your website in the dash
> that I'm low hanging fruit, inviting a hacker to target me with a more advanced/targeted hack that I'm not prepared for.

Not really how that works/not what I would be worried about. There's so many domains out there and on CF that aren't used/idle/etc. that average can easily be misleading.
God, thank you.
The security page was kinda confusing. It listed all threats as unclassified, and also said WAF rules are not counted as threats.
That said, the number of threats matched up with the number of Firewall logs. So I'm just going to look at that and see if it tracks. Because that threat number makes a lot of sense if it's country blocking.
Thanks again!