Website Under Attack

This morning I woke up to over 7000 emails from my Django server of Disallowed Host errors. My app is correctly rejecting the requests, which are all coming from a single IP address and are also trying to access my site at the IP level rather than the domain. Here is an example: Invalid HTTP_HOST header: '35.230.16.13:6868'. You may need to add '35.230.16.13' to ALLOWED_HOSTS. DisallowedHost at /druid/index.html Invalid HTTP_HOST header: '35.230.16.13:6868'. You may need to add '35.230.16.13' to ALLOWED_HOSTS. Request Method: GET Request URL: http://35.230.16.13:6868/druid/index.html Exception Value: Invalid HTTP_HOST header: '35.230.16.13:6868'. You may need to add '35.230.16.13' to ALLOWED_HOSTS. Request information: USER: [unable to retrieve the current user] GET: No GET data POST: No POST data FILES: No FILES data COOKIES: No cookie data META: HTTP_ACCEPT = '/' HTTP_ACCEPT_ENCODING = 'gzip' HTTP_ACCEPT_LANGUAGE = 'en' HTTP_CONNECTION = 'close' HTTP_HOST = '35.230.16.13:6868' HTTP_USER_AGENT = 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0 Information Security Team InfraSec Scanner' PATH_INFO = '/druid/index.html' QUERY_STRING = '' RAW_URI = '/druid/index.html' REMOTE_ADDR = '34.87.32.244' REMOTE_PORT = '49742' REQUEST_METHOD = 'GET' SCRIPT_NAME = '' SERVER_NAME = '0.0.0.0' SERVER_PORT = '6868' SERVER_PROTOCOL = 'HTTP/1.1' SERVER_SOFTWARE = 'gunicorn/20.1.0' The HTTP_USER_AGENT and the REMOTE_ADDR are the same in all 7000 requests. The path it is attempting to access changes, and it sometimes includes POST data with usernames and passwords at an attempt to login with default IDs (like username="admin" password="123321"). This is eating through my email allotment with Amazon SES, but I don't want to turn off error notifications. The site is set up wiht Cloudflare nameservers, but as the bot is hitting the IP it seems to be bypassing the firewalls. Am I able to block an IP at the server level through railway?
9 Replies
Percy
Percy8mo ago
Project ID: c69d7554-5299-4bf1-8e33-58cd68ebc682
Lewis981
Lewis9818mo ago
c69d7554-5299-4bf1-8e33-58cd68ebc682
Brody
Brody8mo ago
Am I able to block an IP at the server level through railway?
no, railway does not provide a firewall, you would want to block the traffic at cloudflare
Adam
Adam8mo ago
Given that the request is hitting your app at the IP level, it's not going through cloudflare That's extremely odd For now, turn off your email notifications. If your app is set up securely, you shouldn't have to worry about this I'm hesitant to ping in the team here as this is just a bot attack, nothing to get them involved in. It's just odd that your IP was hit The invalid host header error is a client side error, not server side. Not sure why you're recieving emails about that
Lewis981
Lewis9818mo ago
It's Django sending me emails, usually nice to know an error happened it gives me the traceback to help catch a bug. Unfortunately it's classifying the Disallowed host message as an error, which it isn't in this case. Its just doing it's job.I' I'm also being targeted on 4/5 websites - it's straneg enough that I did a malware scan but it showed nothing. strange*
Adam
Adam8mo ago
This sort of stuff isn't targeted usually, just a bot scraping the internet trying to find vulnerabilities
Lewis981
Lewis9818mo ago
The other three sites are just classic spam bots with account signup forms and contact forms. Adding a captcha solved those. Guessing it will die down once they realize they are getting nothing accomplished?
Adam
Adam8mo ago
You got it, once the bot has gone through its script it'll move on to the next site
Lewis981
Lewis9818mo ago
Sounds good. Thanks for the help!
Want results from more Discord servers?
Add your server