WAF managed challenge bypassed?

Hello. We have managed challenge enabled for all requests to a subdomain; however, it seems like it is being bypassed. Looking at the solve rate confuses me, though, as it says they are not solving the challenge but they are still able to take down the domain.
No description
49 Replies
Frerduro
Frerduro2mo ago
So then how are they doing it? The entire subdomain is behind the managed challenge, there are no requests not coming from Cloudflare, and the firewall only allows CF IPs.
Frerduro
Frerduro2mo ago
No description
Frerduro
Frerduro2mo ago
It's not anything fancy, just match hostname.
Frerduro
Frerduro2mo ago
wait so is this how they are bypassing it?
No description
Frerduro
Frerduro2mo ago
Sigh... ok, how do I catch that bs?
Frerduro
Frerduro2mo ago
No description
Frerduro
Frerduro2mo ago
so this? Is there anything else you would do?
Frerduro
Frerduro2mo ago
No description
Frerduro
Frerduro2mo ago
My headers are weird.
Frerduro
Frerduro2mo ago
No description
Frerduro
Frerduro2mo ago
There are just so many though. How do I even do that? I have also been wanting to set up rate limiting, but I keep getting false positives on people when I try.
antargame
antargame2mo ago
Sloth is the best fr, this is next level support.
Frerduro
Frerduro2mo ago
It didn't do it. They are still not being given the challenge. Sloth never woke up it seems 😦
antargame
antargame2mo ago
Lol
Dmitry
Dmitry2mo ago
What seems to be the purpose of the attack? Are they trying to log in or something (to your panel), or is it just traffic meant to overwhelm your servers/site? Just curious 🙂 You said you got false positives with the Rate Limiting rule? How so? And they're still sending traffic, even though you have the managed challenge on the panel?
Frerduro
Frerduro2mo ago
https://pterodactyl.io/ Overwhelm the server.
Pterodactyl
Pterodactyl is an open-source game server management panel built with PHP, React, and Go. Designed with security in mind, Pterodactyl runs all game servers in isolated Docker containers while exposing a beautiful and intuitive UI to end users.
Frerduro
Frerduro2mo ago
I just kept getting ourselves triggered, as each server on ptero does multiple API calls to check CPU, RAM and network usage constantly. Yes, but they aren't "solving" the managed challenge. It seems like the random ports they use don't get blocked and still get forwarded to the server, even though those ports aren't even open.
Dmitry
Dmitry2mo ago
You can configure a WAF rule to skip the Rate Limit if it matches your server (IP, User Agent, etc.), btw 🙂
No description
Frerduro
Frerduro2mo ago
I am talking about my personal IP getting blocked, and my IP is dynamic.
Dmitry
Dmitry2mo ago
Can't you whitelist your IP's ASN (ISP provider)? Add it to the Skip Rate Limit rule 🙂
Frerduro
Frerduro2mo ago
I could yes but I would have to do that for every person who uses the panel.
Dmitry
Dmitry2mo ago
I mean, wouldn't that be worth it? 😄 Oh, you mean your customers... well, the rate limit should be configured so that enough requests can get through for legit requests. You wouldn't want it to be like 10 requests per 10 seconds, obviously. I'd prob set it to like, idk, 250/10 seconds or something; obv people spamming your site would hit that easily. But it sounds like you don't have something configured correctly if you still have requests coming in (with different ports). The domain rule should be working on panel.playavalon.net if you have that.
Frerduro
Frerduro2mo ago
I don't understand it. The ports are closed; only 80 & 443 are open.
Dmitry
Dmitry2mo ago
The ports don't have to be open. It's just telling you that they're sending requests to those ports; it doesn't mean they're open.
Dmitry
Dmitry2mo ago
Is this image from your WAF page?
No description
Dmitry
Dmitry2mo ago
This is just showing you a list of hosts... why do you think they went through?
Frerduro
Frerduro2mo ago
No description
Frerduro
Frerduro2mo ago
If I sort by status code 200, they still show up.
Dmitry
Dmitry2mo ago
If you go to your WAF event log, are there requests that are getting blocked/challenged, or are they all 200s?
Frerduro
Frerduro2mo ago
Some get blocked, some are allowed.
Dmitry
Dmitry2mo ago
What's the CSR?
Frerduro
Frerduro2mo ago
No description
Dmitry
Dmitry2mo ago
No description
Frerduro
Frerduro2mo ago
There have been WAAAY more than 16 mil requests.
Dmitry
Dmitry2mo ago
Ok, instead of Managed Challenge, change the action to an "Interactive Challenge". Maybe they're getting around the managed challenge (JS) somehow; that will show them a captcha.
Frerduro
Frerduro2mo ago
I already tried that.
Dmitry
Dmitry2mo ago
Hmm, ok. How many IPs/user agents are there? A lot of different ones, I'm assuming?
Frerduro
Frerduro2mo ago
No description
Frerduro
Frerduro2mo ago
idek how to show more than 15 without constantly excluding.
Dmitry
Dmitry2mo ago
So I would prob rely on the rate limiting rule, since they may be bypassing the captcha somehow? Try setting the rate limit to 500/10 seconds and then block for an hour. That's prob your best bet; they'll give up after a while, it won't be worth it if all their IPs are rate limited for an hour. There's no way someone doing legit requests on the frontend website is doing 500 requests per 10 seconds. I would love to see the logs for the requests that are 200 tho, if you can figure out how to get that somehow, like the full request headers. I ship all my request logs to Axiom personally, so I can search/log every request. You can prob log requests on your origin server, no?
Frerduro
Frerduro2mo ago
I have nginx logs.
Dmitry
Dmitry2mo ago
Ah yeah, check those. Are they sending some sort of Cloudflare cookie that would authorize them (past the captcha)? The cookie would prob be the same on all requests (I think?).
Dmitry
Dmitry2mo ago
cf_clearance cookie maybe?
No description
Frerduro
Frerduro2mo ago
The access log doesn't have that.
Dmitry
Dmitry2mo ago
Hmm? Uhhhh... they should. Can you share a full output of the headers, if you don't mind?
Frerduro
Frerduro2mo ago
Can I DM you the log file?
Dmitry
Dmitry2mo ago
Yeah sure, sec. Go ahead 🙂
Frerduro
Frerduro2mo ago
Upload speed sucks, gonna take a sec.
Rowin
Rowin4w ago
Ouch, this is good to know. Cloudflare should probably document that and/or add a host-without-the-port field.