Blocking WARP attacks coming through Cloudflare

Nodeloc has been laggy to open for a while now; I've been busy and haven't had time to look into it.

These past few days I've been planning to migrate the server, and during the migration I noticed it was abnormally sluggish even in the small hours, so I took a look at the logs.

I found a large number of abnormal requests coming from Cloudflare.

```
2024/04/16 01:57:38 [warn] 59#0: *806 a client request body is buffered to a temporary file /usr/local/nginx/client_body_temp/0000001083, client: 172.64.236.45, server: www.nodeloc.com, request: "POST / HTTP/1.1", host: "www.nodeloc.com", referrer: "https://www.nodeloc.com/"
2024/04/16 01:57:38 [warn] 59#0: *802 a client request body is buffered to a temporary file /usr/local/nginx/client_body_temp/0000001084, client: 172.64.236.45, server: www.nodeloc.com, request: "POST / HTTP/1.1", host: "www.nodeloc.com", referrer: "https://www.nodeloc.com/"
2024/04/16 01:57:39 [warn] 59#0: *1234 a client request body is buffered to a temporary file /usr/local/nginx/client_body_temp/0000001085, client: 172.64.236.44, server: www.nodeloc.com, request: "POST / HTTP/1.1", host: "www.nodeloc.com", referrer: "https://www.nodeloc.com/"
2024/04/16 01:57:39 [warn] 59#0: *1235 a client request body is buffered to a temporary file /usr/local/nginx/client_body_temp/0000001086, client: 172.64.236.90, server: www.nodeloc.com, request: "POST / HTTP/1.1", host: "www.nodeloc.com", referrer: "https://www.nodeloc.com/"
2024/04/16 01:57:40 [warn] 59#0: *599 a client request body is buffered to a temporary file /usr/local/nginx/client_body_temp/0000001087, client: 172.64.236.126, server: www.nodeloc.com, request: "POST / HTTP/1.1", host: "www.nodeloc.com", referrer: "https://www.nodeloc.com/"
2024/04/16 01:57:40 [warn] 59#0: *997 a client request body is buffered to a temporary file /usr/local/nginx/client_body_temp/0000001088, client: 172.64.236.126, server: www.nodeloc.com, request: "POST / HTTP/1.1", host: "www.nodeloc.com", referrer: "https://www.nodeloc.com/"
2024/04/16 01:57:41 [warn] 62#0: *447 a client request body is buffered to a temporary file /usr/local/nginx/client_body_temp/0000001089, client: 172.64.236.90, server: www.nodeloc.com, request: "POST / HTTP/1.1", host: "www.nodeloc.com", referrer: "https://www.nodeloc.com/"
2024/04/16 01:57:41 [warn] 59#0: *1242 a client request body is buffered to a temporary file /usr/local/nginx/client_body_temp/0000001090, client: 172.64.236.90, server: www.nodeloc.com, request: "POST / HTTP/1.1", host: "www.nodeloc.com", referrer: "https://www.nodeloc.com/"
2024/04/16 01:57:41 [warn] 59#0: *723 a client request body is buffered to a temporary file /usr/local/nginx/client_body_temp/0000001091, client: 172.64.236.158, server: www.nodeloc.com, request: "POST / HTTP/1.1", host: "www.nodeloc.com", referrer: "https://www.nodeloc.com/"
2024/04/16 01:57:41 [warn] 59#0: *480 a client request body is buffered to a temporary file /usr/local/nginx/client_body_temp/0000001092, client: 172.64.236.45, server: www.nodeloc.com, request: "POST / HTTP/1.1", host: "www.nodeloc.com", referrer: "https://www.nodeloc.com/"
```

Nodeloc is already behind CF, yet the requests coming in are from CF itself, which shows that some troublemaker is using WARP to hammer it with packets non-stop.

The fix for this kind of attack is simple: just blacklist the whole CF range.

In CF's WAF, block everything with `ASN = 13335`.

Problem solved.
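An added example (not from this thread) of the detection side of the above: it parses nginx warn lines in the format quoted earlier, counts buffered `POST /` bodies per client IP, keeps only clients inside a Cloudflare range, and rolls them up per /24 so the abusive block is visible at a glance. The log lines are constructed, and `172.64.0.0/13` is assumed from Cloudflare's published IPv4 list (it contains the 172.64.236.0/24 seen above); check the current list before relying on it.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in the format of the nginx warn entries quoted above
# (example host and shortened temp-file path; the real ones carry the full path).
SAMPLE_LOG = """\
2024/04/16 01:57:38 [warn] 59#0: *806 a client request body is buffered to a temporary file /tmp/0000001083, client: 172.64.236.45, server: www.example.com, request: "POST / HTTP/1.1", host: "www.example.com", referrer: "https://www.example.com/"
2024/04/16 01:57:38 [warn] 59#0: *802 a client request body is buffered to a temporary file /tmp/0000001084, client: 172.64.236.45, server: www.example.com, request: "POST / HTTP/1.1", host: "www.example.com", referrer: "https://www.example.com/"
2024/04/16 01:57:39 [warn] 59#0: *1234 a client request body is buffered to a temporary file /tmp/0000001085, client: 172.64.236.45, server: www.example.com, request: "POST / HTTP/1.1", host: "www.example.com", referrer: "https://www.example.com/"
2024/04/16 01:57:39 [warn] 59#0: *1235 a client request body is buffered to a temporary file /tmp/0000001086, client: 172.64.236.90, server: www.example.com, request: "POST / HTTP/1.1", host: "www.example.com", referrer: "https://www.example.com/"
2024/04/16 01:57:40 [warn] 59#0: *599 a client request body is buffered to a temporary file /tmp/0000001087, client: 172.64.236.45, server: www.example.com, request: "POST /api/upload HTTP/1.1", host: "www.example.com", referrer: "https://www.example.com/"
2024/04/16 01:57:40 [warn] 59#0: *997 a client request body is buffered to a temporary file /tmp/0000001088, client: 203.0.113.7, server: www.example.com, request: "POST / HTTP/1.1", host: "www.example.com", referrer: "https://www.example.com/"
"""

# Pulls the client IP and the request line out of one nginx warn/error entry.
LINE_RE = re.compile(r'client: (?P<ip>[0-9a-fA-F.:]+), .*?request: "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')

# Assumption: 172.64.0.0/13 is taken from Cloudflare's published IPv4 list (it
# contains the 172.64.236.0/24 seen in the thread); refresh from the current list.
CF_RANGES = [ip_network("172.64.0.0/13")]

def parse_line(line):
    """Return (client_ip, method, path) for one entry, or None if it does not match."""
    m = LINE_RE.search(line)
    return (m.group("ip"), m.group("method"), m.group("path")) if m else None

def is_cloudflare(ip):
    addr = ip_address(ip)
    return any(addr in net for net in CF_RANGES)

def suspicious_posters(log_text, threshold=2):
    """Count buffered 'POST /' bodies per client; return Cloudflare-range clients at/above threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, method, path = parsed
        if method == "POST" and path == "/" and is_cloudflare(ip):
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def by_subnet(flagged, prefixlen=24):
    """Roll flagged clients up into /24 buckets, the granularity discussed in the thread."""
    buckets = Counter()
    for ip, n in flagged.items():
        buckets[str(ip_network(f"{ip}/{prefixlen}", strict=False))] += n
    return dict(buckets)
```

Feed it the real error log on a schedule and the resulting per-/24 counts are what you would hand to a WAF rule or an API-driven blocklist instead of eyeballing the log.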

Okay.

Could you post a screenshot of the settings?

@"[unknown user]"#p22962

8526bfd0fdf52e50f46382f213297f06.png

@"[unknown user]"#p22967 Nice approach.

Got it.

CF is still pretty good; it's just that its IPs have been abused to death.

CF, the great benefactor.

CF really is a benefactor.

CF is really nice; if only they offered a student discount.

@"[unknown user]"#p23134 Skip the discount, wouldn't it be better to just make it free for them :huaji08:

So that's why I got blocked. Luckily I know how to get around the firewall to log in. Lao Zhan, look at my IP, it's exactly the AS13335 you blocked.

The signature is so obvious. A POST attack, that's an attack from 10 years ago. When have you ever seen **flarum** legitimately need to **POST** to the root directory /? :huaji08:

I went from exploring the HTTP/2 flaw **Rapid Reset** amplification attack all the way to **CVE-2023-44487**. Didn't expect Lao Zhan to still be defending against **HTTP/1.1** **POST** attacks.

172.64.236.0/24, going by CF's official allocation pattern, is clearly the same city. Doesn't Lao Zhan have an active defense system? Just collect the attack logs on a schedule and push them to the cloud via the API to blacklist them. Spotting attacks by reading logs by hand is so inefficient.


Also, I roughly know how 小学生 took down the forum backend last time: apart from saturating the bandwidth, if CPU and memory can't be maxed out, there are still ways to max out PPS/connections and crash the backend. With skill, one can also exploit protocol flaws for amplification attacks, plus bypass the matching limits to overwhelm the backend. This POST attack can only be called primary-school level.

Also

> @"小学生"[#p9793](https://www.nodeloc.com/d/1239/7) CF's logic is flawed; that rate limit is just for show to script kiddies, a professional stress test from a single node breaks through it just the same, and I only used a 1C1G machine.

Now I know where the logic flaw is. :huaji09:

@"[unknown user]"#p23175 :huaji09: Did you bypass CF's WAF directly?

Actually I hadn't looked at the logs in a long time, because this attack never had much effect; I only noticed it while switching servers, haha.

So has the big shot finished cultivating, leveled up, and now emerged from seclusion?

@"[unknown user]"#p23177

No no no. In times of peace you stay in seclusion; only in times of chaos do you come out. :huaji03:

@"[unknown user]"#p23177 >!The firewall rules were set up with muddled logic and didn't account for some special cases, which is the only reason a bypass could be found. It's not that I'm awesome :huaji08:!<

@"[unknown user]"#p23154 Wouldn't it be better for the paid tier to simply be free for students?