Hosting & Domaining Forum

Hosting Discussion => Cloud Hosting => Topic started by: SimonaBrinkmann on Aug 22, 2024, 12:37 AM

Title: Not a DDoS: Urgent Need for Security Expert Against Site Scanning
Post by: SimonaBrinkmann on Aug 22, 2024, 12:37 AM
Hey there!

Our website is getting hammered by something. At first we thought it was just a regular DDoS, so we hooked up with Cloudflare and switched the site's IP address.

But the problem persists, and the CDN doesn't consider it an attack. The only thing that's working is limiting the number of requests from a single IP. The support guys say it's not an attack, but something called low-frequency punching of the site by a vulnerability scanner that's bypassing our NS.

The thing is, where do we even start looking for a specialist who can set up something to protect us from this kind of thing? Who deals with this kind of stuff if not the CDN support or hosting admins?

Thanks a lot!

Title: Re: Not a DDoS: Urgent Need for Security Expert Against Site Scanning
Post by: jamesanderson11 on Aug 22, 2024, 02:28 AM
What you're describing sounds like a stealthy kind of attack or vulnerability probing that doesn't trigger the usual alarms from your CDN, like Cloudflare. These low-frequency scans can be tricky because they don't generate the kind of traffic spike that you'd see in a typical DDoS, but they're still causing trouble for your site.

First off, you're on the right track with limiting the number of requests from a single IP. That's a good temporary measure to prevent your server from getting overwhelmed, but it's not a long-term solution, especially if the scanner is smart enough to switch IPs or use a distributed approach.

Now, onto finding the right specialist. Since this isn't a standard attack and more of a vulnerability scan or probing issue, you're gonna need someone with expertise in a few specific areas:

Web Application Firewall (WAF) Specialist: WAFs are designed to filter and monitor HTTP requests to and from a web application. A specialist in this area can help set up more advanced rules that can detect and block unusual patterns, even if they're not outright attacks. They might work directly with Cloudflare's WAF or help you configure a different one if needed.

Security Consultant with Focus on Penetration Testing: A good penetration tester would be able to simulate the kind of probing you're experiencing and help you understand where your vulnerabilities are. They can also suggest or implement protections specifically aimed at the kind of low-frequency scans you're seeing.

Network Security Engineer: This person would have a deep understanding of how your network is configured, and could help set up more robust intrusion detection systems (IDS) or intrusion prevention systems (IPS). These tools can spot suspicious activity that might not be high-volume enough to trigger traditional DDoS protections but is still malicious.

DevOps Engineer with Security Expertise: A DevOps engineer who specializes in security could also be useful. They could automate the response to these scans, tightening security on the server side, optimizing your configurations, and deploying solutions that keep your system resilient against this kind of probing.

To find these specialists, there are a few routes you could take:

Freelance Platforms: Websites like Upwork or Toptal have a wide range of security experts. You can post a job describing your issue and look for someone who has experience with web application firewalls, penetration testing, or network security.

Security Consultancies: There are firms that specialize in cybersecurity for websites. They often have a team that can address various aspects of your problem. Look for those with good reviews and case studies that show they've dealt with similar issues.

Forums and Communities: Communities like Stack Overflow, Reddit (e.g., r/netsec), or specialized forums like Web Hosting Talk can be useful for recommendations. Sometimes, you can even find consultants who hang out in these spaces.

Referrals from Your Hosting Provider: Since your hosting provider's support team is aware of the issue but can't handle it, they might have a list of specialists or companies they recommend for deeper security work.

Once you find someone, make sure they're not just a "one-size-fits-all" kind of consultant. You need someone who'll dig into the specifics of your setup and tailor the solution to your particular vulnerabilities. Also, ask them about long-term strategies, not just patching the immediate issue. Preventative measures are always better than constantly firefighting new problems.
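
The first post says a per-IP request limit is the only thing that helps, and this reply warns that a scanner can simply switch addresses. Here is an added example (not code from anyone in this thread) of the kind of detection a WAF or IDS rule has to do instead: it reads ordinary access-log lines and reports addresses that stay far below any rate limit yet collect many distinct 404s, and paths that are probed once each by many addresses. The log lines, thresholds and function names (`parse_line`, `analyse`) are constructed for the example; it assumes nginx/Apache combined log format and that the logged address is the visitor's address rather than a CDN edge node.

```python
"""Flag low-rate vulnerability probing that a per-IP request limit lets through.

Added example, not code from this thread. It assumes nginx/Apache "combined"
access-log lines and that the logged address is the visitor's address (behind
Cloudflare that means restoring it from CF-Connecting-IP with the real_ip
module first; otherwise every request appears to come from an edge node).
SAMPLE_LOG, the thresholds and the function names are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one slow scanner (198.51.100.7), one ordinary visitor
# (203.0.113.5) and three unrelated addresses probing the same path once each.
SAMPLE_LOG = """\
198.51.100.7 - - [22/Aug/2024:00:00:10 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Aug/2024:00:00:12 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Aug/2024:00:00:13 +0000] "GET /style.css HTTP/1.1" 200 880 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Aug/2024:00:00:13 +0000] "GET /app.js HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.10 - - [22/Aug/2024:00:03:41 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.7 - - [22/Aug/2024:00:05:10 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Aug/2024:00:05:30 +0000] "GET /about HTTP/1.1" 200 4010 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Aug/2024:00:10:10 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.11 - - [22/Aug/2024:00:12:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "curl/8.4.0"
198.51.100.7 - - [22/Aug/2024:00:15:10 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Aug/2024:00:15:44 +0000] "GET /contact HTTP/1.1" 200 3900 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Aug/2024:00:20:10 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.12 - - [22/Aug/2024:00:24:57 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Go-http-client/1.1"
198.51.100.7 - - [22/Aug/2024:00:25:10 +0000] "GET /backup.zip HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return ip/time/path/status for one combined-format line, or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"].split("?", 1)[0],   # drop the query string
        "status": int(m["status"]),
    }


def analyse(lines, rate_limit_per_min=60, min_probe_paths=5, min_ips_per_path=3):
    """Two views of the same log that a per-IP rate limit alone cannot give.

    slow_scanners: addresses that stay under rate_limit_per_min yet collect
        many distinct 404s, the signature of a scanner walking a wordlist.
    probed_paths:  404 paths requested by many distinct addresses, which is
        how the same scan looks once it is spread over a pool of addresses.
    """
    by_ip = defaultdict(list)
    ips_per_404_path = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # unparsable line, skip it
        by_ip[rec["ip"]].append(rec)
        if rec["status"] == 404:
            ips_per_404_path[rec["path"]].add(rec["ip"])

    slow_scanners = {}
    for ip, recs in by_ip.items():
        times = [r["time"] for r in recs]
        span_min = max((max(times) - min(times)).total_seconds() / 60, 1.0)
        rate = len(recs) / span_min
        probe_paths = sorted({r["path"] for r in recs if r["status"] == 404})
        if len(probe_paths) >= min_probe_paths and rate < rate_limit_per_min:
            slow_scanners[ip] = {
                "requests": len(recs),
                "rate_per_min": round(rate, 2),
                "probe_paths": probe_paths,
            }

    probed_paths = {path: len(ips) for path, ips in ips_per_404_path.items()
                    if len(ips) >= min_ips_per_path}
    return {"slow_scanners": slow_scanners, "probed_paths": probed_paths}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG.splitlines())
    for ip, info in report["slow_scanners"].items():
        print(f"slow scanner {ip}: {info['requests']} requests at "
              f"{info['rate_per_min']}/min, probes {info['probe_paths']}")
    for path, n in report["probed_paths"].items():
        print(f"path {path} probed by {n} distinct addresses")
```

On the constructed log the scanner makes six requests in 25 minutes, about 0.24 per minute, which no sane rate limit would touch, yet it is the only address with six distinct 404 paths; the three single-request addresses are invisible per IP but show up together under the path they share. Either signal is something a WAF rule or an IDS can act on, and neither depends on volume.
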
Title: Re: Not a DDoS: Urgent Need for Security Expert Against Site Scanning
Post by: EnsurdyrorE on Aug 22, 2024, 08:52 AM
Is the IP fresh and not exposed? Was there anything "interesting" on it before?

There are services online that give you a complete list of IPs a domain was hosted on before, even from 3-5 years back. If the attack is intentional and manual - Cloudflare won't help much, as the attacker might know the old IPs and attack one of them after checking if the site is still up on those addresses, bypassing Cloudflare.

One option: try to block in the frontend config (or better - with a firewall) all access except from Cloudflare IP addresses. It might be useful!
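
The origin allowlist this reply suggests, as an added example (not the poster's code and not Cloudflare's): it checks whether a connecting address belongs to the CDN's published edge ranges and generates both the nginx allow/deny block and an nftables rule set from the same list. Cloudflare publishes its ranges one CIDR per line at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6; the `RANGE_TEXT` below is a constructed placeholder (RFC 5737 / RFC 3849 documentation networks) so the script runs offline, and the function names are mine.

```python
"""Restrict an origin to Cloudflare's edge ranges and generate the rules.

Added example, not code from this thread or from Cloudflare. Cloudflare
publishes its edge ranges one CIDR per line at https://www.cloudflare.com/ips-v4
and https://www.cloudflare.com/ips-v6; RANGE_TEXT below is a constructed
placeholder using documentation networks (RFC 5737, RFC 3849) so the script
runs offline. Replace it with the live lists before generating real rules, and
refresh it on a schedule, because the published ranges change.
"""
import ipaddress

RANGE_TEXT = """\
# constructed placeholder; swap in the downloaded ips-v4 / ips-v6 files
198.51.100.0/24
203.0.113.0/24
2001:db8::/32
"""


def load_ranges(text):
    """Parse a one-CIDR-per-line list, ignoring blank lines and # comments."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=True))
    return nets


def is_allowed(ip, nets):
    """True if the connecting address is inside one of the edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def nginx_snippet(nets):
    """server{}-context block: allow the edge, deny everyone else, and restore
    the visitor address from CF-Connecting-IP so rate limits and logs key on
    the visitor rather than on the edge node (ngx_http_realip_module)."""
    out = ["# generated: only the CDN edge may reach this origin"]
    out += [f"allow {net};" for net in nets]
    out.append("deny all;")
    out += [f"set_real_ip_from {net};" for net in nets]
    out.append("real_ip_header CF-Connecting-IP;")
    return "\n".join(out)


def nftables_snippet(nets, ports=(80, 443)):
    """Host-firewall version (load with `nft -f`): drop web-port traffic whose
    source is outside the edge sets; other services are left untouched."""
    port_set = "{ " + ", ".join(str(p) for p in ports) + " }"
    sets, rules = [], []
    for version, proto, typ in ((4, "ip", "ipv4_addr"), (6, "ip6", "ipv6_addr")):
        members = ", ".join(str(n) for n in nets if n.version == version)
        if not members:
            continue                      # no ranges of this family: no set, no rule
        sets.append(f"  set cdn_v{version} {{ type {typ}; flags interval; "
                    f"elements = {{ {members} }} }}")
        rules.append(f"    tcp dport {port_set} {proto} saddr != @cdn_v{version} drop")
    return "\n".join([
        "table inet origin_guard {", *sets,
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        *rules,
        "  }",
        "}",
    ])


if __name__ == "__main__":
    nets = load_ranges(RANGE_TEXT)
    print(nginx_snippet(nets))
    print(nftables_snippet(nets))
    for probe in ("203.0.113.9", "192.0.2.1"):
        print(probe, "allowed" if is_allowed(probe, nets) else "blocked")
```

The firewall rule is the one that actually closes the door the reply describes: nginx's `deny all` only answers after the TCP and TLS handshakes have already reached the server, which still tells a direct prober that something is listening on the old address, whereas the nftables drop makes the web ports look dead to anyone who is not the CDN. Keep both generated from the same refreshed list so they never disagree.
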
Title: Re: Not a DDoS: Urgent Need for Security Expert Against Site Scanning
Post by: BarryV on Aug 22, 2024, 11:12 AM
You're not going to do anything.

If these requests are low-frequency and look just like regular user requests, and they come from different IP addresses, there's really nothing you can do.

Why does it even matter to you?

They're just scanning. So what? Bots hit your site every single day; has it made any difference to you?

Usually, my logs are always full of attempts to log in, even with things like fail2ban in place. They keep trying with their 123456 passwords from like a million different locations...