• Resolved lordsnake

    (@lordsnake)


    I will get emails like this, can you please explain the relevance of the USER IP that is mentioned at the bottom?

    If I check the WF firewall, Top IPs Blocked, this IP (92.204.221.135) is not mentioned, so it doesn't actually seem to have done anything according to the logs.

    Increased Attack Rate: The Wordfence Web Application Firewall has blocked 101 attacks over the last 10 minutes. Below is a sample of these recent attacks:

    September 25, 2022 1:38pm - 20.171.10.188 (United States) - Blocked for Known malicious User-Agents
    September 25, 2022 1:38pm - 20.171.10.188 (United States) - Blocked for Known malicious User-Agents
    September 25, 2022 1:38pm - 20.171.10.188 (United States) - Blocked for Known malicious User-Agents
    September 25, 2022 1:38pm - 20.171.10.188 (United States) - Blocked for Known malicious User-Agents
    September 25, 2022 1:38pm - 20.171.10.188 (United States) - Blocked for Known malicious User-Agents
    September 25, 2022 1:38pm - 20.171.10.188 (United States) - Blocked for Known malicious User-Agents
    September 25, 2022 1:38pm - 20.171.10.188 (United States) - Blocked for Known malicious User-Agents
    September 25, 2022 1:38pm - 20.171.10.188 (United States) - Blocked for Known malicious User-Agents
    September 25, 2022 1:38pm - 20.171.10.188 (United States) - Blocked for Known malicious User-Agents
    September 25, 2022 1:37pm - 20.171.10.188 (United States) - Blocked for Known malicious User-Agents
    
    User IP: 92.204.221.135
    User hostname: 135.221.204.92.host.secureserver.net
    User location: Strasbourg, France
Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @lordsnake, thanks for your message.

    The User IP will be the address that the increased activity or attack is detected as coming from by Wordfence. The increased activity may still not be enough to enter the IP into the Top IPs blocked list as there may be worse offenders.

    To track all activity, your best option is to visit the Live Traffic page, which can be filtered by IP amongst other values. You can enter the IP from your email there to narrow down the results, then clicking on the entries will expand them out and give you the reason why Wordfence blocked them. Rather than breaking your Brute Force/Rate Limiting rules, it appears from the message you received that a known malicious User-Agent value was used in this case.

    Thanks,

    Peter.

    Thread Starter lordsnake

    (@lordsnake)

    There are literally IPs that have made only 1 attempt showing in the “top IPs blocked”, but the one that supposedly caused the increased attack rate is nowhere to be seen.

    At the top of the list is an IP that had made 898 attacks, yet this one I don't get warned about?

    Plugin Support wfpeter

    (@wfpeter)

    Hi @lordsnake,

    I think after looking into it a little more this is actually a problem with the alert template in Wordfence Central. When sent directly by the plugin, there is no User IP, hostname, or location.

    So the IP 20.171.10.188 is the actual one the alert you received is about. The User IP in that case should be your server’s IP I believe, although without knowing your server IP take that as an assumption. I have passed this on to the development team to rectify in the formatting of the emails to make it clearer which IP was related to the alert in a near-future release.

    Thanks,

    Peter.
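
An added example, not part of the thread and not Wordfence code: a small parser that builds the list of addresses to look up in Live Traffic from the blocked-attack entries only, and keeps the footer's User IP apart, following the reply above. It assumes the alert body has the layout quoted in this thread with one entry per line; the sample text is constructed from that e-mail and the function names are hypothetical.

```python
import re
from collections import Counter

# Sample alert body, constructed from the e-mail quoted in this thread (shortened to 3 entries).
SAMPLE_ALERT = """\
Increased Attack Rate: The Wordfence Web Application Firewall has blocked 101 attacks over the last 10 minutes. Below is a sample of these recent attacks:
September 25, 2022 1:38pm - 20.171.10.188 (United States) - Blocked for Known malicious User-Agents
September 25, 2022 1:38pm - 20.171.10.188 (United States) - Blocked for Known malicious User-Agents
September 25, 2022 1:37pm - 20.171.10.188 (United States) - Blocked for Known malicious User-Agents

User IP: 92.204.221.135
User hostname: 135.221.204.92.host.secureserver.net
User location: Strasbourg, France
"""

# One sample entry: "<date> <time> - <ip> (<country>) - Blocked for <reason>"
ENTRY_RE = re.compile(
    r"^\s*(?P<when>\w+ \d{1,2}, \d{4} \d{1,2}:\d{2}[ap]m) - "
    r"(?P<ip>[0-9A-Fa-f:.]+) \((?P<country>[^)]*)\) - Blocked for (?P<reason>.+?)\s*$",
    re.M)
FOOTER_RE = re.compile(r"^\s*User (?P<key>IP|hostname|location):\s*(?P<val>.+?)\s*$", re.M)
TOTAL_RE = re.compile(r"has blocked (\d+) attacks over the last (\d+) minutes")

def parse_alert(body):
    """Split an alert body into blocked-request entries and footer metadata."""
    entries = [m.groupdict() for m in ENTRY_RE.finditer(body)]
    footer = {m["key"].lower(): m["val"] for m in FOOTER_RE.finditer(body)}
    total = TOTAL_RE.search(body)
    return {
        "blocked_total": int(total.group(1)) if total else None,
        "window_minutes": int(total.group(2)) if total else None,
        "blocked_ips": Counter(e["ip"] for e in entries),
        "reasons": Counter(e["reason"] for e in entries),
        "footer": footer,
    }

def ips_to_investigate(parsed):
    """Return IPs from the blocked entries only; the footer IP is never included."""
    return [ip for ip, _ in parsed["blocked_ips"].most_common()]

def footer_ip_is_unrelated(parsed):
    """True when the footer 'User IP' does not appear in any blocked entry."""
    ip = parsed["footer"].get("ip")
    return ip is not None and ip not in parsed["blocked_ips"]

if __name__ == "__main__":
    p = parse_alert(SAMPLE_ALERT)
    print(ips_to_investigate(p), p["footer"], footer_ip_is_unrelated(p))
```
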
