The URLs are random but when they do hit the site it is to example.com. The visited URLs are often random, nonsense sites.
The originating host names and IPs are random. The originating locations are random. The Browser UAs are random. Anything that can be used to block them at the firewall or block them using WF is random.
Bishkek, Kyrgyzstan visited https://172.98.77.186/
5/29/2019 2:04:32 PM (10 minutes ago)
IP: 193.106.49.83 Hostname: Pool-5-193.106.49.83.o.kg
Browser: Chrome version 0.0 running on WinVista
Mozilla/5.0 (Windows NT 6.0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Lima, Peru visited https://www.incorporatedcrmclothesbikini.net/
5/29/2019 2:02:43 PM (15 minutes ago)
IP: 179.6.196.229 Hostname: 179.6.196.229
Kyiv, Ukraine visited https://172.98.77.186/
5/29/2019 2:01:56 PM (16 minutes ago)
IP: 93.73.76.181 Hostname: complimenting-blossom.volia.net
Browser: Chrome version 56.0 running on MacOSX
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Some (but not many) of them I was able to block using the UA, like this one:
Syria was blocked for UA/Referrer/IP Range not allowed at https://172.98.77.186/
5/29/2019 1:59:53 PM (21 minutes ago)
IP: 5.0.180.138 Hostname: 5.0.180.138
Human/Bot: Bot
Browser: undefined
Go-http-client/1.1
The above was blocked using WF custom pattern “Go-http-client/1.1”
How can I determine the true originating IPs? I’m sure WF would love to add them to their block list.
RN I have the site throttling the visits per minute using WF. Therefore the site is usable but using unnecessary resources, of course.
Any help tracking, or finding and blocking these idiots would be appreciated.
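Added example, not part of the original post: a small triage script that parses entries in the layout shown above and sorts them by the host in the requested URL, since the post says client IPs, locations and UAs are all random. SITE_HOSTS (the site's own names, taken here as example.com and www.example.com) and the last sample entry are assumptions made for illustration; the UA pattern is the one quoted in the post.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

SITE_HOSTS = {"example.com", "www.example.com"}  # assumption: the site's own names
BLOCKED_UA = re.compile(r"Go-http-client/1\.1")  # custom pattern quoted in the post
# Two entries copied from the post, then one constructed entry for contrast.
SAMPLE = """\
Lima, Peru visited https://www.incorporatedcrmclothesbikini.net/
5/29/2019 2:02:43 PM (15 minutes ago)
IP: 179.6.196.229 Hostname: 179.6.196.229
Syria was blocked for UA/Referrer/IP Range not allowed at https://172.98.77.186/
5/29/2019 1:59:53 PM (21 minutes ago)
IP: 5.0.180.138 Hostname: 5.0.180.138
Human/Bot: Bot
Browser: undefined
Go-http-client/1.1
Constructed City visited https://example.com/
IP: 192.0.2.10 Hostname: 192.0.2.10
Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/67.0
"""

HEAD = re.compile(r"^.+? (?:visited|was blocked for .+? at) (https?://\S+)$")
META = re.compile(r"^(\d+/\d+/\d{4} |IP: |Browser: |Human/Bot: )")

def host_kind(url):
    host = urlsplit(url).hostname or ""
    if host in SITE_HOSTS:
        return "site"
    try:
        ip_address(host)
    except ValueError:
        return "foreign-host"  # a name that is not ours
    return "bare-ip"           # request addressed to an IP literal

def triage(text):
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if m := HEAD.match(line):
            entries.append({"url": m.group(1), "ip": "", "ua": ""})
        elif entries and line.startswith("IP: "):
            entries[-1]["ip"] = line.split()[1]
        elif entries and not META.match(line):
            entries[-1]["ua"] = line  # the only unlabelled line is the raw UA
    rows = []
    for e in entries:
        kind, ua_hit = host_kind(e["url"]), bool(BLOCKED_UA.search(e["ua"]))
        rows.append((e["ip"], kind, ua_hit, kind != "site" or ua_hit))
    return rows  # (client_ip, host_kind, ua_blocked, reject) per entry
```

Both entries taken from the post come out as rejectable on the requested host alone, without relying on the client IP or UA.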