When the Enterprise Shield firewall system was re-written, one of the things I worked on with Claude was the creation of an HTML dashboard that could share details on what and who was hitting the system.
One of the items I iterated through on this was a Surge Analysis, a view into hours when traffic against the firewall was completely off the charts. Well, that is starting to bear fruit.
The system has been absolutely hammered today from a number of sources, but most notably slamming into the Hyperscaler ruleset, which is more permissive than Azure (that's a separate nightmare).

These hours are completely out of spec compared with anything seen since the reporting system came online. Taking only the most recent example, the dashboard is designed to show when and where the attacks are coming from and how this traffic relates to traffic in the surrounding +/- 3h.

But it is also critical to see who is slamming their head into the firewall. In this instance, the surge is completely driven by visitors hiding behind the Cloudflare Warp VPN service. Cloudflare is a part of the Hyperscaler ruleset that begins dropping traffic once a limit for connections per minute is reached.

One thing you will notice is that no single Cloudflare Warp IP appears in the top-IP list; this attack is so distributed that it would fall below the detection threshold of per-CIDR-block monitoring.
Another surge shows a completely different source: the AbuseIPDB ruleset, which is based on the top 10K IPs that the AbuseIPDB API makes available for building rulesets.


While smaller in volume, it is very interesting to see that the firewall is able to segment this traffic by the ruleset that caught it. This example also shows a single mega bot server that drove all of the traffic from one IP.
It should also be pointed out that this was caught by the AbuseIPDB rules, not the Hyperscaler rules. AbuseIPDB rules precede the Hyperscaler rules for this very purpose: abusive IPs, regardless of the source, should be blocked.
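The two surge shapes above, the distributed one that no per-IP view catches and the single-box one attributed to the AbuseIPDB ruleset, can be reproduced with a small hourly analysis. This is an added example, not the Enterprise Shield dashboard's code; the log layout, ruleset names and the +/-3h median baseline with a 3x threshold are assumptions, and the sample records are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

# Constructed sample of firewall drop records, one per line: "<timestamp> <source IP> <ruleset>".
# The layout and ruleset names are assumptions modelled on the post, not the real log format.
SAMPLE_LOG = "\n".join(
    # quiet baseline: two drops every hour from 06:00 to 12:00
    [f"2024-05-01T{h:02d}:1{i}:00 198.51.100.{i} hyperscaler" for h in range(6, 13) for i in range(2)]
    # 09:00 surge: 40 drops from 40 distinct addresses (the distributed Warp-style pattern)
    + [f"2024-05-01T09:{i:02d}:00 203.0.113.{i} hyperscaler" for i in range(40)]
    # 11:00 surge: 30 drops, all from one address, caught by the AbuseIPDB ruleset
    + [f"2024-05-01T11:{i:02d}:00 192.0.2.7 abuseipdb" for i in range(30)]
)

def parse(log):
    """Yield (hour bucket, source IP, ruleset) for each record."""
    for line in log.splitlines():
        ts, ip, ruleset = line.split()
        yield datetime.fromisoformat(ts).replace(minute=0, second=0), ip, ruleset

def surge_hours(log, window=3, factor=3.0):
    """Return {hour: (drops, baseline)} for hours whose drop count exceeds
    `factor` x the median of the +/-`window` surrounding hours (median, so one
    neighbouring surge does not hide another)."""
    per_hour = Counter(hour for hour, _, _ in parse(log))
    surges = {}
    for hour, count in per_hour.items():
        neighbours = [per_hour.get(hour + timedelta(hours=d), 0)
                      for d in range(-window, window + 1) if d != 0]
        baseline = median(neighbours)
        if count > factor * max(baseline, 1):
            surges[hour] = (count, baseline)
    return surges

def attribute(log, hour):
    """Break one surge hour down: drops per ruleset, and the share of drops
    from the single busiest IP (near 1.0 = one box; near 0 = distributed)."""
    rules, ips = Counter(), Counter()
    for h, ip, ruleset in parse(log):
        if h == hour:
            rules[ruleset] += 1
            ips[ip] += 1
    return dict(rules), ips.most_common(1)[0][1] / sum(ips.values())

if __name__ == "__main__":
    for hour, (count, baseline) in sorted(surge_hours(SAMPLE_LOG).items()):
        rules, top_share = attribute(SAMPLE_LOG, hour)
        print(f"{hour:%H:00} surge: {count} drops vs baseline {baseline:.0f}; "
              f"rulesets={rules}; busiest IP share={top_share:.0%}")
```

The busiest-IP share is what separates the two cases: a share near zero means a top-IP list will never show the campaign, and the aggregation has to move up to the owning network or ruleset.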
Overall, this is a very interesting dataset to watch, observing all the attempts to scan, exploit, or attack a single home-hosted web server without a CDN. At this scale for a single server, I appreciate the work that bot mitigation and protection services do for the customers I work with daily.