
Question Google Cloud Abuse from their entire IP space and Fail2ban Unable to block it

nisamudeen97

Regular Pleskian
Server operating system version
Ubuntu 22
Plesk version and microupdate number
Plesk Obsidian 18.0.72 Update #3
For the past few days we have been experiencing DDoS-like activity from Google Cloud (34.174.x.x), (34.128.0.0/10). We've reported 100s of IPs to them, but no action. This is across thousands of sites we host on different Plesk servers. Anyone else seeing this same behavior?
They are visiting different pages on the websites, and those are successful visits with a 200 code. It looks like some kind of scraping. I have already added the entire IP class to the fail2ban blacklist; however, I could still see access from those IP addresses.

Is there any effective solution for this? Kindly note that all our websites are behind the Cloudflare proxy.
 
We also observed high traffic volumes from that huge subnet. The simplest approach is to block it since you don't expect traffic from a different hosting company.

In your case, firewall blocking won't help since your firewall will see only Cloudflare IP addresses. You can block in nginx but it has to be in each server block. You can include a conf file in Additional Nginx directives or write an extension that adds the desired Nginx rules or include statement.

Another approach is to deploy Anubis/BotStopper which will present all visitors with a generic User-Agent with a verification page. Once the verification is passed, future requests presenting a specific cookie will bypass the verification page.
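
The reply's point that a ban on the connecting address only ever sees Cloudflare can be checked against the access log. This is an added example, not part of the thread or of Plesk; it assumes the nginx combined log format with a trailing `"$http_x_forwarded_for"` field, a partial list of Cloudflare ranges, and hypothetical helper names.

```python
import ipaddress
import re
from collections import Counter

BLOCKED_NET = ipaddress.ip_network("34.128.0.0/10")  # range named in the thread
# Assumption: partial Cloudflare proxy list for illustration; load the
# currently published list in real use.
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("162.158.0.0/15", "104.16.0.0/13", "172.64.0.0/13")]
# Assumed layout: nginx combined format plus a final "$http_x_forwarded_for".
LINE_RE = re.compile(r'^(?P<peer>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
                     r'"[^"]*" "[^"]*" "(?P<xff>[^"]*)"$')

def client_ip(peer_ip, xff):
    """Address to act on: the forwarded one only if the peer is a trusted proxy."""
    if not any(peer_ip in net for net in TRUSTED_PROXIES):
        return peer_ip  # direct connection: the header is client-supplied
    try:
        # The proxy appends the address it saw, so the last entry is the one to use.
        return ipaddress.ip_address(xff.split(",")[-1].strip())
    except ValueError:
        return peer_ip

def summarize(lines):
    """Return (requests a peer-address ban matches, Counter of real clients in range)."""
    peer_matches, real_clients = 0, Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            peer_ip = ipaddress.ip_address(m["peer"])
        except ValueError:
            continue
        peer_matches += peer_ip in BLOCKED_NET
        ip = client_ip(peer_ip, m["xff"])
        if ip in BLOCKED_NET:
            real_clients[str(ip)] += 1
    return peer_matches, real_clients

def make_line(peer, xff):
    """Build one constructed log line (sample data, not taken from the thread)."""
    return (f'{peer} - - [01/Jan/2025:00:00:00 +0000] "GET / HTTP/1.1" '
            f'200 512 "-" "Mozilla/5.0" "{xff}"')

SAMPLE = [make_line("162.158.10.5", "34.174.12.9"), make_line("172.64.3.7", "10.0.0.1, 34.150.8.20"),
          make_line("104.18.2.2", "203.0.113.7"), make_line("198.51.100.9", "34.174.1.1"),
          make_line("162.158.10.5", "34.174.12.9")]
```

On the constructed sample, no request has a connecting address inside 34.128.0.0/10, while three requests resolve to clients in that range once the forwarded address is read from a trusted proxy.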
 