I know this has been discussed thoroughly but I've taken the IP-ban approach and it's helping.
In my case, the server is running nginx but could be adapted to other sites with minor adjustments...
Code:
sudo cat /var/log/nginx/access.log | grep faq | grep " 200 " | awk '{print $1}' | sort | uniq
- Look for requests to our "frequently asked questions" page "faq"
- Look for successful page hits (filter out requests we've already filtered)
- Get the first field in the log, which is the IP address
- Sort the IP addresses and only return unique values
- This returns 2,300 unique IPs since midnight last night, 963 of which are part of the 47.x.x.x range. This is why blocking ALL of Alibaba Cloud IPs is essential to monitor this problem more closely. Fortunately, Alibaba must register these under its ASN, which can be found here: https://asn.ipinfo.app/list/AS45899. IPInfo kindly offers an nginx blacklist file, which is what was committed to the nginx conf file.
Now, I can go through the rest of the IP ranges using
Code:
https://ipinfo.io/<offending_ip>
and see how widespread the issue is by trying to figure out how often they're hammering us.
Statistics: Posted by tresf — Wed May 28, 2025 5:45 pm
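An added example, not part of the original post: one way to extend the pipeline above so it reports how often each address range is hitting the "faq" page, not only which IPs appeared. It assumes nginx's default "combined" log format; the function names are hypothetical and the sample log lines are constructed with documentation-range addresses.

```shell
#!/usr/bin/env bash
# Added example: count successful "faq" hits per first-octet range
# from an nginx access log in the default "combined" format (assumed).

# Constructed sample log lines (documentation addresses, not real traffic).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [28/May/2025:00:01:02 +0000] "GET /faq HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [28/May/2025:00:01:03 +0000] "GET /faq HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.11 - - [28/May/2025:00:01:09 +0000] "GET /faq?mode=bbcode HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [28/May/2025:00:02:00 +0000] "GET /faq HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [28/May/2025:00:02:01 +0000] "GET /faq HTTP/1.1" 403 200 "-" "Mozilla/5.0"
203.0.113.5 - - [28/May/2025:00:03:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
EOF
}

# Usage: faq_hits_by_prefix [logfile]   (reads stdin when no file is given)
# Output: "<range> <hits> <unique_ips>", busiest range first.
faq_hits_by_prefix() {
  awk '
    # In the combined format $7 is the request path and $9 the status code.
    # Testing $9 directly avoids also matching a response size of 200 bytes,
    # which a plain grep " 200 " would pick up (see the 403 line above).
    $9 == "200" && $7 ~ /faq/ {
      split($1, octet, ".")
      range = ($1 ~ /:/) ? "ipv6" : octet[1] ".x.x.x"
      hits[range]++
      if (!seen[$1]++) uniq_ips[range]++
    }
    END {
      for (range in hits)
        printf "%s %d %d\n", range, hits[range], uniq_ips[range]
    }
  ' "$@" | sort -k2,2nr -k1,1
}

# Demo on the constructed sample; on a real server pass the log path instead,
# e.g. faq_hits_by_prefix /var/log/nginx/access.log
sample_log | faq_hits_by_prefix
```

A range with many hits from few unique IPs points at a small number of aggressive clients, while many unique IPs with few hits each points at a distributed crawler.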