All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
2a05:dfc1:5801:3::d Wget requests hitting my site hard!! Help needed
Hi, I was on holiday for sometime and found out my site got hit from this particular ip
2a05:dfc1:5801:3::d
from June 6th onward.
Since my site is behind Cloudflare I just put that ip in block list and it stopped the inflated traffic. The CF stats shows the following:
the ip sent 578.76K requests in 24 hours to my site's various pages.
request to html pages were cached by CF and served, but other files like json, or dynamic files were bypass by CF and hit my origin causing site to slow down as it hit CPU limits.
From the above screenshots, it was Wget request by method HEAD. not even GET requests.
Can anyone shed light on this? there is no User-agent associated with it. IP belongs to DataForest in Germany.
As of today the site is working back to normal as I've blocked the ip range.
Comments
Do you have crowdsec enable?
On my case, I've been receiving a lot of HEAD requests from OVH and Hetzner IPs (Sometimes from Huawei Cloud), so I now block all HEAD requests and it's gone now.
Contact the abuse email about it, I looked it up one says it's dataforest and another said it was [email protected] (Portugal)
Wordpress?
WNDP - WebNegócio Lda? Did @jar acquire that along with MyW?
you are lucky the AI bots have not started hitting your site yet.
The ipv6 belongs in Portugal, not Germany but still uses the same ASN (AS58212). I usually have CloudFlare to block all hosting/VPN/proxy servers from reaching my main server
yes
dataforest only has Germany
yeah.. I checked it:
https://bgp.he.net/ip/2a05:dfc1:5801:3::d#_whois
@jar if that IP belongs to myw.pt.. I was myw's customer. but moved my site to another host in Feb. Why would i get W/get requests from that ip (if probably belongs to MyW/WNDP WebNegócio Lda.) now?
Do you still have the WP files in Jar's myw account? If yes, login to DA and rename the plugins folder to _plugins or something.
block all wget,curl,python, and empty useragents with cloudflare(or redirect to static page like honeypot)
some php script running on myw?
I can think of a wealth of reasons. Especially if you had something running on the server against the domain and its DNS changed. Doing a wget against one’s own site to trigger wp-cron is quite common. Any chance you were doing that? Any chance it’s still running?
thanks Jar for replying and hinting. well, indeed i logged into MyW DA panel, and there are 4 Wget cron jobs running pointing to my same url that was hosted with MyW earlier. I've disabled those cron jobs, removed the IPv6 from CF firewall, and now lets see if it still sends wget requests. I hope this will resolve issue.
So what were those cron jobs supposed to do and why did they end up sending 578.76K requests in 24 hours?
24000 rsync backups an hour, obviously
I warned you all that this IPv6 stuff was dangerous...
So you were the culprit.
Wait till you deploy IPv9.
I had Google Veo 3 hallucinate on what that might look like:
https://files.catbox.moe/l2hrpg.mp4
The calls come from inside the house!
By moved, do you just mean copy and didn't remove from myw?
Edit: answered already.