Issue
We are seeing an increase in malicious traffic coming from IP ranges that identify as "Huawei Cloud".
The requests use these four user agents (shown exactly as sent, including the "link Gecko" typo in two of them):
Mozilla/5.0 (Linux; Android 7.0; FRD-AL00 Build/HUAWEIFRD-AL00; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.49 Mobile MQQBrowser/6.2 TBS/043602 Safari/537.36 MicroMessenger/6.5.16.1120 NetType/WIFI Language/zh_CN
Mozilla/5.0(Linux;Android 5.1.1;OPPO A33 Build/LMY47V;wv) AppleWebKit/537.36(KHTML,link Gecko) Version/4.0 Chrome/42.0.2311.138 Mobile Safari/537.36 Mb2345Browser/9.0
Mozilla/5.0(Linux;U;Android 5.1.1;zh-CN;OPPO A33 Build/LMY47V) AppleWebKit/537.36(KHTML,like Gecko) Version/4.0 Chrome/40.0.2214.89 UCBrowser/11.7.0.953 Mobile Safari/537.36
Mozilla/5.0(Linux;Android 5.1.1;OPPO A33 Build/LMY47V;wv) AppleWebKit/537.36(KHTML,link Gecko) Version/4.0 Chrome/43.0.2357.121 Mobile Safari/537.36 LieBaoFast/4.51.3
Blocking by IP address is unrealistic and would effectively block all requests from China.
Resolution
If you have Acquia Cloud Edge, you can use firewall rules to challenge requests that match these user agents. The script below creates one JavaScript-challenge rule per user agent in each of the zones you list.
<?php
/**
 * Created by PhpStorm.
 * User: ciprianoancia
 * Date: 2020-01-14
 * Time: 10:46
 * HOWTO: Export your zones using cfcli zone:list --organization-filter "YOUR_TARGET_ORG" --format=csv
 * Copy and paste the IDs of the ACTIVE and Enterprise zones into $ids, one per line.
 * Add your credentials below.
 */
putenv("CF_XAuthEmail=YOUR_EMAIL_ADDRESS");
putenv("CF_XAuthKey=YOUR_API_KEYS");
$email = getenv("CF_XAuthEmail");
$key = getenv("CF_XAuthKey");
$ids = 'ADD_YOUR_ZONES_HERE';
// One zone ID per line; drop surrounding whitespace and empty lines.
$items = array_filter(array_map('trim', explode("\n", $ids)));

// The four user agents seen in the malicious traffic, copied exactly (including the "link Gecko" typo) because the filter uses an exact match.
$userAgents = [
    'Mozilla/5.0 (Linux; Android 7.0; FRD-AL00 Build/HUAWEIFRD-AL00; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.49 Mobile MQQBrowser/6.2 TBS/043602 Safari/537.36 MicroMessenger/6.5.16.1120 NetType/WIFI Language/zh_CN',
    'Mozilla/5.0(Linux;Android 5.1.1;OPPO A33 Build/LMY47V;wv) AppleWebKit/537.36(KHTML,link Gecko) Version/4.0 Chrome/43.0.2357.121 Mobile Safari/537.36 LieBaoFast/4.51.3',
    'Mozilla/5.0(Linux;U;Android 5.1.1;zh-CN;OPPO A33 Build/LMY47V) AppleWebKit/537.36(KHTML,like Gecko) Version/4.0 Chrome/40.0.2214.89 UCBrowser/11.7.0.953 Mobile Safari/537.36',
    'Mozilla/5.0(Linux;Android 5.1.1;OPPO A33 Build/LMY47V;wv) AppleWebKit/537.36(KHTML,link Gecko) Version/4.0 Chrome/42.0.2311.138 Mobile Safari/537.36 Mb2345Browser/9.0',
];

foreach ($items as $item) {
    foreach ($userAgents as $ua) {
        // Build the rule as an array and let json_encode() do the escaping; none of these user agents contain a double quote, so the filter literal needs no further escaping.
        $rule = [[
            'description' => 'Challenge',
            'filter' => [
                'expression' => '(http.user_agent eq "' . $ua . '")',
                'paused' => false,
                'description' => 'Challenge z894484.',
            ],
            'action' => 'js_challenge',
        ]];
        // Call the API with the curl extension instead of shell_exec(), so zone IDs and credentials never pass through a shell.
        $ch = curl_init('https://api.cloudflare.com/client/v4/zones/' . rawurlencode($item) . '/firewall/rules');
        curl_setopt_array($ch, [
            CURLOPT_POST => true,
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_HTTPHEADER => [
                'X-Auth-Email: ' . $email,
                'X-Auth-Key: ' . $key,
                'Content-Type: application/json',
            ],
            CURLOPT_POSTFIELDS => json_encode($rule, JSON_UNESCAPED_SLASHES),
        ]);
        $data = curl_exec($ch);
        if ($data === false) {
            echo "Zone $item: curl error " . curl_error($ch) . "\n";
        }
        curl_close($ch);
        print_r($data);
    }
}
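Before rolling out the rules, and again afterwards to confirm the challenge is keeping this traffic off the origin, it helps to count how many requests in the origin access log carry these exact user agents. The following is an added example, not part of the original article or the Acquia tooling: it parses combined-format access log lines, matches the four user agents exactly (the same semantics as the rule's eq operator, so the near-miss with "like Gecko" spelled correctly is not flagged), and tallies hits per agent and per client IP. The log lines and IP addresses are constructed sample data.

```python
import re
from collections import Counter

# The four user agents from the article, copied exactly (including the "link Gecko" typo).
BOT_USER_AGENTS = (
    "Mozilla/5.0 (Linux; Android 7.0; FRD-AL00 Build/HUAWEIFRD-AL00; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.49 Mobile MQQBrowser/6.2 TBS/043602 Safari/537.36 MicroMessenger/6.5.16.1120 NetType/WIFI Language/zh_CN",
    "Mozilla/5.0(Linux;Android 5.1.1;OPPO A33 Build/LMY47V;wv) AppleWebKit/537.36(KHTML,link Gecko) Version/4.0 Chrome/42.0.2311.138 Mobile Safari/537.36 Mb2345Browser/9.0",
    "Mozilla/5.0(Linux;U;Android 5.1.1;zh-CN;OPPO A33 Build/LMY47V) AppleWebKit/537.36(KHTML,like Gecko) Version/4.0 Chrome/40.0.2214.89 UCBrowser/11.7.0.953 Mobile Safari/537.36",
    "Mozilla/5.0(Linux;Android 5.1.1;OPPO A33 Build/LMY47V;wv) AppleWebKit/537.36(KHTML,link Gecko) Version/4.0 Chrome/43.0.2357.121 Mobile Safari/537.36 LieBaoFast/4.51.3",
)
BOT_UA_SET = frozenset(BOT_USER_AGENTS)

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    # Returns a dict of fields, or None for lines that are not in combined format.
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def summarise(lines):
    # Returns (matched, total_parsed, hits_per_user_agent, hits_per_client_ip).
    per_ua, per_ip = Counter(), Counter()
    total = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        if rec["ua"] in BOT_UA_SET:  # exact match, like the Cloudflare rule's eq operator
            per_ua[rec["ua"]] += 1
            per_ip[rec["ip"]] += 1
    return sum(per_ua.values()), total, per_ua, per_ip

# Constructed sample log lines (documentation-range IPs, not real client addresses).
SAMPLE_LOG = [
    f'203.0.113.10 - - [14/Jan/2020:10:46:01 +0000] "GET /node/1 HTTP/1.1" 200 5120 "-" "{BOT_USER_AGENTS[0]}"',
    f'203.0.113.10 - - [14/Jan/2020:10:46:02 +0000] "GET /node/2 HTTP/1.1" 200 4096 "-" "{BOT_USER_AGENTS[3]}"',
    f'203.0.113.22 - - [14/Jan/2020:10:46:03 +0000] "GET /user/login HTTP/1.1" 200 3000 "-" "{BOT_USER_AGENTS[1]}"',
    '198.51.100.7 - - [14/Jan/2020:10:46:04 +0000] "GET / HTTP/1.1" 200 7000 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36"',
    # Near miss: same device string with "like Gecko" spelled correctly; an exact match must not flag it.
    f'198.51.100.8 - - [14/Jan/2020:10:46:05 +0000] "GET / HTTP/1.1" 200 7000 "-" "{BOT_USER_AGENTS[1].replace("link Gecko", "like Gecko")}"',
]

if __name__ == "__main__":
    matched, total, per_ua, per_ip = summarise(SAMPLE_LOG)
    print(f"{matched} of {total} parsed requests used one of the listed user agents")
    for ip, n in per_ip.most_common():
        print(f"  {ip}: {n}")
```

To run it over a real log, replace SAMPLE_LOG with the lines of the file (for example `summarise(open("access.log"))`); a count that stays at zero after the rules are deployed confirms the challenge is being served at the edge.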