Constant Attacks = Blocking IP Range

Starting January 13th, 2023 I noticed one of my AWS servers CPU was maxing out for 5 minute intervals. On the hour and on every half hour. My server access log showed during those times, thousands of requests coming from an IP range. Apparently Wordfence normally takes care of these attacks, but after 3 days I’m still having these attacks. I set a block IP range (IP Range – 66.249.64.0-66.249.127.255) which in the span on a few hours blocked over 6,000 requests, as the attacks were coming from hundreds of address within that network mask. This solved my CPU issue.

Here is an example of one of the thousands of requests from the server access log: The IP’s used are all dynamic, so it’s not that easy to just block 1 or 2 IP’s.

66.249.66.195 – – [16/Jan/2023:23:21:22 +0000] “GET /?s=%E5%A8%81%E8%83%BD%E5%A8%B1%E4%B9%90%E5%9F%8E-%E3%80%90%E2%9C%94%EF%B8%8F%E6%8E%A8%E8%8D%90AC68%C2%B7CC%E2%9C%94%EF%B8%8F%E3%80%91-%E6%96%B0%E5%8A%A0%E5%9D%A1%E5%9C%A3%E6%B7%98%E6%B2%99%E6%88%BF%E4%BB%B7-%E5%A8%81%E8%83%BD%E5%A8%B1%E4%B9%90%E5%9F%8En9ym0-%E3%80%90%E2%9C%94%EF%B8%8F%E6%8E%A8%E8%8D%90AC68%C2%B7CC%E2%9C%94%EF%B8%8F%E3%80%91-%E6%96%B0%E5%8A%A0%E5%9D%A1%E5%9C%A3%E6%B7%98%E6%B2%99%E6%88%BF%E4%BB%B7w78t-%E5%A8%81%E8%83%BD%E5%A8%B1%E4%B9%90%E5%9F%8E58kc4-%E6%96%B0%E5%8A%A0%E5%9D%A1%E5%9C%A3%E6%B7%98%E6%B2%99%E6%88%BF%E4%BB%B7cnqz HTTP/1.1” 200 12671

The problem with blocking this particular subnet mask is Googlebot uses this same subnet mask as well. So I need a way to make sure those ones are not blocked. Which I’m not sure how to do.

Googlebot IP address within the same subnet IP that should not blocked:

“66.249.64.0/27
66.249.64.128/27
66.249.64.160/27
66.249.64.192/27
66.249.64.224/27
66.249.64.32/27
66.249.64.64/27
66.249.64.96/27