• Resolved Sunfire

    (@chillsunfire)


    As of late I have noticed there’s been a significant increase in the blocks that Wordfence creates. This is not surprising as the client has been targeted before and I have adjusted the rate limiting to BLOCK with fairly restrictive limits.

    What IS surprising to me is that the exact same IP is showing as a separate block with the exact same time stamp. A sample of the log follows…


    Block Type Detail Rule Added Reason Expiration Block Count Last Attempt
    IP Block 91.108.241.124 April 29, 2025 7:10 am Exceeded the maximum number of page requests per minute for humans. May 4, 2025 7:10 am 1 April 29, 2025 7:10 am
    IP Block 91.108.241.124 April 29, 2025 7:10 am Exceeded the maximum number of page requests per minute for humans. May 4, 2025 7:10 am 0 Never
    IP Block 91.108.241.124 April 29, 2025 7:10 am Exceeded the maximum number of page requests per minute for humans. May 4, 2025 7:10 am 0 Never
    IP Block 91.108.241.124 April 29, 2025 7:10 am Exceeded the maximum number of page requests per minute for humans. May 4, 2025 7:10 am 0 Never
    IP Block 91.108.241.124 April 29, 2025 7:10 am Exceeded the maximum number of page requests per minute for humans. May 4, 2025 7:10 am 0 Never
    IP Block 91.108.241.124 April 29, 2025 7:10 am Exceeded the maximum number of page requests per minute for humans. May 4, 2025 7:10 am 0 Never
    IP Block 91.108.241.124 April 29, 2025 7:10 am Exceeded the maximum number of page requests per minute for humans. May 4, 2025 7:10 am 0 Never
    IP Block 91.108.241.124 April 29, 2025 7:10 am Exceeded the maximum number of page requests per minute for humans. May 4, 2025 7:10 am 0 Never
    IP Block 91.108.241.124 April 29, 2025 7:10 am Exceeded the maximum number of page requests per minute for humans. May 4, 2025 7:10 am 0 Never
    IP Block 91.108.241.124 April 29, 2025 7:10 am Exceeded the maximum number of page requests per minute for humans. May 4, 2025 7:10 am 0 Never
    IP Block 91.108.241.124 April 29, 2025 7:10 am Exceeded the maximum number of page requests per minute for humans. May 4, 2025 7:10 am 0 Never
    IP Block 91.108.241.124 April 29, 2025 7:10 am Exceeded the maximum number of page requests per minute for humans. May 4, 2025 7:10 am 0 Never
    IP Block 91.108.241.124 April 29, 2025 7:10 am Exceeded the maximum number of page requests per minute for humans. May 4, 2025 7:10 am 0 Never
    IP Block 91.108.241.124 April 29, 2025 7:10 am Exceeded the maximum number of page requests per minute for humans. May 4, 2025 7:10 am 0 Never
    IP Block 91.108.241.124 April 29, 2025 7:10 am Exceeded the maximum number of page requests per minute for humans. May 4, 2025 7:10 am 0 Never
    IP Block 91.108.241.124 April 29, 2025 7:10 am Exceeded the maximum number of page requests per minute for humans. May 4, 2025 7:10 am 0 Never
    IP Block 91.108.241.124 April 29, 2025 7:10 am Exceeded the maximum number of page requests per minute for humans. May 4, 2025 7:10 am 0 Never
    IP Block 91.108.241.124 April 29, 2025 7:10 am Exceeded the maximum number of page requests per minute for humans. May 4, 2025 7:10 am 0 Never
    IP Block 91.108.241.124 April 29, 2025 7:10 am Exceeded the maximum number of page requests per minute for humans. May 4, 2025 7:10 am 0 Never
    IP Block 91.108.241.124 April 29, 2025 7:10 am Exceeded the maximum number of page requests per minute for humans. May 4, 2025 7:10 am 0 Never
    IP Block 91.108.241.124 April 29, 2025 7:10 am Exceeded the maximum number of page requests per minute for humans. May 4, 2025 7:10 am 0 Never
    IP Block 91.108.241.124 April 29, 2025 7:10 am Exceeded the maximum number of page requests per minute for humans. May 4, 2025 7:10 am 0 Never
    IP Block 91.108.241.124 April 29, 2025 7:10 am Exceeded the maximum number of page requests per minute for humans. May 4, 2025 7:10 am 0 Never
    IP Block 91.108.241.124 April 29, 2025 7:10 am Exceeded the maximum number of page requests per minute for humans. May 4, 2025 7:10 am 0 Never
    IP Block 91.108.241.124 April 29, 2025 7:10 am Exceeded the maximum number of page requests per minute for humans. May 4, 2025 7:10 am 0 Never
    IP Block 91.108.241.124 April 29, 2025 7:10 am Exceeded the maximum number of page requests per minute for humans. May 4, 2025 7:10 am 0 Never
    IP Block 91.108.241.124 April 29, 2025 7:10 am Exceeded the maximum number of page requests per minute for humans. May 4, 2025 7:10 am 0 Never
    IP Block 91.108.241.124 April 29, 2025 7:10 am Exceeded the maximum number of page requests per minute for humans. May 4, 2025 7:10 am 0 Never
    IP Block 91.108.241.124 April 29, 2025 7:10 am Exceeded the maximum number of page requests per minute for humans. May 4, 2025 7:10 am 0 Never
    IP Block 91.108.241.124 April 29, 2025 7:10 am Exceeded the maximum number of page requests per minute for humans. May 4, 2025 7:10 am 4 April 29, 2025 7:10 am

    How is it possible that the exact same IP is being blocked MULTIPLE TIMES at the exact same timestamp?

    And is there anything I can do (whether in the website or at the hosting level) to curb such behavior? It’s happening on a near-hourly basis and bogging down the server with excessive requests such that the site times out for legitimate users.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @chillsunfire, thanks for reaching out.

    What Rate Limiting settings do you have for “If anyone’s requests exceed”, “If a human’s page views exceed”, and “If a human’s pages not found (404s) exceed”? I’m assuming from the block length shown it’s implementing a 5 day block when one of the rules is broken.

    Wordfence, as an endpoint firewall, cannot stop a bot or human from trying to visit your website altogether, but rather deals with the visits appropriately based on your settings and their behavior. Usually high volume hits such as this are done with no prior knowledge of the platform or plugins you’re running. If the hits are causing high CPU/bandwidth use even when rate limiting is active, your host may be able to help by adjusting the server firewall – or you can implement blocks for troublesome IPs in .htaccess, or a CDN like Cloudflare (if present) to stop them reaching the site. In a case such as that, Wordfence won’t see the IP as they’ll have been stopped before PHP loads.

    Thanks,
    Peter.

    Thread Starter Sunfire

    (@chillsunfire)

    As I mentioned, yes, my Rate Limiting rules are a bit strict. To answer your specifics, they are set to 240, 120, and 60, respectively. And yes, I implemented a 5 day block.

    I do understand that Wordfence is only dealing with the traffic that actually makes it to our website. We are using Cloudflare and have hardened our server to only accept traffic coming from CF IPs.

    What I’m asking is, how can the same IP have a dozen different blocks at the same timestamp? Why not just have a single block with a high incidence count?

    Plugin Support wfpeter

    (@wfpeter)

    Thanks @chillsunfire for that information. I just wanted to check they weren’t excessively strict settings before making a call on what’s happening.

    It certainly appears that a large number of requests were being processed at the same time. It’s pretty unusual to have that many, which may just mean your hosting company is less restrictive than others when it comes to allowing simultaneous requests to be processed from the same IP.

    As several block records were created less than a second apart, the first one started to trigger actual blocks and counted them. However, as these take small amounts of processing time to complete, the 4 subsequent blocks appear to have taken place after some other uncounted requests, as it took a fraction longer to return a count. Bear in mind this all happened within the same second though.

    You could check the access logs to confirm that IP address was hitting the site repeatedly at the same time. If any IP addresses that have done this previously are similar, you could block a range of IPs manually. Using the WHOIS Lookup from Live Traffic is a good way to quickly find the range. Duplicate blocks can be unblocked manually or just left to expire.

    We can’t prevent duplicates like this without adding some form of locking, which could make the web server hang during periods of high traffic as the processes would be waiting for the lock to release instead of processing in parallel as they do currently.

    Many thanks,
    Peter.
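
The access-log check suggested in the reply above, as an added example that is not part of the original thread or Wordfence's code: it counts requests per IP per second in a combined-format access log and reports same-second bursts. The sample lines are constructed (documentation IP ranges), and the script assumes the first log field is the visitor IP; behind Cloudflare that is only true if the server restores it from the `CF-Connecting-IP` header (for example with Apache mod_remoteip or the nginx realip module).

```python
import re
from collections import Counter
from datetime import datetime

# First field = client IP, bracketed field = timestamp (combined log format).
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')

def _line(ip, ts, path):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts} +0000] "GET {path} HTTP/1.1" 200 512 "-" "-"'

# Constructed sample, not taken from the thread; IPs are documentation ranges.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", "29/Apr/2025:07:10:02", f"/?p={i}") for i in range(30)]
    + [_line("198.51.100.9", "29/Apr/2025:07:10:02", "/"),
       _line("198.51.100.9", "29/Apr/2025:07:10:05", "/about/"),
       "truncated or malformed line"]
)

def same_second_bursts(log_text, threshold=5):
    """Return [(ip, iso_second, hits)] where one IP made >= threshold
    requests within a single second, busiest first."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        try:
            second = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # unparseable timestamp
        hits[(m.group(1), second.isoformat())] += 1
    bursts = [(ip, sec, n) for (ip, sec), n in hits.items() if n >= threshold]
    return sorted(bursts, key=lambda b: (-b[2], b[0], b[1]))

if __name__ == "__main__":
    for ip, sec, n in same_second_bursts(SAMPLE_LOG):
        print(f"{ip} made {n} requests during {sec}")
```

A burst count close to the number of duplicate block rows for the same second is consistent with the parallel-processing explanation given in the reply.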

    Thread Starter Sunfire

    (@chillsunfire)

    Thanks for the follow-up Peter. I looked at the logs again today – at one point the same IP had 30 different blocks listed in Wordfence with the same timestamp.

    Since we have it so all the traffic should be going through CF, I went back there to check settings and verify things like rate limiting and Bot mitigation were in place and functioning. They are configured as I would expect, so I may just need to dig deeper and refine it.

    It’s helpful to know that these multiple blocks are functioning as intended (slight delay) and not broken. Thanks.

    And yes, for now I am just letting the duplicate entries expire and adding a Permanent block on the entry that has recorded multiple hits, especially if they continued to hit more than 48 hours later (hence the 5 day lockout). Although these permanent blocks on specific IPs don’t seem to matter as the bots or attackers are rotating IPs regularly… it’s still helpful in my monitoring process.


The topic ‘Multiple blocks – same IP, same timestamp’ is closed to new replies.