K980
October 5, 2020, 5:15pm
My domain is: https://www.rama.com/cs-cz/cz
My web server is (include version): Azure App Service
The operating system my web server runs on is (include version): Azure App Service
My hosting provider, if applicable, is: Azure
We are receiving tens of thousands of 404s on the following URL, but we do not use LetsEncrypt for any of our SSLs currently on the site (the site management was recently inherited)
/cs-cz/cz.well-known/acme-challenge/ibjbdRKWfovPq_63Mnu2RSE5UbTaTemn7th9rV7C3cg
Any ideas where this is coming from and how to stop it?
Regards,
K.
Welcome to the Let's Encrypt Community
Someone (not necessarily anyone you know) is attempting to obtain certificates from an ACME-compliant CA that include your domain name(s). There are multiple ACME-compliant CAs, so there's no guarantee it's Let's Encrypt from what you've mentioned, but very well could be. The certificate-seekers could have a crontab or other scheduling mechanism that is attempting to renew certificates that include your domain name(s). We will try to help you out.
@lestaff
Executive Summary
The entire certificate history for rama.com at crt.sh only includes cPanel and Sectigo certificates.
"tens of thousands of 404s"
It looks like the path is malformed due to a missing / in /cs-cz/cz.well-known/acme-challenge/
Possibly attempting to certify a URI?
They recently inherited management of the site.
I pinged you because I am concerned about this sideways "DOS attack". Any way of sourcing this?
Pertinent?
K980
October 5, 2020, 6:11pm
Thanks for the fast response. Per sourcing, do you mean which IP it is coming from? Or is this meant for the lestaff?
Yes, among other things.
It is, but you're certainly welcome to volunteer any information you can.
If you happen to have any certbot logs that correspond, that would be immensely helpful.
K980
October 5, 2020, 6:22pm
Here is some of the user agent data we received:
| UserAgent | CsUriStem | CIp | CsHost | Aggregatedvalue |
|---|---|---|---|---|
| Go-http-client/1.1 | /cs-cz/cz.well-known/acme-challenge/ibjbdRKWfovPq_63Mnu2RSE5UbTaTemn7th9rV7C3cg | 152.195.139.54 | www.rama.com | 99208 |
| Go-http-client/1.1 | /cs-cz/cz.well-known/acme-challenge/wjmoPY3llQIdX0NKVHqAyyWP6PlCdKy-f6vrIKbY7vs | 152.195.138.242 | www.rama.com | 99191 |
| Go-http-client/1.1 | /cs-cz/cz.well-known/acme-challenge/ac6sqUGEHc-X5iHtaG-5w5PrQp-Ho4k9d4rRUyrfpug | 152.195.139.18 | www.rama.com | 99191 |
| Go-http-client/1.1 | /sk-sk/sk.well-known/acme-challenge/a44A2mYO-fYA28_SDryengZpQ_klNn2XsBCZ6xYV7vE | 152.195.138.214 | www.rama.com | 99145 |
| Go-http-client/1.1 | /sk-sk/sk.well-known/acme-challenge/WXd1rcX67SFUN_ZDCb2qozuDuujOv5Z34U9fGxSa19o | 152.195.139.67 | www.rama.com | 99139 |
| Go-http-client/1.1 | /sk-sk/sk.well-known/acme-challenge/bxSyT9QE3ifeswcV2eJGoH9DpcBh1KHY8TRYDqvbDQc | 152.195.138.247 | www.rama.com | 99116 |
K980
October 5, 2020, 6:29pm
Thanks for the help. This is an example of why the LetsEncrypt community has such a great reputation
Thank you for the kind compliment. We try our best.
The staff can be quite busy, so I thank you for your patience on their behalf.
K980
October 5, 2020, 6:35pm
No worries! Any progress we can get on this is appreciated.
I have to run for a bit, but I will stay on top of this topic and check back later.
K980
October 5, 2020, 6:52pm
Thanks. I am encouraging a WAF (Web Application Firewall) to be put in place as well if we can't get to the source of this.
I can confirm this traffic is not from Let's Encrypt.
K980
October 5, 2020, 8:04pm
Thank you so much, we will take this up with a WAF/security measures
K980
October 5, 2020, 8:43pm
Thanks everyone. Feel free to close this ticket.
system
Closed
November 4, 2020, 8:46pm
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.