kreynen, 3 months ago

@mikemccaffrey this probably won't help in your use case, but Pantheon customers paying for their Advanced Global CDN (partially unlocked Fastly access) can block the source of "malicious" requesters at that level. In addition to the traffic limit changes, there are also changes coming to the AGCDN pricing. Hopefully those changes will made it more affordable for smaller organizations.

mikemccaffrey, 3 months ago

@kreynen Is there an interface for managing that?

kreynen, 3 months ago

@mikemccaffrey yes, but not all configurations/VCL options can be done as self-service... and similar to my motivation for writing https://www.drupal.org/project/pantheon_autopilot_toolbar, you can't actually navigate to https://agcdn.ps-pantheon.com/ through the Pantheon's UI. The Edge Cache icon in the left hand navigation of the Pantheon Dashboard links to a page promoting the AGCDN and telling you to contact your sales person... even if you are paying for it.

jurgenhaas, 3 months ago

@mikemccaffrey
There is @CrowdSec to solve this problem. And the #drupal integration at https://www.drupal.org/project/crowdsec allows you to use their shield and also automatically ban any IP for a configurable period of time, if they're crawling your site that way. E.g. after 3 consecutive 404s, banned.

#drupal #pantheon

mikemccaffrey, 3 months ago

@jurgenhaas @CrowdSec Interesting. I wonder if returning a 403 error would be any more effective than the 404 errors it is already ignoring.

jurgenhaas, 3 months ago

@mikemccaffrey @CrowdSec
Actually, it takes all 4xx request responses into account.

froboy, 3 months ago

@mikemccaffrey can you block the user agent? Also, related, #Pantheon made some big announcements related to overages today: https://pantheon.io/blog/enhanced-pantheon-overage-policy-traffic-limits-and-pricing

mikemccaffrey, 3 months ago

@froboy Define "block". I can tell the crawler is this idiot because it has been crawling the same non-existent .html addresses for over five years now, but all I can do it return errors at it which it ignores.

Archnemysis, 3 months ago

@mikemccaffrey @froboy You would need to do the block at the CDN layer before it ever gets to pantheon to avoid the traffic hitting pantheon. Cloudflare has decent bot management tools you can use beyond just blocking a specific IP. My guess is it would easily identify this crawler and every script kiddie trying to reach wp-login.

Archnemysis, 3 months ago

@mikemccaffrey @froboy The pro plan @ $25/month would likely be sufficient: https://www.cloudflare.com/learning/bots/what-is-bot-management/ but if the customer is on performance medium at Pantheon facing a performance large, the Cloudflare business plan @ $250/month would still be more cost effective.