Slow 404 bruteforce - how to address

I’m seeing such traffic in my reverse proxy logs:

"2025-07-22T00:52:57+02:00","20.225.136.34:62519",404,"https","nc.mydomain.tld","web-secure","-","/wordpress","nc@docker",404
"2025-07-22T00:58:21+02:00","20.225.136.34:55522",404,"https","nc.mydomain.tld","web-secure","-","/Wordpress","nc@docker",404
"2025-07-22T01:07:01+02:00","20.225.136.34:60668",404,"https","nc.mydomain.tld","web-secure","-","/WORDPRESS","nc@docker",404
"2025-07-22T01:11:24+02:00","20.225.136.34:57928",404,"https","nc.mydomain.tld","web-secure","-","/WordPress","nc@docker",404
"2025-07-22T01:19:41+02:00","20.225.136.34:58152",404,"https","nc.mydomain.tld","web-secure","-","/wp","nc@docker",404
"2025-07-22T01:22:03+02:00","20.225.136.34:61617",404,"https","nc.mydomain.tld","web-secure","-","/Wp","nc@docker",404
"2025-07-22T01:31:12+02:00","20.225.136.34:57062",404,"https","nc.mydomain.tld","web-secure","-","/WP","nc@docker",404
"2025-07-22T01:36:53+02:00","20.225.136.34:50870",404,"https","nc.mydomain.tld","web-secure","-","/old","nc@docker",404
"2025-07-22T01:41:51+02:00","20.225.136.34:60944",404,"https","nc.mydomain.tld","web-secure","-","/Old","nc@docker",404
"2025-07-22T01:44:31+02:00","20.225.136.34:63012",404,"https","nc.mydomain.tld","web-secure","-","/OLD","nc@docker",404
"2025-07-22T01:52:14+02:00","20.225.136.34:60277",404,"https","nc.mydomain.tld","web-secure","-","/oldsite","nc@docker",404
"2025-07-22T01:57:37+02:00","20.225.136.34:52875",404,"https","nc.mydomain.tld","web-secure","-","/new","nc@docker",404
"2025-07-22T02:03:37+02:00","20.225.136.34:49292",404,"https","nc.mydomain.tld","web-secure","-","/New","nc@docker",404
"2025-07-22T02:08:34+02:00","20.225.136.34:60821",404,"https","nc.mydomain.tld","web-secure","-","/NEW","nc@docker",404
"2025-07-22T02:16:07+02:00","20.225.136.34:55254",404,"https","nc.mydomain.tld","web-secure","-","/wp-old","nc@docker",404
"2025-07-22T02:20:43+02:00","20.225.136.34:51010",404,"https","nc.mydomain.tld","web-secure","-","/2022","nc@docker",404
"2025-07-22T02:30:17+02:00","20.225.136.34:50258",404,"https","nc.mydomain.tld","web-secure","-","/2023","nc@docker",404
"2025-07-22T02:34:08+02:00","20.225.136.34:49488",404,"https","nc.mydomain.tld","web-secure","-","/2024","nc@docker",404
"2025-07-22T02:39:11+02:00","20.225.136.34:61115",404,"https","nc.mydomain.tld","web-secure","-","/2017","nc@docker",404
"2025-07-22T02:43:55+02:00","20.225.136.34:59788",404,"https","nc.mydomain.tld","web-secure","-","/2020","nc@docker",404
"2025-07-22T02:50:30+02:00","20.225.136.34:59581",404,"https","nc.mydomain.tld","web-secure","-","/2019","nc@docker",404
"2025-07-22T02:54:58+02:00","20.225.136.34:51304",404,"https","nc.mydomain.tld","web-secure","-","/2018","nc@docker",404
"2025-07-22T03:04:38+02:00","20.225.136.34:59813",404,"https","nc.mydomain.tld","web-secure","-","/backup","nc@docker",404
"2025-07-22T03:13:40+02:00","20.225.136.34:55541",404,"https","nc.mydomain.tld","web-secure","-","/test","nc@docker",404
"2025-07-22T03:13:53+02:00","20.225.136.34:55006",404,"https","nc.mydomain.tld","web-secure","-","/Test","nc@docker",404
"2025-07-22T03:24:41+02:00","20.225.136.34:62108",404,"https","nc.mydomain.tld","web-secure","-","/TEST","nc@docker",404
"2025-07-22T03:31:09+02:00","20.225.136.34:57112",404,"https","nc.mydomain.tld","web-secure","-","/demo","nc@docker",404
"2025-07-22T03:34:20+02:00","20.225.136.34:49955",404,"https","nc.mydomain.tld","web-secure","-","/bc","nc@docker",404
"2025-07-22T03:40:41+02:00","20.225.136.34:51420",404,"https","nc.mydomain.tld","web-secure","-","/www","nc@docker",404
"2025-07-22T03:51:33+02:00","20.225.136.34:50759",404,"https","nc.mydomain.tld","web-secure","-","/WWW","nc@docker",404
"2025-07-22T03:54:26+02:00","20.225.136.34:56857",404,"https","nc.mydomain.tld","web-secure","-","/Www","nc@docker",404
"2025-07-22T03:59:33+02:00","20.225.136.34:65486",404,"https","nc.mydomain.tld","web-secure","-","/2021","nc@docker",404
"2025-07-22T04:08:09+02:00","20.225.136.34:53604",404,"https","nc.mydomain.tld","web-secure","-","/main","nc@docker",404
"2025-07-22T04:10:05+02:00","20.225.136.34:50981",404,"https","nc.mydomain.tld","web-secure","-","/old-site","nc@docker",404
"2025-07-22T04:16:58+02:00","20.225.136.34:49745",404,"https","nc.mydomain.tld","web-secure","-","/bk","nc@docker",404
"2025-07-22T04:25:00+02:00","20.225.136.34:58245",404,"https","nc.mydomain.tld","web-secure","-","/Backup","nc@docker",404
"2025-07-22T04:30:37+02:00","20.225.136.34:49725",404,"https","nc.mydomain.tld","web-secure","-","/BACKUP","nc@docker",404
"2025-07-22T04:34:59+02:00","20.225.136.34:61638",404,"https","nc.mydomain.tld","web-secure","-","/SHOP","nc@docker",404
"2025-07-22T04:42:57+02:00","20.225.136.34:51254",404,"https","nc.mydomain.tld","web-secure","-","/Shop","nc@docker",404
"2025-07-22T04:45:16+02:00","20.225.136.34:62350",404,"https","nc.mydomain.tld","web-secure","-","/shop","nc@docker",404
"2025-07-22T04:52:47+02:00","20.225.136.34:65209",404,"https","nc.mydomain.tld","web-secure","-","/bak","nc@docker",404
"2025-07-22T04:56:12+02:00","20.225.136.34:52474",404,"https","nc.mydomain.tld","web-secure","-","/sitio","nc@docker",404
"2025-07-22T05:02:47+02:00","20.225.136.34:59627",404,"https","nc.mydomain.tld","web-secure","-","/bac","nc@docker",404
"2025-07-22T05:05:52+02:00","20.225.136.34:57079",404,"https","nc.mydomain.tld","web-secure","-","/sito","nc@docker",404
"2025-07-22T05:13:09+02:00","20.225.136.34:54816",404,"https","nc.mydomain.tld","web-secure","-","/site","nc@docker",404
"2025-07-22T05:20:44+02:00","20.225.136.34:59056",404,"https","nc.mydomain.tld","web-secure","-","/Site","nc@docker",404
"2025-07-22T05:24:39+02:00","20.225.136.34:51451",404,"https","nc.mydomain.tld","web-secure","-","/SITE","nc@docker",404
"2025-07-22T05:28:56+02:00","20.225.136.34:50500",404,"https","nc.mydomain.tld","web-secure","-","/blog","nc@docker",404
"2025-07-22T05:35:52+02:00","20.225.136.34:58317",404,"https","nc.mydomain.tld","web-secure","-","/BLOG","nc@docker",404
"2025-07-22T05:42:12+02:00","20.225.136.34:54948",404,"https","nc.mydomain.tld","web-secure","-","/Blog","nc@docker",404

Obviously a brute-force scan is happening, but the rate seems to be slow enough that no alerts and decisions are triggered. What is the best approach to address such “slow brute force” scans?

Interesting case, yet we can handle this in a slow variant of http crawl non statics, for example. However, the issue arises that if you have a fast attack it will trigger both buckets.

Upon seeing your thread I thought it might be interesting to have a helper that can compute intervals over time so you can create a conditional bucket which cannot overlap with a traditional leaky version.

You can see some examples in the PR.

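To make the two ideas in the reply concrete (a slow leaky bucket that catches the scan above, and the problem that a fast scan would fill the slow bucket as well), here is a small stand-alone simulation. It is an added example written for this thread, not code from the thread, the PR or CrowdSec; CrowdSec scenarios are YAML, and this script only reproduces the bucket mechanics in Python. The sample input takes the first twelve lines of the log excerpt above and appends a constructed burst from 192.0.2.10 (an RFC 5737 documentation address). The bucket sizes, leak speeds and the 30-second minimum-interval rule used to keep burst traffic out of the slow bucket are assumptions chosen for the demonstration, not values from the page.

```python
import csv
from datetime import datetime
from io import StringIO

# Constructed sample: twelve lines from the poster's log excerpt (the slow scan)
# plus a made-up ten-request burst from 192.0.2.10 (a fast scan) for comparison.
SAMPLE_LOG = '''\
"2025-07-22T00:52:57+02:00","20.225.136.34:62519",404,"https","nc.mydomain.tld","web-secure","-","/wordpress","nc@docker",404
"2025-07-22T00:58:21+02:00","20.225.136.34:55522",404,"https","nc.mydomain.tld","web-secure","-","/Wordpress","nc@docker",404
"2025-07-22T01:07:01+02:00","20.225.136.34:60668",404,"https","nc.mydomain.tld","web-secure","-","/WORDPRESS","nc@docker",404
"2025-07-22T01:11:24+02:00","20.225.136.34:57928",404,"https","nc.mydomain.tld","web-secure","-","/WordPress","nc@docker",404
"2025-07-22T01:19:41+02:00","20.225.136.34:58152",404,"https","nc.mydomain.tld","web-secure","-","/wp","nc@docker",404
"2025-07-22T01:22:03+02:00","20.225.136.34:61617",404,"https","nc.mydomain.tld","web-secure","-","/Wp","nc@docker",404
"2025-07-22T01:31:12+02:00","20.225.136.34:57062",404,"https","nc.mydomain.tld","web-secure","-","/WP","nc@docker",404
"2025-07-22T01:36:53+02:00","20.225.136.34:50870",404,"https","nc.mydomain.tld","web-secure","-","/old","nc@docker",404
"2025-07-22T01:41:51+02:00","20.225.136.34:60944",404,"https","nc.mydomain.tld","web-secure","-","/Old","nc@docker",404
"2025-07-22T01:44:31+02:00","20.225.136.34:63012",404,"https","nc.mydomain.tld","web-secure","-","/OLD","nc@docker",404
"2025-07-22T01:52:14+02:00","20.225.136.34:60277",404,"https","nc.mydomain.tld","web-secure","-","/oldsite","nc@docker",404
"2025-07-22T01:57:37+02:00","20.225.136.34:52875",404,"https","nc.mydomain.tld","web-secure","-","/new","nc@docker",404
"2025-07-22T10:00:00+02:00","192.0.2.10:40001",404,"https","nc.mydomain.tld","web-secure","-","/scan01","nc@docker",404
"2025-07-22T10:00:00+02:00","192.0.2.10:40002",404,"https","nc.mydomain.tld","web-secure","-","/scan02","nc@docker",404
"2025-07-22T10:00:01+02:00","192.0.2.10:40003",404,"https","nc.mydomain.tld","web-secure","-","/scan03","nc@docker",404
"2025-07-22T10:00:01+02:00","192.0.2.10:40004",404,"https","nc.mydomain.tld","web-secure","-","/scan04","nc@docker",404
"2025-07-22T10:00:01+02:00","192.0.2.10:40005",404,"https","nc.mydomain.tld","web-secure","-","/scan05","nc@docker",404
"2025-07-22T10:00:02+02:00","192.0.2.10:40006",404,"https","nc.mydomain.tld","web-secure","-","/scan06","nc@docker",404
"2025-07-22T10:00:02+02:00","192.0.2.10:40007",404,"https","nc.mydomain.tld","web-secure","-","/scan07","nc@docker",404
"2025-07-22T10:00:02+02:00","192.0.2.10:40008",404,"https","nc.mydomain.tld","web-secure","-","/scan08","nc@docker",404
"2025-07-22T10:00:03+02:00","192.0.2.10:40009",404,"https","nc.mydomain.tld","web-secure","-","/scan09","nc@docker",404
"2025-07-22T10:00:03+02:00","192.0.2.10:40010",404,"https","nc.mydomain.tld","web-secure","-","/scan10","nc@docker",404
'''


def parse_events(text):
    """Parse the proxy's CSV lines (column order as in the excerpt) into
    (time, source_ip, status, path) tuples sorted by time."""
    events = []
    for row in csv.reader(StringIO(text)):
        if not row:
            continue
        when = datetime.fromisoformat(row[0])
        ip = row[1].rsplit(":", 1)[0]          # strip the client port
        events.append((when, ip, int(row[2]), row[7]))
    events.sort(key=lambda e: e[0])            # stable: equal timestamps keep file order
    return events


class LeakyBucket:
    """Per-source bucket: +1 per matching event, leaks one unit every leak_seconds."""

    def __init__(self, capacity, leak_seconds):
        self.capacity = capacity
        self.leak_seconds = leak_seconds
        self.level = 0.0
        self.last = None

    def add(self, when):
        """Record one event; return True (and reset) when the bucket overflows."""
        if self.last is not None:
            elapsed = (when - self.last).total_seconds()
            self.level = max(0.0, self.level - elapsed / self.leak_seconds)
        self.last = when
        self.level += 1.0
        if self.level > self.capacity:
            self.level = 0.0
            return True
        return False


def run_scenario(events, capacity, leak_seconds, min_interval=None):
    """Feed 404s through one bucket per source IP and return (time, ip, path) alerts.
    With min_interval set (hypothetical 'conditional bucket'), an event only counts
    when it arrives at least min_interval seconds after the previous one from the
    same source, so a burst is left to the fast bucket."""
    buckets, last_seen, alerts = {}, {}, []
    for when, ip, status, path in events:
        if status != 404:
            continue
        prev = last_seen.get(ip)
        last_seen[ip] = when
        if min_interval is not None and prev is not None \
                and (when - prev).total_seconds() < min_interval:
            continue
        bucket = buckets.setdefault(ip, LeakyBucket(capacity, leak_seconds))
        if bucket.add(when):
            alerts.append((when, ip, path))
    return alerts


def detect(text):
    """Run the three assumed configurations side by side."""
    events = parse_events(text)
    return {
        "fast": run_scenario(events, capacity=5, leak_seconds=1),
        "slow_plain": run_scenario(events, capacity=8, leak_seconds=3600),
        "slow_conditional": run_scenario(events, capacity=8, leak_seconds=3600, min_interval=30),
    }


if __name__ == "__main__":
    for name, alerts in detect(SAMPLE_LOG).items():
        print(name, [(t.isoformat(), ip, path) for t, ip, path in alerts])
```

Running it shows the three outcomes the reply describes: the fast bucket (5 requests, leaking one per second) never fills on the slow scan but overflows on the burst; the plain slow bucket (8 requests, leaking one per hour) overflows on the slow scan at the ninth request, and also on the burst, which is the "both buckets" overlap; the slow bucket with the minimum-interval condition still catches the slow scan but ignores the burst, leaving that to the fast bucket.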

Thank you for your answer. I’m not that deep into the product, and I fully trust your expertise. Just out of curiosity: what exactly is the problem if two buckets saturate in parallel?