Good afternoon. At 11:57:26 (9:57:26 GMT), there was a log entry which said this company was scanning our VPS. This made it unresponsive with extremely high load for us until I had restarted the HTTPD service. The traffic was also coming from a lot of different IP addresses all by Microsoft. Is this normal?
184.108.40.206 - - [14/Jun/2022:11:57:26 +0200] "GET / HTTP/1.1" 200 275 "-" "Expanse, a Palo Alto Networks company, searches across the global IPv4 space multiple times per day to identify customers' presences on the Internet. If you would like to be excluded from our scans, please send IP addresses/domains to: firstname.lastname@example.org"
Hey yes that is totally normal, as soon as you put any public IP online you will get scanned by different scanner not just Palo Alto. I would suggest you to secure your external facing ip by adding strict security profile group to block or reset it at firewall.
To prevent it further you can add deny rule on top with EDL You can also add your custom EDL with this to add one off IP.
Palo Alto Networks - Known malicious IP addresses
Palo Alto Networks - Bulletproof IP addresses
Palo Alto Networks - High risk IP addresses
Thank you for your response. Unfortunately, I'm not sure if I can do that, because we're not part of the Palo Alto's network. That's the thing. We're renting our VPS-es at a webhosting company called TransIP, and we manage the servers ourselves. I'll probably have to ask with them in that case, but I'd still like to know if there is a way to prevent situations like these, where I'm running up to a forum for a company I've never heard of until now, and asking help for this topic. Is there any way to prevent this situation in the future?
How do you know that PaloAlto made your website unresponsive? You have a single log of a request of your index page, something hundreds or thousands of other bots are doing every day, and the PaloAlto bot is explicitly telling you who/what it is in the client header. It is part of PaloAlto's website categorization for threats/malware prevention and typically happens about once a day from one of a handful of PaloAlto IP blocks. It is annoying, but nothing about the request should slow down your website.
I would be looking at those hundreds of other requests and what they were access/trying to PUT.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!