Attack on samsclass.info in Oct 2025

Symptoms

For about two weeks, I noticed that my site returned frequent "500 - Internal Server Error" messages.

Simply refreshing the page resolved the problem, but it seemed to gradually get worse, often requiring three or four refreshes.

Attack Traffic

I examined the server access logs and found a lot of malformed requests, as shown below, with long URLs containing many folder names in a random sequence.

Cloudflare's "Under Attack" Mode

My site is protected by Cloudflare's free plan, which offers only one defense, called "Under Attack". This mode presents each visitor with a browser challenge page (a JavaScript check, sometimes a CAPTCHA), letting through humans using a browser but blocking automated script-based clients that cannot complete the challenge.

This blocked more than 90% of the attack traffic, as shown below, making my site responsive again.

As shown in the image above, some of the attack traffic was still getting through.

The Wget Problem

If my site were only used as a regular Web page, this would have been fine. But many of the projects for my students require them to load content from my page with "wget", which Cloudflare's "Under Attack" mode blocked.

Since the attack traffic has a simple, obvious pattern (many folder names), I decided to try blocking it with a simple HAProxy scrubber.

Using a Scrubber

I rented a Debian cloud server, installed HAProxy, and configured it to block all requests with six or more / characters in the request path. I wrote up the procedure as a project here.
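To make the rule concrete before deploying it, here is an added example (my own code, not the HAProxy configuration from the project write-up) that replays the same "six or more slashes" check over access-log lines. The log lines are constructed in Apache combined format to mimic the deep, repetitive paths described above; the IP addresses, paths, and user agents are illustrative only. The example also shows two things a practitioner should check before trusting the rule: that a plain "wget" fetch of a normal path is untouched, and that an attacker who percent-encodes the slashes (%2F) would slip past a rule that only counts raw "/" characters.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache "combined"-format lines for illustration; they are not
# real samsclass.info log entries. The deep, repetitive paths mimic the
# "many folder names in a random sequence" pattern described in the post.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Oct/2025:10:01:12 +0000] "GET /123/proj/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Oct/2025:10:01:13 +0000] "GET /123/proj/p10/proj/p12/lessons/p14/p10/ HTTP/1.1" 500 512 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Oct/2025:10:01:14 +0000] "GET /lessons/proj/p10/123/p14/p12/proj/ HTTP/1.1" 500 512 "-" "Mozilla/5.0"
192.0.2.9 - - [20/Oct/2025:10:01:15 +0000] "GET /123/proj/p10/p12/p14/lessons/proj/p10/ HTTP/1.1" 500 512 "-" "python-requests/2.31"
203.0.113.5 - - [20/Oct/2025:10:01:16 +0000] "GET /123/proj/p10/file.txt HTTP/1.1" 200 2048 "-" "Wget/1.21"
192.0.2.9 - - [20/Oct/2025:10:01:17 +0000] "GET /123%2Fproj%2Fp10%2Fp12%2Fp14%2Flessons%2Fproj HTTP/1.1" 404 300 "-" "python-requests/2.31"
"""

# Apache/nginx "combined" log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def is_deep_path(target, threshold=6, decode_slashes=True):
    """True when the request path holds `threshold` or more '/' characters.

    The query string is ignored, matching HAProxy's `path` fetch. With
    decode_slashes=True, percent-encoded slashes (%2F) are counted as well,
    which closes an evasion a raw-path rule would miss.
    """
    path = target.split("?", 1)[0]
    if decode_slashes:
        path = unquote(path)
    return path.count("/") >= threshold


def classify_log(log_text, threshold=6, decode_slashes=True):
    """Replay each log line through the rule and report what it would block.

    Returns a dict with the blocked and allowed request tuples
    (ip, target, status, user-agent) and a per-IP count of blocked hits;
    the per-IP count is the quick way to see how many sources are involved.
    """
    blocked, allowed = [], []
    hits_by_ip = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip anything that is not a well-formed combined-log line
        rec = (m["ip"], m["target"], int(m["status"]), m["agent"])
        if is_deep_path(m["target"], threshold, decode_slashes):
            blocked.append(rec)
            hits_by_ip[m["ip"]] += 1
        else:
            allowed.append(rec)
    return {"blocked": blocked, "allowed": allowed, "hits_by_ip": hits_by_ip}


if __name__ == "__main__":
    for decode in (False, True):
        result = classify_log(SAMPLE_LOG, decode_slashes=decode)
        print(f"decode_slashes={decode}: blocked {len(result['blocked'])}, "
              f"allowed {len(result['allowed'])}")
        for ip, n in result["hits_by_ip"].most_common():
            print(f"  {ip}: {n} deep-path request(s)")
        for ip, target, status, agent in result["allowed"]:
            print(f"  allowed {ip} {status} {agent}: {target}")
```

The HAProxy equivalent, as I would write it rather than a copy of the project's configuration file, is an ACL such as `acl deep_path path_reg ^(/[^/]*){6}` followed by `http-request deny deny_status 403 if deep_path`; since HAProxy's `path` fetch is not URL-decoded, the `decode_slashes=True` behaviour corresponds to matching on `path,url_dec` instead. The rule is purely path-based, so wget, curl, and a browser are treated the same, which is exactly why it lets the student projects through; the cost is that any legitimate URL on the site deeper than five directories is blocked as well, so review the "allowed" and "blocked" lists from a day of real logs before pointing DNS at the scrubber.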

I changed my DNS record in Cloudflare to point to my scrubber, as shown below, and I turned off Cloudflare's "Under Attack" mode.

The scrubber is almost as effective at blocking attack requests, and allows "wget" requests, so this solution seems to be good for now.

Question: Why?

One outstanding question is what the purpose of this attack is. I don't think it was a serious attempt to bring my site down, because it never rendered it totally unavailable.

It seems more like some sort of scraper or crawler, perhaps gathering data for AI training, which is absurdly broken, concatenating folder names at random. But who would write such a thing, and just leave it going for weeks without noticing how broken it is?

I examined the source IP addresses and there were many source IPs, some from China, some from other countries, as if it's being sent from some large set of proxies.

If this is a widespread attack, perhaps others will figure out more about it. It seems pointless to me.

Posted 11-2-25