DDoS prevention tips.
I am pretty new to Cloudflare and would appreciate tips on how to effectively deal with DDoSing. My domains and subdomains are all proxied through Cloudflare. It seems like even when I am using Under Attack Mode my website still suffers heavily from DDoSing. Any advice would be helpful and I would be glad to give any relevant information on my deployment. Thanks in advance.
40 Replies
Considering the amount of DDoSing I am dealing with, would it make sense to upgrade to Pro for DDoS protection?
If your site is being attacked and you've enabled Under Attack Mode, and you're still experiencing your origin going down, you might not be secured with Cloudflare.
Make sure your DNS records are set to "Proxied", create Rate Limiting rules (https://dash.cloudflare.com/?to=/:account/:zone/security/waf/rate-limiting-rules) and make sure Bot Fight Mode is enabled (https://dash.cloudflare.com/?to=/:account/:zone/security/bots/configure).
Check your server logs. If you are seeing attacks from any IP that's not on Cloudflare's IP list, then your origin IP is exposed. https://cloudflare.com/ips
I promise you that it is being proxied
My attackers got the origin IP of my server before I put up a firewall only allowing inbound requests from my home network and Cloudflare's listed IP addresses
so I changed the origin IP AND put up a firewall preventing any access from random IP addresses
Basically, I already am proxied and have a firewall preventing IP access from non-Cloudflare IPs
And Bot Fight mode is on
All this is before asking this question ^^^
I did take your suggestion and just now enabled a rate limit
I will see how that does
If you're on a Pro or higher plan level, you can open an Under Attack ticket and @ me with the ticket number.
Apart from that, I can check on the traffic for the domain but I absolutely cannot divulge any specifics except for recommending generic mitigation.
Alright, thanks. I was thinking of getting a Pro plan anyways
I'll let you know if enabling the rate limit will stop them. If it doesn't I'll buy Pro and make a ticket.
will read and implement.
In their first attacks, despite spamming nearly a billion requests, they seemed to have not been effective
because of under attack mode
that's the problem
yeah
you are right
and I would get access to official support tailored to my needs
but they changed up their attack
still, visualization would be helpful
yes
I did country blocking since that's the main thing I can see
yes give me a second
wait, maybe I should block IPv6
yup
the user agents!
there's a lot with those user agents
the random characters
look at the IPs
now the thing is I have rate limiting on my Django project
also
what action is best?
alright, thanks man
now we wait
and see
You know I swear I recognize ur profile somewhere lol
You are also in the AWS Discord right?
I don't think it's official lol
So it seems like this and the rate limit @cfbrandon suggested are working pretty well
it's because the attacker wasn't even attempting to make realistic user agents
they will probably realize it's not working and switch it up
but until then it's working pretty well
@Loski unfortunately I'm still being DDoSed pretty heavily
@Brandon | Support Engineer
ok
looks like they were targeting an API
so I added it to the WAF rate limit
big whoopsie on that one
the rate limit is what's best tho
that's been saving me the most
@Sloth hey what's up, I was getting DDoSed again and remembered you gave me good advice to help mitigate it
I was wondering if you could give me some more advice now because whoever was doing it came back and became smarter
yessir
I am not but I am willing to upgrade probably
here look
an example
they DDoS all on the query string ?id=1
so I just started blocking every single request with id=1
I need to like force every request to go through a JS challenge
I thought that's what Under Attack Mode did but I was wrong
@Sloth
The user agents are valid user agents
and they are randomized
I think I already give challenges to HTTP/1.1
yeah look
the rule is named after you
because you said i should put this in LOL
@Sloth
it's already been in there
the only reason my backend isn't like
severely crippled rn
is because I blocked all their requests on /?id=1
yeah
I used to have it
on a different domain
it was pretty nice
@Sloth question
if the WAF goes in order
how come this is not blocked by the HTTP version filter I have
it's blocked by a different rule
wait, I know why
it only blocks if the user agent also does not contain Mozilla
so I'll remove that for now
yeah that worked really well for me @Sloth good call out
all of those requests were on HTTP/1.1
lucky. my attacks and legit traffic are all HTTP/2
The people attacking me are dumb
Idek who they are
But they are attacking the same query
So I can just block that if I wanted to
LOL
Mine seem to be bypassing managed challenges completely, it doesn't even say they solve them
Wtf
#WAF managed challenge bypassed?
That’s wild
and that's one of my tiny attacks
It’s probably something with ur config
Why r u getting attacked
Do you know?
probably the YT channel that owns us ¯\_(ツ)_/¯
I am having a really tough time managing my issue; they look like legit browser sessions, they have legit-looking referers, a very diverse user agent source, diverse headers
is there any way in Cloudflare to like
look at the TLS fingerprints
or something
or a way to like block IPs if they pass a certain amount of rules broken
idk :/
what I used to do
to like temp fix the problem is just disable and change the subdomain
LOL
@Frerduro
is it possible that your server is allowing requests from outside of Cloudflare
on my server the only inbound requests allowed are from CF IPs
both aren't possible
yeah I'm not an expert tbh
I don't know what I'd do in your situation
:Pain:
I have an ss of like
a billion requests in a day
on a DDoS