All websites in Cloudflare account getting rate limited in case of DDoS attack
Hi, I own multiple domains and manage multiple services for relatively small businesses / hobby projects. I recently experienced a skid who thinks he is funny and tried stress testing our websites. It was not necessarily with malicious thoughts in mind but more to inform us if something is not able to withstand an attack, although he does (jokingly?) threaten to take all of our services offline. The skid tried out multiple attacks and I have noticed a couple of things during them. Depending on the size and nature of the attack it seems like different things happen.
1. If a specific endpoint on the website is targeted, that specific endpoint will be unresponsive for all users, but the other ones (even the ones on the same (sub)domain) will stay alive.
2. Sometimes it looks like a (sub)domain gets rate limited, as our other services will continue to be functional.
3. In the case of larger attacks, all requests to all services that are owned by our account seem to go unresponsive.
Have I misdiagnosed anything here? I would find it weird that all of our services are unresponsive in case of an attack on 1 domain, even if the services are running on different hosts. In our case we have all of our services set up with a zero access tunnel, except for a handful which still use normal proxied DNS records to our origin server.
And to be clear, this is already so much better than without Cloudflare. Our origin server barely notices any (malicious, but in this case also legitimate) connections going through and none of our hardware is put under stress, which is a very big improvement from previous attacks we have experienced. I was just wondering if there would be something to do so that even if 1 domain gets attacked, we still have preferably all, but at least the other domains functional.
5 Replies
Oh yeah. I now know the basics about Cloudflare but I'm still pretty new to everything. Apologies if I got some stuff horribly wrong.
If all the domains are using the same origin, then yes, it is possible to impact multiple domains of yours, because the origin will be overloaded.
And unfortunately, rate limiting is a zone level configuration, so you cannot apply it to all your zones at once.
You'll just need to deploy multiple rate limiting rules across all your zones, or block the actor using other characteristics.
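Since rate limiting rules are per zone, the practical way to cover every domain in the account is to script the deployment. The following is an added example written for this thread, not code from the original post or from Cloudflare. It assumes an API token with zone read and WAF edit permissions in the `CLOUDFLARE_API_TOKEN` environment variable, and the thresholds (100 requests per 10 seconds per source IP, blocked for 10 seconds, with `/health` excluded) are constructed placeholders you would tune per zone and plan. It uses the Cloudflare rulesets API `http_ratelimit` phase entrypoint; note that a PUT on that entrypoint replaces the zone's whole rate limiting rule list, so any rules a zone already has must be included in the payload or they are dropped.

```python
"""Deploy one rate limiting rule to every zone in a Cloudflare account.

Added example for the thread above, not the poster's or Cloudflare's code.
Assumptions: CLOUDFLARE_API_TOKEN holds a token with Zone:Read and
Zone WAF:Edit scopes; the thresholds below are constructed placeholders.
"""
import json
import os
import urllib.request

API = "https://api.cloudflare.com/client/v4"


def build_rate_limit_rule(requests_per_period=100, period=10, mitigation_timeout=10,
                          expression='(http.request.uri.path ne "/health")'):
    """Build one rule for the http_ratelimit phase.

    Counting per (colo, source IP) is the characteristic pair Cloudflare
    documents for per-IP rate limiting; requests matching `expression` are
    counted, and once the count exceeds the threshold within `period`
    seconds the source is blocked for `mitigation_timeout` seconds.
    """
    return {
        "action": "block",
        "description": "Per-IP flood protection (added example)",
        "enabled": True,
        "expression": expression,
        "ratelimit": {
            "characteristics": ["cf.colo.id", "ip.src"],
            "period": period,
            "requests_per_period": requests_per_period,
            "mitigation_timeout": mitigation_timeout,
        },
    }


def entrypoint_payload(rules):
    """PUT on the phase entrypoint replaces the zone's whole rule list, so the
    caller passes every rate limiting rule the zone should keep."""
    return {"rules": list(rules)}


def _call(method, path, token, body=None):
    """Minimal authenticated call against the Cloudflare v4 API."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API + path, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        out = json.load(resp)
    if not out.get("success"):
        raise RuntimeError(f"{method} {path} failed: {out.get('errors')}")
    return out["result"]


def list_zones(token):
    """Return (zone_id, zone_name) for every zone the token can see."""
    zones, page = [], 1
    while True:
        result = _call("GET", f"/zones?per_page=50&page={page}", token)
        zones.extend((z["id"], z["name"]) for z in result)
        if len(result) < 50:
            return zones
        page += 1


def deploy_to_all_zones(token, rule):
    """Install the same rule as the complete http_ratelimit rule list of each zone."""
    for zone_id, name in list_zones(token):
        _call("PUT", f"/zones/{zone_id}/rulesets/phases/http_ratelimit/entrypoint",
              token, entrypoint_payload([rule]))
        print(f"deployed rate limiting rule to {name}")


if __name__ == "__main__":
    deploy_to_all_zones(os.environ["CLOUDFLARE_API_TOKEN"], build_rate_limit_rule())
```

Run it once per account and re-run whenever a zone is added; if some zones need different thresholds, call `build_rate_limit_rule` with per-zone values instead of the defaults. The rule only limits traffic Cloudflare proxies, so origins that are still reachable directly stay as exposed as before.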
With origin server you mean my main server handling the web requests, right?
Because that's the funny thing: I've got 2 different origin servers running, and if 1 of them gets hit, all services running on both of them go down.
Yes.
I would have a look at the links between them then. Are they both using the same data store, or passing requests between each other? There will likely be a link there if that is the case.
Oh yeah, you are right, there are some links.
We have a main page that was getting hit with DDoS traffic, but that makes requests to an API running on the other server.
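That link is the cascade path: every request that reaches the main page fans out to the API on the second server, so a flood against one origin becomes a flood against both. The usual defensive pattern is to put a circuit breaker around the main page's call to the API, so that once the API starts timing out the main page stops forwarding traffic and serves a fallback (cached data or a degraded page) instead. The following is an added example, not code from the thread or from the poster's services; it assumes the main page reaches the API through a single function, and the overloaded API here is a constructed stand-in rather than a real server.

```python
"""Circuit breaker around the main page's calls to the API origin.

Added example for the thread above, not the poster's code. The API is a
constructed stand-in that fails once it has received more calls than it
can handle, which is how an overloaded second origin looks from the first.
"""
import time


class CircuitBreaker:
    """Closed: calls pass through. Open: calls are shed and the fallback is
    served. Half-open: after reset_timeout, one call is allowed to probe."""

    def __init__(self, failure_threshold=5, reset_timeout=30.0, clock=time.monotonic):
        self.failure_threshold = failure_threshold
        self.reset_timeout = reset_timeout
        self.clock = clock          # injectable so tests can control time
        self.failures = 0
        self.opened_at = None       # None means closed

    def state(self):
        if self.opened_at is None:
            return "closed"
        if self.clock() - self.opened_at >= self.reset_timeout:
            return "half-open"
        return "open"

    def call(self, fn, fallback):
        state = self.state()
        if state == "open":
            return fallback()       # shed load: nothing is sent to the API
        try:
            result = fn()
        except Exception:
            self.failures += 1
            # A failed probe re-opens immediately; otherwise open on threshold.
            if state == "half-open" or self.failures >= self.failure_threshold:
                self.opened_at = self.clock()
            return fallback()
        self.failures = 0
        self.opened_at = None
        return result


class FakeApi:
    """Constructed stand-in for the API origin: every call past `capacity`
    times out, the way an overloaded backend does."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.received = 0

    def fetch(self):
        self.received += 1
        if self.received > self.capacity:
            raise TimeoutError("api origin overloaded")
        return "fresh data"


def serve_flood(n_requests, api_capacity, use_breaker):
    """Simulate n_requests hitting the main page. Returns how many calls
    actually reached the API and how many requests were served the fallback."""
    api = FakeApi(api_capacity)
    breaker = CircuitBreaker(failure_threshold=3, reset_timeout=60.0)
    served_fallback = 0
    for _ in range(n_requests):
        if use_breaker:
            out = breaker.call(api.fetch, lambda: "cached data")
        else:
            try:
                out = api.fetch()
            except TimeoutError:
                out = "cached data"
        if out == "cached data":
            served_fallback += 1
    return api.received, served_fallback


if __name__ == "__main__":
    print("without breaker (api calls, fallbacks):", serve_flood(1000, 10, False))
    print("with breaker    (api calls, fallbacks):", serve_flood(1000, 10, True))
```

Without the breaker, all 1000 requests are forwarded and the API keeps absorbing the flood; with it, the API sees only the 10 it could handle plus the 3 failures that trip the breaker, and the remaining requests are answered from the fallback without touching the second server. In a real service the wrapped call also needs a short client-side timeout, otherwise the front-end's worker pool fills with hung connections before the breaker ever sees a failure.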