How to turn off DDOS protection on R2?
My cached endpoint is returning cloudflare ddos protection from my application when there is high traffic and it is very annoying. Do I need enterprise?!
55 Replies
If you're talking about an R2 Custom Domain, check Security -> Events and see what service is challenging/blocking the requests, Magic Link: https://dash.cloudflare.com/?to=/:account/:zone/security/events
@Chaika
it's not a ddos...
Over 200 of my users got blocked
from my own application sending myself requests
can i whitelist all ips or something. this is cached on cdn so i have no interest about stopping ddos
@Chaika should i be sending a user agent?
Or does this work?
You can lower the sensitivity of Http DDos with an override: https://developers.cloudflare.com/ddos-protection/managed-rulesets/adjust-rules/false-positive/
Cloudflare Docs
Handle a false positive · Cloudflare DDoS Protection docs
A false positive is an incorrect identification. In the case of DDoS protection, there is a false positive when legitimate traffic is mistakenly …
you probably should be though yea
It is not 1 false positive.
Even myself got blocked
How can I do this?
oops I meant to reply to "should I be sending a user agent"
The DDoS protection is always on. You can follow that false positive guide to lower the sensitivity
Based on the Rule ID in that one blocked event, it looks like the specific one flagging you is "HTTP requests with unusual HTTP headers or URI path (signature #61)."
How can i turn this ddos protection off. It doesn't work it blocked the creator of the app even
I'm not sending a useragent
is that why
You can't turn it off. You can only lower the sensitivity of it. Did you follow the false positive guide to deploy an override?
I was thinking of sending a chrome useragent
To circumvent the firewall
I wouldn't impersonate a browser, I would just send a custom one
can you tell me what headers
cloudflare likes/wants me to send
I can't, no, I don't know the full list. Obvious ones like impersonating browser user agents/faking them/having empty can cause issues.
I would go the other way and deploy a ddos override as suggested above. You can target that specific rule and lower the sensitivity
i did deploy a ddos override
and i still got this
do i need enterprise?
i read to disable ddos
i need to get enterprise
did this accomplish ddos bypass?
no but I would wager it just needed a second to update if you changed the sensitivity
the whole ddos pipeline is a complex thing sampling only one out of a thousand requests and such
i already had everything to lowest
sensitivity
weeks ago
Enterprise can change the action to Log
what does skip mean, my assumption is skip firewall?
you already had a ddos override, and you could see that specific rule at essentially off sensitivity?
just that it matched your custom rule and skipped specific components you selected
yep
it dazzles me why anybody would care about ddosing
cached cdn files lol
this shouldnt be a thing
Yea, CF would mitigate it either way though because it costs their resources/network stability
how much is enterprise usually?
Interesting though, do you see a spike in analytics/think someone actually ddosed you alongside this? Would make some sense if your normal requests got captured up in a rule to mitigate the actual requests
no we just had a flash sale
and many api requests
were sent from our app
depends on the features you want and traffic. I wouldn't expect less than a few thousand usd/month base though
few thousand :face_flushedrollingeyes:
basically
we had
200k api reqs
sent to the cdn at once
like within 1 min
and they all got blocked
even devices that only connected
1 time
(my personal device and phone 4g)
are they proxied through the app/coming from your backend or just using the app's http library and thus no user agent?
they are coming from the app
and they have no headers
because i dont want to use unnecessary bandwidth
it seems "skip"
here is skipping the firewall
Just want to note this has no user agent
That's a pretty good bot indicator
Unless you're doing some weird proxy to R2 and not properly passing headers, this block at least seems legit
Oh you replied to that, yeah I'd forward client headers
I'm sending no headers intentionally yes. Which headers do you suggest i add, just user-agent?
All of them
What does all of them mean sorry? I'm not using a webapp
This is a javafx native gui
The request is being initiated
from the GUI
It's not a forwarder or anything
like are you referring to all of them like matching a browser?
Aren't bots smart enough to set a user-agent header?
ok it's not getting blocked sending user agent mozilla for now
would it be best
to set up like a small server
and just whitelist that ip directly?
then it wont ever get ddos blocked
okay
i'm sending postman useragent
to be safe lol
Custom Rules won't skip DDoS mitigation/DDoS Mitigation Rules. It runs after DDoS Protection so you'll only see the skips when http ddos isn't blocking it/otherwise you'd see http ddos blocks
Oh
What user agent would you use in your app
i just dont know what to set it as
if i leave it as
java http/client
that is used by some ddos attackers too
I would just use your app name / version / platform. Having something set is better than being empty, and I wouldn't impersonate browsers
user-agent:
dwaynapp / 1.0.2 / windows
good? @Chaika
Stack Overflow
What is the standard format for a browser's User-Agent string?
Is there an RFC, official standard, or template for creating a User Agent string? The iphone's user-agent string seems strange...
Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_1_2 like Mac OS X; ...
this is browser isnt it
okay
i'll go with this
if it blocks with this then idk
can i whitelist my own ua
That ietf rfc that specifies formats is just about http semantics in general
kk sure
i for sure cant whitelist my own ua?
Enterprise could, I don't think any lower can.
you don't have any other weird/non-standard request headers, yea?
nothing
0 header
@Chaika what do you think about using a whitelabeler
like digital ocean spaces
which uses cloudflare as cdn
they have an option to turn off firewall
is that because they have enterprise?
I would have to understand the context to say more but yes Enterprise can set their Security Level to Off which disables a lot of security stuff including at least some http ddos stuff (although not the lower l3/l4 stuff)
are you able to lookup my endpoint or something
and see if it's off
if digitalocean can turn it off fully
then should be all good
no community champs are not employees, and that's not something even an employee would do from discord
ah ok
thanks for helping me
i just tested a few million requests with a user agent
and it worked
i'm shocked a ddosser does not know how to set a user agent lol
Telling apart automated good vs automated bad requests is hard lol
If it helps, from what I understand, Cloudflare runs a few services at Edge and in Core which collect samples of all requests. They sample pretty high (only one out of a thousand requests in some cases) and analyze headers/content, and if it thinks it is malicious and over a threshold, it deploys a mitigation rule to edge matching the signature, blocking all further requests with that signature. Eventually that rule goes away until it is needed again.
https://blog.cloudflare.com/deep-dive-cloudflare-autonomous-edge-ddos-protection/
Which matches your description/what you've seen, you got a spike of traffic with that empty user agent header and CF deployed a mitigation against it, blocking all, until traffic calmed down again. So hopefully that's the end of it if you start sending user agent and aren't doing any other weird http header/path things, at least in terms of that one rule.
That's just one of the heuristic/blocking rules though. There's other more dynamic ones like known from botnet based on various signatures/fields. If any attack is big enough to actually hurt CF, you know they'll craft something special to nuke it
isn't it as costly for cf to return a 403 blocked message as it is returning a cached json?
in fact, my cached json is even smaller than the cf blocked 403
both message are cached from edge
It doesn't know or care about that, and it blocking it ends the execution early, and if the attack is highly volumetric they'll start blocking at a lower level (L4/IP Jails)
so do you think it would make sense to completely disable the ddos on edge cached r2?
because it costs the same and makes 0 difference
0 chance of downtime for customers
no, I don't think it makes sense logically. If you mean in your case, then if it's having false positives and there's no other way then maybe, but hopefully properly setting a user agent fixes that