How often does this happen (from Facebook)? Is your site being specifically targeted? How long do these attacks last? Do you think it’s the same perpetrator each time or a random attack using FB?
This is a manual process that requires watching the CF firewall, but what I would do is add a firewall rule to block access to the IP address AS Number (32934) for the duration of the attack (this will cover not just that one IP address, but any other FB IP address). Just watch the firewall rule page for when the attack traffic dies down and then disable the rule to allow legitimate access from FB again. You could probably code something on your server to automatically enable this Firewall rule via the CF API when this traffic is detected, and then set an automatic timer to disable the rule for the average duration of the attacks.
- hundreds of requests per minute, server fails.
Also, as mentioned above, most web servers should be able to handle “hundreds of requests per minute” without failing. Maybe this needs to be investigated? What’s the actual rate of the attack? What web server are you using (Apache, NGINX, etc.)? Is it a (shared) virtual server and can you increase the resource size of the server?
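The automation suggested in the reply above (enable the AS32934 block when the traffic is detected, lift it on a timer), sketched as an added example that is not part of the original post. `set_rule_enabled` is a hypothetical callback standing in for the Cloudflare API call, the threshold and block duration are assumed values, and each request is assumed to arrive already tagged with its source AS number.

```python
from collections import deque
from datetime import datetime, timedelta

FB_ASN = 32934  # AS number given in the post


class AsnBlockController:
    def __init__(self, set_rule_enabled, threshold=300,
                 window=timedelta(minutes=1), block_for=timedelta(minutes=15)):
        self.set_rule_enabled = set_rule_enabled  # hypothetical: wraps the CF API call
        self.threshold, self.window, self.block_for = threshold, window, block_for
        self.hits = deque()          # timestamps of recent AS32934 requests
        self.blocked_until = None    # None means the rule is disabled

    def tick(self, now):
        """Call periodically. Once the edge blocks the AS, the origin stops
        seeing its traffic, so only the timer can lift the rule."""
        if self.blocked_until is not None and now >= self.blocked_until:
            self.blocked_until = None
            self.set_rule_enabled(False)
        return self.blocked_until is not None

    def observe(self, ts, asn):
        """Feed one request; returns True while the block rule is enabled."""
        self.tick(ts)
        if asn == FB_ASN:
            self.hits.append(ts)
            while ts - self.hits[0] > self.window:   # keep a sliding window
                self.hits.popleft()
            if self.blocked_until is None and len(self.hits) >= self.threshold:
                self.blocked_until = ts + self.block_for
                self.hits.clear()
                self.set_rule_enabled(True)
        return self.blocked_until is not None


def simulate():
    """Constructed traffic: 10 req/s from AS32934 for 40 s (400 requests)."""
    calls = []                       # records every enable/disable request
    ctl = AsnBlockController(calls.append)
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    for i in range(400):
        ctl.observe(t0 + timedelta(milliseconds=100 * i), FB_ASN)
    still_blocked = ctl.tick(t0 + timedelta(minutes=10))
    after_timer = ctl.tick(t0 + timedelta(minutes=16))
    return calls, still_blocked, after_timer
```

The rule is toggled once in each direction per burst, so a sustained burst does not generate repeated API calls.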