502 DDoS Attack

I’m recieving a ddos attack while in IUA mode. It is 120Million requests in the past 24 hours and cloudflare hasn’t stopped the attack. Cloudflare is unaware of the bypasses available for their services?

1 Like

Domain?

1 Like

there is a lots of topic like that with many ways to stop layer 7 ddos attacks

Right now the site is loading.

Have you made sure these requests really go through Cloudflare and are not bypassing it, hitting your server directly?

it is loading now because it’s not being ddosed. when it does, my login gets a 502 from a overflow of traffic. The attacker is bypassing cloudflare UAM whenever I have it on. Rate limiting does nothing also because it’s over 10k IPs

Also, rate limiting wont really work with a truly distributed attack.

yes these requests are going through cloudflare because I’m seeing it on my dashboard for cloudflare and logflare

Considering they seem to bypass IUA they are likely to run a crawler with a JavaScript engine.

Is there anything you could base a block on (country, ASN, user agent, etc.)?

It’s random ASN, some even residential, random UA, and 100million requests the past 24 hours so…

I presume you already had your security level on High, right?

yes, my security level is set to high at all times and I have cache everything enabled

Hmm, cache everything should actually offload a lot, at least for those requests coming through the same data centre. Also, as far as I can tell the caching actually works.

Could it be that they are breaking the cache with a query string? Are you ignoring the query string in your cache settings or are you using the standard method?

Can you post an excerpt from your log containing these requests?

I can not at the moment but will in a hour or two.

ok here is a example of the attack
{
“request”: {
“cf”: {
“asn”: 23352,
“clientTcpRtt”: 6,
“clientTrustScore”: 1,
“colo”: “ORD”,
“country”: “US”,
“edgeRequestKeepAliveStatus”: 1,
“httpProtocol”: “HTTP/1.1”,
“tlsCipher”: “ECDHE-ECDSA-AES128-GCM-SHA256”,
“tlsClientAuth”: {
“certPresented”: “0”,
“certVerified”: “NONE”
},
“tlsVersion”: “TLSv1.2”
},
“headers”: {
“accept”: “text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3”,
“accept_encoding”: “gzip”,
“accept_language”: “en-US,en;q=0.9”,
“cache_control”: “max-age=0”,
“cf_connecting_ip”: “75.102.5.42”,
“cf_ipcountry”: “US”,
“cf_ray”: “525ba6f18c12e1fe”,
“cf_visitor”: “{“scheme”:“https”}”,
“connection”: “Keep-Alive”,
“host”: “projectkyros.com”,
“upgrade_insecure_requests”: “1”,
“user_agent”: “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.38 Safari/537.36”,
“via”: “1.1 localhost (squid/3.5.20)”,
“x_forwarded_for”: “155.138.148.214”,
“x_forwarded_proto”: “https”,
“x_real_ip”: “75.102.5.42”
},
“ipInfo”: {
“city”: “Chicago”,
“country”: “US”,
“hostname”: “unknown.ord.scnet.net”,
“ip”: “75.102.5.42”,
“loc”: “41.8882,-87.6164”,
“org”: “AS23352 Server Central Network”,
“postal”: “60601”,
“region”: “Illinois”,
“timezone”: “America/Chicago”
},
“method”: “GET”,
“url”: “https://projectkyros.com/login
},
“response”: {
“headers”: {
“alt_svc”: “h3-23=”:443"; ma=86400",
“cache_control”: “no-store, no-cache, must-revalidate, post-check=0, pre-check=0”,
“cf_cache_status”: “DYNAMIC”,
“cf_connection_close”: “close”,
“cf_ray”:

One sample is not really sufficient.

But do they all target “/login”? That particular path does not seem to be cached, though you probably cant cache to begin with.

they all target /login and the query is empty
“clientRequestHTTPHost”: “projectkyros.com”,
“clientRequestHTTPMethodName”: “GET”,
“clientRequestPath”: “/login”,
“clientRequestQuery”: “”,
“datetime”: “2019-10-15T03:01:13Z”,
“rayName”: “525e8bf29b89d34e”,
“ruleId”: “43dfc0a1156e4c1abb65bccf626a2641”,
“source”: “firewallRules”,
“userAgent”: “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36”,

You seem to process the login at “/do_login.php”, so technically you could also cache “/login” - assuming you are not displaying the username upon a failed login, which you do not seem to.

Though details definitely depend on your implementation and thats something your web developer should have a look at.

How would I cache a php page?

The same way you are caching your site already, via a page rule.

Post a screenshot of your page rules.