About flood or DDoS

Hello

I'm wondering exactly what CF does.

I have suffered (and will suffer) a massive attack. So in response, I activate the “under attack” mode… no change.

I make a firewall rule banning all countries except mine: for 5 min it seems to work, then nothing.

I go back to the under attack setting and set up a challenge every 5 min instead of 24 h. Same: it works for 5 min and then, same again.

I set the firewall rules so that the whole world except Europe has to complete a captcha instead of the JS challenge. No effect whatsoever…

So my question is… are those botnets capable of getting through all your defense mechanisms just by adjusting their attack, or am I doing something wrong?

Regards

First, make absolutely sure that your server blocks any HTTP/S connections not coming from the list at cloudflare.com/ips

How “massive” are these attacks?

1 Like

Do you have any tutorial at hand to set up this blocking rule in nginx?

I only have something about translating CF's addresses:

http {
    # Trust CF-Connecting-IP only when the connection itself comes from a
    # Cloudflare edge range (ngx_http_realip_module).
    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 103.22.200.0/22;
    set_real_ip_from 103.31.4.0/22;
    set_real_ip_from 104.16.0.0/13;
    set_real_ip_from 104.24.0.0/14;
    set_real_ip_from 108.162.192.0/18;
    set_real_ip_from 131.0.72.0/22;
    set_real_ip_from 141.101.64.0/18;
    set_real_ip_from 162.158.0.0/15;
    set_real_ip_from 172.64.0.0/13;
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 188.114.96.0/20;
    set_real_ip_from 190.93.240.0/20;
    set_real_ip_from 197.234.240.0/22;
    set_real_ip_from 198.41.128.0/17;

    set_real_ip_from 2400:cb00::/32;
    set_real_ip_from 2606:4700::/32;
    set_real_ip_from 2803:f800::/32;
    set_real_ip_from 2405:b500::/32;
    set_real_ip_from 2405:8100::/32;
    set_real_ip_from 2c0f:f248::/32;
    set_real_ip_from 2a06:98c0::/29;

    # Replace the client address seen by nginx with the visitor address
    # Cloudflare puts in this header.
    real_ip_header CF-Connecting-IP;
}

This is best done in iptables. Your config snippet is restoring the original visitor IP address for logging purposes.

https://support.cloudflare.com/hc/en-us/articles/200169166-How-do-I-whitelist-CloudFlare-s-IP-addresses-in-iptables-

3 Likes

Actually I didn't mention it, but I looked at the list of the IPs making the most connections.

I used this:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

and those IPs resolved to the Cloudflare ISP.


It wouldn’t surprise me terribly much if someone very clever or hard working figured a way to solve the first CAPTCHA or JS Challenge that opened the door to that same IP address DoSing the server. But a Rate Limit rule should fix that. Granted, you’d be charged for good traffic, but that should stop the DDoS.

It might be worth experimenting with that for 24 hours before it gets too expensive.

1 Like

Unfortunately, ever since hCaptcha was implemented, attacking the captcha is much easier and cheaper. The comparison captcha is very easy to attack if the attacker digs a bit into computer vision and ML.
The JS Challenge has been improved over the last year or two, but it's still vulnerable to some tweaked headless browsers.

@user3930 We need information about the DDoS attack, photos of your CF dashboard would already be handy to get started.
Also, consider using iptables or Windows Firewall to drop non-Cloudflare connections; this will drain fewer resources than having the webserver drop the connection.
If you want to try things out by yourself while waiting for somebody to help you out, I recommend checking a post I made a while ago (self plug :sunglasses: ).

Also, as @sdayman suggested, rate limit is a good resource to use when the attacker is capable of solving captcha and the js challenge.

If none of the above works, then you will need to tweak CF to only accept the most granular legitimate traffic, blocking the rest.

3 Likes

I think if the users are supposed to make specific settings for CF to be effective, we should be provided with some scripts that would set up the host firewall, for example.

I'm using a firewall (arno-iptables-firewall) and I am pretty sure it already includes a rate limit rule.

For more on DDoS attacks, see the following articles:
https://support.cloudflare.com/hc/en-us/articles/360053233231-Understanding-Cloudflare-DDoS-reports
https://support.cloudflare.com/hc/en-us/articles/360053216191-Understanding-Cloudflare-DDoS-alerts
https://support.cloudflare.com/hc/en-us/articles/200170196-Responding-to-DDoS-attacks
https://support.cloudflare.com/hc/en-us/articles/200170166-Best-Practices-DDoS-preventative-measures
https://support.cloudflare.com/hc/en-us/articles/200172676-Understanding-Cloudflare-DDoS-protection
https://support.cloudflare.com/hc/en-us/articles/115002059131-Understanding-your-site-protection-options
https://support.cloudflare.com/hc/en-us/articles/203020124-Recovering-from-a-hacked-site

Hope those help!

1 Like

First, make absolutely sure that your server blocks any HTTP/S connections not coming from the list at cloudflare.com/ips

I've been implementing this, but I realized it's not an option for me (at least with iptables) because I'm using a subdomain that cannot pass through the Cloudflare proxy (streaming).

I have been reading about a way to set up nginx to forbid any connection from outside Cloudflare, at the server level. That could be more interesting for my usage, but it needs a geo module I do not have compiled.

In this case, the best option would be to allow only connections that have a valid Host header. You can check the nginx docs to implement this; it's fairly easy.

Typically for streaming, you have streaming servers. You should consider separating your website server and your streaming server, that way, at least the main website would be protected against DDoS attacks.

3 Likes

Yesterday I tried to implement this at the nginx server level, since I can't do it globally with iptables, and honestly I do not know what to think of Cloudflare…
I made sure my A and WWW records are proxied, but even though they are, I get 403 Forbidden all the time, meaning that when I visit my site I'm apparently not coming from Cloudflare? I added my IP to the list to make sure the setup was working and got access immediately. So I don't know what to think.
Actually I kind of got the same problem when trying with iptables. I have a domain that can't be used with Cloudflare (a free ddns.net) and if I set up the iptables rules then the firewall effectively blocks my access to that domain. With the domain on Cloudflare it somehow works, but it doesn't seem reliable; it takes like 10-15 min to time out the connection if not using CF's proxy.

server {

    listen 80;
    listen [::]:80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    include /usr/local/nginx/conf/allow-cloudflare-only.conf;
}

# contents of /usr/local/nginx/conf/allow-cloudflare-only.conf
# https://www.cloudflare.com/ips
# IPv4
allow 131.0.72.0/22;
allow 172.64.0.0/13;
allow 104.24.0.0/14;
allow 104.16.0.0/13;
allow 162.158.0.0/15;
allow 198.41.128.0/17;
allow 197.234.240.0/22;
allow 188.114.96.0/20;
allow 190.93.240.0/20;
allow 108.162.192.0/18;
allow 141.101.64.0/18;
allow 103.31.4.0/22;
allow 103.22.200.0/22;
allow 103.21.244.0/22;
allow 173.245.48.0/20;

# IPv6
allow 2400:cb00::/32;
allow 2606:4700::/32;
allow 2803:f800::/32;
allow 2405:b500::/32;
allow 2405:8100::/32;
allow 2a06:98c0::/29;
allow 2c0f:f248::/32;

deny all; # deny all remaining IPs

I would suggest you take a look at using CrowdSec for this: How to beat application DDoS attacks with CrowdSec & Cloudflare - The open-source & collaborative security solution. It's free and pretty effective at combating a problem like yours, in that it adds those firewall blocks automatically based on what it sees in your webserver logs.
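For the 403 problem and the valid-Host-header suggestion in this thread, here is an added nginx layout (example configuration written for this reply, not the poster's or Cloudflare's own): the default server closes connections for unknown hostnames, the proxied site keeps the allow/deny include file shown above, and the streaming subdomain gets no allow-list so it is never locked out. It assumes the http-level real_ip_header directive from the earlier snippet is removed, because the realip module rewrites $remote_addr to the visitor address before allow/deny run, so the Cloudflare allow-list then rejects every visitor; hostnames, certificate paths and the backend are placeholders.

```nginx
# Added example, not from the thread. Stock nginx with the default
# ngx_http_access_module; names, paths and the backend are placeholders.
# The http-level "real_ip_header CF-Connecting-IP" must NOT be active here:
# realip rewrites $remote_addr to the visitor address before allow/deny run,
# and the Cloudflare allow-list would then reject everyone with 403.
http {
    # Keep the visitor address for logs without rewriting $remote_addr.
    log_format cf '$remote_addr visitor=$http_cf_connecting_ip [$time_local] '
                  '"$request" $status $body_bytes_sent';
    access_log /var/log/nginx/access.log cf;

    # Per-client cap for the unproxied streaming name (zone must sit in http).
    limit_req_zone $binary_remote_addr zone=stream:10m rate=10r/s;

    # Catch-all: a Host header that matches no configured name gets the
    # connection closed (444) before any application code runs.
    server {
        listen 80 default_server;
        listen 443 ssl http2 default_server;
        server_name _;
        ssl_certificate     /etc/ssl/certs/placeholder.crt;
        ssl_certificate_key /etc/ssl/private/placeholder.key;
        return 444;
    }

    # Proxied site: only Cloudflare edge ranges may connect.
    server {
        listen 80;
        listen 443 ssl http2;
        server_name example.com www.example.com;
        ssl_certificate     /etc/ssl/certs/placeholder.crt;
        ssl_certificate_key /etc/ssl/private/placeholder.key;
        include /usr/local/nginx/conf/allow-cloudflare-only.conf;  # allow ...; deny all;
        root /var/www/example.com;
    }

    # Streaming name that bypasses the proxy: deliberately no allow-list, so
    # the Cloudflare restriction above cannot block it; rate-limit instead.
    server {
        listen 443 ssl http2;
        server_name stream.example.com;
        ssl_certificate     /etc/ssl/certs/placeholder.crt;
        ssl_certificate_key /etc/ssl/private/placeholder.key;
        limit_req zone=stream burst=20 nodelay;
        location / {
            proxy_pass http://127.0.0.1:8080;  # placeholder streaming backend
        }
    }
}
```

If the application itself needs $remote_addr to be the visitor address, keep realip and move the Cloudflare-only gate to the host firewall (iptables), as suggested earlier in the thread.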