It wouldn’t surprise me terribly much if someone very clever or hard-working figured out a way to solve the first CAPTCHA or JS Challenge, which opened the door to that same IP address DoSing the server. But a Rate Limit rule should fix that. Granted, you’d be charged for good traffic, but that should stop the DDoS.
It might be worth experimenting with that for 24 hours before it gets too expensive.
Unfortunately, ever since hCaptcha was implemented, attacking the captcha has been much easier and cheaper. The comparison captcha is very easy to attack if the attacker digs a bit into computer vision and ML.
The JS Challenge has been improved over the last year or two, but it’s still vulnerable to some tweaked headless browsers.
@user3930 We need information about the DDoS attack; screenshots of your CF dashboard would already be handy to get started.
Also, consider using iptables or Windows Firewall to drop non-Cloudflare connections; this will drain fewer resources than having the web server drop the connection.
If you want to try things out by yourself while waiting for somebody to help you out, I recommend checking a post I made a while ago (self-plug).
Also, as @sdayman suggested, rate limiting is a good resource to use when the attacker is capable of solving the captcha and the JS challenge.
If none of the above works, then you will need to tweak CF to only accept the most granular legitimate traffic, blocking the rest.
First, make absolutely sure that your server blocks any HTTP/S connections not coming from the list at cloudflare.com/ips.
I have been implementing this, but I realized it’s not an option for me (at least with iptables) because I’m using a subdomain that cannot pass through the Cloudflare proxy (streaming).
I have been reading about a way to set up nginx to forbid any connection from outside of Cloudflare, and this at the server level. That could be more interesting for my usage, but it needs a geo module I do not have compiled.
In this case, the best option would be to allow only connections that have a valid Host header. You can check the nginx docs to implement this; it’s fairly easy.
Typically for streaming, you have streaming servers. You should consider separating your website server and your streaming server; that way, at least the main website would be protected against DDoS attacks.
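As an added example (not from this thread and not Cloudflare’s own tooling), the script below covers both the firewall-level rule from “make absolutely sure that your server blocks any HTTP/S connections not coming from the list at cloudflare.com/ips” and the nginx-level Cloudflare-only plus Host-header approach discussed in the last two posts. It renders, from one list of edge ranges, (a) ipset/iptables commands that only let web-port traffic in from those ranges and (b) an nginx include that restores the visitor IP, refuses requests not arriving from a Cloudflare edge, and closes connections whose Host header matches no configured name. The embedded ranges are a short constructed sample (the full, current lists must be fetched from cloudflare.com/ips-v4 and ips-v6); the ports, certificate paths and `example.com` names are assumptions. One caveat the nginx half is built around: the realip module replaces `$remote_addr` with `CF-Connecting-IP` before `allow`/`deny` run, so an allow list of Cloudflare ranges placed after `set_real_ip_from` ends up testing the visitor’s address and returns 403 to everyone; the check therefore uses the untouched TCP peer `$realip_remote_addr` through the geo module, which is part of nginx’s default build.

```shell
#!/bin/sh
# Added example (not from the thread): build a "Cloudflare-only" allowlist for
# the host firewall and for nginx from one list of Cloudflare edge ranges.
# CF_V4/CF_V6 are a constructed sample; in production fetch the full current
# lists from https://www.cloudflare.com/ips-v4 and /ips-v6 (e.g. via cron).
CF_V4="173.245.48.0/20
103.21.244.0/22
141.101.64.0/18
104.16.0.0/13
172.64.0.0/13"
CF_V6="2400:cb00::/32
2606:4700::/32"

# Ports of the proxied site only (assumed). An origin that bypasses the proxy,
# like a streaming sub-domain, must listen on another port or IP, otherwise
# these rules lock its clients out.
WEB_PORTS="80,443"

# Emit ipset + iptables commands (review them, then pipe into sh to apply).
# A dedicated chain keeps the logic independent of whatever else is in INPUT:
# web-port traffic jumps to CF_ONLY, which accepts set members and drops the rest.
render_firewall() {
    printf 'ipset create cf4 hash:net family inet -exist\n'
    printf 'ipset flush cf4\n'
    for net in $CF_V4; do printf 'ipset add cf4 %s -exist\n' "$net"; done
    printf 'ipset create cf6 hash:net family inet6 -exist\n'
    printf 'ipset flush cf6\n'
    for net in $CF_V6; do printf 'ipset add cf6 %s -exist\n' "$net"; done
    for tool in iptables ip6tables; do
        if [ "$tool" = ip6tables ]; then ipset_name=cf6; else ipset_name=cf4; fi
        printf '%s -N CF_ONLY 2>/dev/null || %s -F CF_ONLY\n' "$tool" "$tool"
        printf '%s -A CF_ONLY -m set --match-set %s src -j ACCEPT\n' "$tool" "$ipset_name"
        printf '%s -A CF_ONLY -j DROP\n' "$tool"
        # -C tests whether the jump already exists, so re-runs stay idempotent.
        printf '%s -C INPUT -p tcp -m multiport --dports %s -j CF_ONLY 2>/dev/null || ' "$tool" "$WEB_PORTS"
        printf '%s -I INPUT -p tcp -m multiport --dports %s -j CF_ONLY\n' "$tool" "$WEB_PORTS"
    done
}

# Emit an nginx include for the http {} block.
#  1. realip replaces $remote_addr with CF-Connecting-IP before allow/deny are
#     evaluated, so the "came from a Cloudflare edge" check is done on the raw
#     TCP peer ($realip_remote_addr) with the geo module instead.
#  2. A catch-all default server answers any unknown Host header with 444
#     (connection closed), so only requests for a configured name are served.
render_nginx() {
    for net in $CF_V4 $CF_V6; do printf 'set_real_ip_from %s;\n' "$net"; done
    printf 'real_ip_header CF-Connecting-IP;\n\n'
    printf 'geo $realip_remote_addr $cf_edge {\n    default 0;\n'
    for net in $CF_V4 $CF_V6; do printf '    %s 1;\n' "$net"; done
    printf '}\n'
    cat <<'EOF'

# Catch-all: Host header matches no server_name -> close the connection.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl default_server;                # needs a certificate; self-signed is fine
    listen [::]:443 ssl default_server;
    ssl_certificate     /etc/nginx/fallback.crt;  # assumed path
    ssl_certificate_key /etc/nginx/fallback.key;  # assumed path
    return 444;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;      # assumed names
    # Request did not arrive via a Cloudflare edge: refuse it.
    if ($cf_edge = 0) { return 403; }
    # ... ssl_certificate, root / proxy_pass etc. as in the existing config
}
EOF
}

# Run directly: print both artefacts for review.
render_firewall
render_nginx
```

Run it, read the output, then pipe `render_firewall` into `sh` and write `render_nginx` to a file included from `http {}`. Because the chain is flushed and re-filled on every run, re-running after refreshing the range lists is safe; the non-proxied streaming origin stays reachable as long as it does not share the ports in `WEB_PORTS`.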
Yesterday I tried to implement this at the nginx server level, since I can’t do it globally with iptables, and honestly I do not know what to think of Cloudflare…
I made sure my A and WWW records are proxied, but even though they are, I get 403 Forbidden all the time, meaning that when I visit my site I’m apparently not coming from Cloudflare? I added my IP to the list to make sure the setup was working and got access immediately. So I don’t know what to think.
Actually, I kind of get the same problem when trying with iptables. I have a domain that can’t be used with Cloudflare (a free ddns.net one), and if I set up the iptables rules, then the firewall effectively blocks my access to that domain. With the domain on Cloudflare it somehow works, but it doesn’t seem reliable; it takes like 10-15 min to time out the connection if not using CF’s proxy.
listen 443 ssl http2;
listen [::]:443 ssl http2;