Add rate limit option based on the origin server's response code

Hello,

Please solve ASAP this VERY frustrating issue.

It seems like CF focuses mostly on the requests side of the HTTP/S traffic and neglects the responses from the origin servers, hence not completing the session cycle, to give us better monitoring and security.

My sites are low-traffic ones, a few hundred requests each day.

Yesterday I began to get alerts from my origin server’s monitoring system about high CPU usage for a long time, so I also checked CF – and I found a single Internet IP address that was probably scanning my sites, hence it produced a peak of origin server responses of 404 (requested object not found).
I have a rate limiting rule, but I guess this IP scanned at a lower rate, hence it didn’t trigger this rule. Also, remember that currently rate limiting rules are based only on the requests, not responses.

Currently, AFAIK, I have no way in CF UI to set a rule to detect such activity based on response code from the origin server and set a security action towards that activity and its source IP.
It may be possible using CF API - Rate limiting parameters · Cloudflare Web Application Firewall (WAF) docs

The funny and sad thing – CF already collects the origin server’s response data, for a sliding window of 24 hours (see attached screenshots), and shows it at “Analytics & Logs > Traffic”. CF has this data! It is just to link it with the CF WAF system, I guess the rate limiting section.

We need to be able to create a rule in the spirit of “If a source IP gets back from the origin server 30 replies of response code of 404 or 403 for a period of at least 30 seconds – block it or better, ban it from specific site or whole domain for X minutes (or Y hours)” (or even instead or in parallel – add an action to add this IP to a ready CF IP list, one that users set to be input to a rule that blocks bad IPs).

Please, please – add such an option to help us effectively stop the bad guys!




1 Like
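The rule sketched in the post above (30 responses of 403 or 404 to one source IP within 30 seconds) can be checked on the origin side against its access log. This is an added example, not part of the thread and not Cloudflare code; it assumes a combined-format access log in chronological order whose first field is the real visitor IP (behind a proxy such as Cloudflare the origin must be configured to log the restored client address), and the helper names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log layout: client IP first, timestamp in [], status after the quoted request.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')
WATCHED = {403, 404}
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def find_offenders(lines, threshold=30, window_s=30):
    """Return {ip: time the threshold was first reached} for IPs that received
    `threshold` watched responses inside any `window_s`-second sliding window."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # ip -> timestamps of watched responses still in window
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # skip malformed lines instead of aborting the scan
        ip, ts_raw, status = m.group(1), m.group(2), int(m.group(3))
        if status not in WATCHED or ip in offenders:
            continue
        ts = datetime.strptime(ts_raw, TS_FMT)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= window:   # drop hits that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            offenders[ip] = ts
    return offenders

def make_lines(ip, start, count, gap_s, status):
    """Constructed sample data: `count` log lines for `ip`, `gap_s` seconds apart."""
    out = []
    for i in range(count):
        ts = (start + timedelta(seconds=i * gap_s)).strftime(TS_FMT)
        out.append(f'{ip} - - [{ts}] "GET /probe-{i} HTTP/1.1" {status} 153 "-" "-"')
    return out

if __name__ == "__main__":
    t0 = datetime.strptime("12/Oct/2023:13:00:00 +0000", TS_FMT)
    sample = (make_lines("203.0.113.7", t0, 40, 0.5, 404)    # fast scan
              + make_lines("198.51.100.9", t0, 40, 5, 404)   # slow scan, stays under 30/30s
              + make_lines("192.0.2.44", t0, 40, 0.5, 200))  # normal traffic
    for ip, when in find_offenders(sample).items():
        print(f"{ip} reached the 403/404 threshold at {when.isoformat()}")
```

The slow scanner in the sample is never flagged at the default settings, which is the gap described in the post; lowering `threshold` or widening `window_s` trades that gap against false positives on sites with many legitimately missing URLs.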

That option is available in rate limiting today on the Business plan or higher.

1 Like

Thanks cscharff, nice to know.

Can you share a link to the CF web page stating this?

Why not in the Pro plan? I can see the commercial reasoning for this, but as a Pro user I can only be sorry about this, and I think it should be to CF’s benefit to have it also in the Pro plan, as it can lower traffic volumes towards the CF infrastructure and better flag bad source IPs for IP reputation.

1 Like

OK, I found the plan availability at Rate limiting rules · Cloudflare Web Application Firewall (WAF) docs.

I think this info should be part of the commercial plans comparison page, at Our Plans | Pricing
