Am I still under attack?

#1

I came under attack a few months ago and have been using Cloudflare ever since. I have activated “I’m Under Attack” on my free Cloudflare account which places a holding page in front of any requests to my website or blog. It’s severely affecting other services such as PayPal and BlogLovin from working with my site and I’d really like to know if the attack is still ongoing and if I can switch off “I’m Under Attack”. Is there a way of doing this through logs, etc, without just giving it a go???

Thanks,

Jason.

#2

Have you already checked out https://dash.cloudflare.com/redirect?zone=analytics/security?

#3

I have looked at this page but I am unable to really understand what it is telling me. I know that sounds strange, but it shows 78 threats in the past 24 hours, most of which are bad browser but I am unable to translate that into whether the DDoS is still active. Are there any tell-tale signs that I should be looking for?

#4

The Firewall section here has a Firewall Events log that might show you some activity. If it looks quiet, you can disable under attack mode, then live-watch your server log for activity.

If there’s an attack, and you’re lucky, you can look for a common trait you can filter out with Firewall Rules.

Another approach would be to create a Firewall Rule that will Challenge anybody who’s not BlogLovin or PayPal. Hopefully they have an easy-to-identify User Agent String.

#5

Thanks for your thoughts. The Firewall Event Log shows a number of bots and crawlers, mostly Bing, Google, Pinterest, etc. Nothing untoward in the past few hours but all actions taken are allow.

Does that sound like it might be worth a try??

#6

I’d give it a try, but immediately start watching the server logs for excessive activity. Also check the Analytics page (Security tab) for attack stats.
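The log watching suggested in the posts above, sketched as an added example that is not part of the thread or any poster's code: it buckets origin access-log lines by minute, flags minutes far above the median rate, and reports the dominant User-Agent and path in each flagged minute as a candidate trait for a Firewall Rule. It assumes Apache/nginx combined log format; the thresholds, sample lines and names are constructed. It groups by User-Agent and path rather than client IP because origin logs behind Cloudflare show Cloudflare edge addresses unless the server restores the visitor IP.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Combined Log Format; the minute bucket is the first 17 chars of the timestamp.
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[(?P<minute>[^\]]{17})[^\]]*\] '
    r'"\S+ (?P<path>\S+)[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def find_spikes(lines, factor=5, floor=20):
    """Return spike minutes with their most common User-Agent and path.

    A minute is a spike when its request count exceeds both `floor` and
    `factor` times the median per-minute count (both thresholds are assumptions).
    """
    per_minute = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # skip lines that are not in combined format
            per_minute[m["minute"]].append((m["ua"], m["path"]))
    if not per_minute:
        return {}
    threshold = max(floor, factor * median(len(r) for r in per_minute.values()))
    spikes = {}
    for minute, reqs in per_minute.items():
        if len(reqs) > threshold:
            n = len(reqs)
            ua, ua_n = Counter(u for u, _ in reqs).most_common(1)[0]
            path, path_n = Counter(p for _, p in reqs).most_common(1)[0]
            spikes[minute] = {"count": n, "top_ua": (ua, ua_n / n),
                              "top_path": (path, path_n / n)}
    return spikes

def _line(minute, sec, path, ua):  # builds one constructed log line
    return (f'203.0.113.9 - - [{minute}:{sec:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "{ua}"')

# Constructed sample: 3 requests/minute for five minutes, then 60 in one minute.
SAMPLE = [_line(f"01/Jan/2024:10:{m:02d}", s, "/blog/", "Mozilla/5.0 (constructed)")
          for m in range(5) for s in (5, 25, 45)]
SAMPLE += [_line("01/Jan/2024:10:05", s, "/index.php", "constructed-flood-agent/1.0")
           for s in range(60)]

if __name__ == "__main__":
    for minute, info in find_spikes(SAMPLE).items():
        print(minute, info)
```

A share close to 1.0 for one User-Agent or path in a flagged minute is the kind of common trait a Firewall Rule can match on.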

#7

The server is hosted as a shared resource by a third party company and I don’t believe I have access to their logs (unfortunately).

Are there any other Cloudflare logs I should be reviewing?

Thanks.

#8

No Cloudflare logs. Even Shared hosting should have some sort of access to your server activity logs.

#9

You could disable IUA and enable at the same time a firewall rule which JavaScript challenges all requests. That should be effectively the same but should display attacks in the firewall log (which IUA does not AFAIK). Then you could gradually loosen the firewall rule to only block attacking requests.

#10

Any advice on how I select all requests in a new firewall rule as I don’t see that as a single option? Should I select all POST or GET requests instead?

#11

You need to have a filter, but you can have something simple like

(http.host contains "yourdomain.com")

#12

Here goes…
