Attack detected but no mitigation action triggered

We experienced an attack a few days back. It was recognized as an attack, but no mitigation action was triggered, hence CPU utilization went very high on the server. We are using the managed rules of the WAF, with no custom rules defined. My understanding is that for this kind of attack (I guess it was an HTTP amplifier) the default managed ruleset will take care of it, but it looks like it did not. Is there something I have missed, or do I need to add a custom rule → WAF Attack Score Class → attack → block? Please help.


Guys, any help here please?

It also depends on what kind of attacks you are seeing. On the screenshot you provided, the Cloudflare system doesn't see this as malicious (Malicious = No), therefore Cloudflare might not mitigate it.

If you believe this is an attack, you can create a Firewall rule or a Rate Limiting rule to block it.

If you are having a DDoS attack, take these actions to stop the attack immediately:

  • Deploy firewall rules and rate limiting rules to enforce a combined positive and negative security model. Reduce the traffic allowed to your website based on your known usage.
  • Ensure all DDoS Managed Rules are set to default settings (High sensitivity level and mitigation actions) for optimal DDoS activation.
  • To protect your hostname against attack, you must enable Proxy Mode on the DNS record for the hostname. Check this documentation for more details.
  • Enable Under Attack Mode under the Overview section. See What Does Under Attack Mode Do for more information.
  • The HTTP DDoS Managed Ruleset protects your website against DDoS attacks. The rules may have various default actions. If the DDoS Managed Rules have triggered, ensure the rule action is Block. Refer to our guide on DDoS false negatives for further details.
  • To find out if your origin server IP is exposed, use online tools such as Censys. Hide your origin IP address from direct attack by proxying traffic to Cloudflare. Learn more here on how to block other IP addresses.
  • Enable caching as much as possible to reduce the strain on your origin servers, and when using Workers, avoid overwhelming your origin server with more subrequests than necessary.
  • Enable DDoS alerting to improve your response time.
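The rules the reply recommends, as an added example that is not part of the original thread or of Cloudflare's own tooling: it builds the custom WAF rule the original poster proposed (WAF Attack Score Class = attack → block), a rate limiting rule, and a check for DNS records that are not proxied and therefore leave the origin reachable directly. The rule shapes follow the Cloudflare Rulesets API (phases `http_request_firewall_custom` and `http_ratelimit`); the zone ID, API token, path prefix, thresholds and the DNS listing are placeholders or constructed samples, and `cf.waf.score.class` assumes a plan on which WAF attack score is available.

```python
"""Added example (not from the thread): build, and optionally push, the custom
WAF rule and rate limiting rule recommended above, and list DNS records that
bypass the proxy. Zone ID, token, thresholds and sample data are placeholders."""
import json
import os
import urllib.request

API = "https://api.cloudflare.com/client/v4"

# Ruleset phases used by the two rule types (Cloudflare Rulesets engine).
PHASE_CUSTOM_WAF = "http_request_firewall_custom"
PHASE_RATE_LIMIT = "http_ratelimit"


def waf_attack_score_rule(score_class: str = "attack") -> dict:
    """Custom WAF rule: block requests whose WAF attack score class equals
    `score_class` ("attack" is the strongest class). Assumption: log with
    action "log" first and review false positives before switching to block."""
    return {
        "description": f"Block requests with WAF attack score class {score_class}",
        "expression": f'(cf.waf.score.class eq "{score_class}")',
        "action": "block",
        "enabled": True,
    }


def rate_limit_rule(requests_per_period: int = 100, period: int = 10,
                    mitigation_timeout: int = 600, path_prefix: str = "/") -> dict:
    """Rate limiting rule: block a client IP that sends more than
    `requests_per_period` requests in `period` seconds to paths starting
    with `path_prefix`, for `mitigation_timeout` seconds. The numbers are
    illustrative (assumption); derive yours from known legitimate usage."""
    return {
        "description": f"Rate limit {path_prefix}: {requests_per_period}/{period}s per IP",
        "expression": f'(starts_with(http.request.uri.path, "{path_prefix}"))',
        "action": "block",
        "ratelimit": {
            # Count per source IP per Cloudflare data centre.
            "characteristics": ["ip.src", "cf.colo.id"],
            "period": period,
            "requests_per_period": requests_per_period,
            "mitigation_timeout": mitigation_timeout,
        },
        "enabled": True,
    }


def deploy(zone_id: str, phase: str, rules: list, token: str) -> dict:
    """PUT `rules` into the zone's entrypoint ruleset for `phase`. Note this
    REPLACES the phase's rules, so include any existing rules you want kept.
    Network call: only runs when given a real zone ID and API token."""
    req = urllib.request.Request(
        f"{API}/zones/{zone_id}/rulesets/phases/{phase}/entrypoint",
        data=json.dumps({"rules": rules}).encode(),
        method="PUT",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def unproxied_records(dns_records: list) -> list:
    """Given the 'result' list of GET /zones/{zone}/dns_records, return the
    A/AAAA/CNAME records that are not proxied (grey cloud). Requests to those
    names reach the origin directly and skip WAF and DDoS protection. Record
    types that cannot be proxied (MX, TXT, ...) are ignored."""
    return [
        f"{r['type']} {r['name']} -> {r['content']}"
        for r in dns_records
        if r.get("type") in ("A", "AAAA", "CNAME") and not r.get("proxied", False)
    ]


# Constructed sample shaped like the API's 'result' array: the unproxied
# origin.example.com record points at the same IP as the proxied site.
SAMPLE_DNS = [
    {"type": "A", "name": "www.example.com", "content": "203.0.113.10", "proxied": True},
    {"type": "A", "name": "origin.example.com", "content": "203.0.113.10", "proxied": False},
    {"type": "MX", "name": "example.com", "content": "mail.example.com", "proxied": False},
]

if __name__ == "__main__":
    print(json.dumps({"rules": [waf_attack_score_rule()]}, indent=2))
    print(json.dumps({"rules": [rate_limit_rule()]}, indent=2))
    print("Unproxied records exposing the origin:", unproxied_records(SAMPLE_DNS))
    zone, token = os.environ.get("CF_ZONE_ID"), os.environ.get("CF_API_TOKEN")
    if zone and token:  # only push when credentials are supplied
        deploy(zone, PHASE_CUSTOM_WAF, [waf_attack_score_rule()], token)
        deploy(zone, PHASE_RATE_LIMIT, [rate_limit_rule()], token)
```

Run it without `CF_ZONE_ID`/`CF_API_TOKEN` set to see the payloads and the exposure check without touching the zone. When you do push, remember that the phase entrypoint PUT replaces the whole rule list for that phase, and that the rate limit only counts requests that reach Cloudflare: a grey-clouded record like `origin.example.com` above lets an attacker drive CPU on the origin without any rule ever firing.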

Thanks @hollynghiem

