I would like to know if it's possible to rate limit connections based on session cookies. I know I can explicitly add a rate limit if I already know the session ID I would like limited, but the attackers change that value regularly, and I am hoping that detection of the session cookie value can be automated on Cloudflare's side instead of my having to detect it on my side and use the Cloudflare API to update the rate limit rule.
We use session cookies to track who is logged in etc. The DDoS attacks that we are experiencing are using that against us by randomly coming up with dozens of session values and then using each of them millions of times in a short amount of time (minutes). This effectively consumes all our DB connections, because each session is stored in one row in a DB table that has row-level locking, and since each session is being used in hundreds of thousands of hits, the session DB has to write to that session row serially.
What I want to accomplish:
Ideally there would be a way for me to say that my session cookie name is "session" and, if the same session value (a UUID) is used by more than X (say 20) IPs within the same minute, all IPs that try to use that session value will be blocked for an hour.
I can detect the session values on my side and interface with the Cloudflare API to create rules on the fly, but I was hoping this feature might already exist; I cannot find it, though. I am very confident that, if it does not exist, this would be a very useful new feature for blocking this kind of DDoS attack (it must be common).
EDIT: This is where I see how to block based on a known cookie value, but I need it to be automated.
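As an added example (not the poster's code, and not a description of any existing Cloudflare feature), here is the detection side of the rule described above written in Python: count the distinct client IPs that present each "session" cookie value within a one-minute bucket, flag any value seen from more than X (20) IPs, and build the kind of block expression that would then be pushed to the edge by API. Everything outside the post's own description is an assumption: the log line format (`<unix_ts> <client_ip> "<Cookie header>"`), the sample log lines (constructed, with RFC 5737 test addresses), and the `http.cookie contains "session=<value>"` rule expression, which is only an illustration of what the automated step would generate.

```python
"""Added example: flag session cookie values shared by too many client IPs.

Not the poster's code. Assumed log format (one request per line):
    <unix_ts> <client_ip> "<Cookie header>"
Threshold X = 20 distinct IPs, window = 60 s, as in the post.
"""
from collections import defaultdict
from http.cookies import SimpleCookie
from typing import Dict, Iterable, List, Optional, Tuple
import random

COOKIE_NAME = "session"
MAX_IPS_PER_SESSION = 20   # "X (say 20)" from the post
WINDOW_SECONDS = 60        # "within the same minute"
BLOCK_SECONDS = 3600       # "blocked for an hour" (assumed to be applied elsewhere)


def session_value(cookie_header: str) -> Optional[str]:
    """Return the value of the session cookie from a raw Cookie header, or None."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except Exception:          # malformed cookie header: treat as "no session"
        return None
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel else None


def parse_line(line: str) -> Optional[Tuple[int, str, str]]:
    """Parse one assumed-format log line into (timestamp, ip, session_value)."""
    try:
        ts_str, ip, rest = line.split(" ", 2)
        ts = int(ts_str)
    except ValueError:
        return None
    sess = session_value(rest.strip().strip('"'))
    return (ts, ip, sess) if sess else None


def find_abusive_sessions(lines: Iterable[str],
                          max_ips: int = MAX_IPS_PER_SESSION,
                          window: int = WINDOW_SECONDS) -> Dict[str, Tuple[int, int]]:
    """Map session value -> (window_start, distinct_ip_count) for every session
    presented by MORE THAN max_ips distinct IPs inside one fixed window.

    Fixed buckets (ts // window) are simple and cheap; a burst straddling a
    bucket boundary can slip under the threshold, see the SPREAD session below.
    """
    ips_by_bucket: Dict[Tuple[str, int], set] = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, ip, sess = parsed
            ips_by_bucket[(sess, ts // window)].add(ip)
    flagged: Dict[str, Tuple[int, int]] = {}
    for (sess, bucket), ips in ips_by_bucket.items():
        if len(ips) > max_ips and len(ips) > flagged.get(sess, (0, 0))[1]:
            flagged[sess] = (bucket * window, len(ips))
    return flagged


def block_expression(session_values: Iterable[str]) -> str:
    """Assumed shape of a Cloudflare rule expression matching the flagged cookies."""
    return " or ".join(f'http.cookie contains "{COOKIE_NAME}={v}"'
                       for v in sorted(session_values))


# Constructed sample data: one legit user, one attack session, two edge cases.
BASE_TS = 1_700_000_040    # divisible by 60, so it starts a bucket
LEGIT = "11111111-1111-4111-8111-111111111111"       # 1 IP, many hits
ABUSIVE = "22222222-2222-4222-8222-222222222222"     # 45 IPs in one minute
BORDERLINE = "33333333-3333-4333-8333-333333333333"  # exactly 20 IPs: not "more than"
SPREAD = "44444444-4444-4444-8444-444444444444"      # 30 IPs split 15/15 over two minutes


def build_sample_log() -> List[str]:
    rng = random.Random(7)
    lines: List[str] = []

    def add(ts: int, ip: str, sess: str) -> None:
        lines.append(f'{ts} {ip} "{COOKIE_NAME}={sess}; theme=dark"')

    for _ in range(200):
        add(BASE_TS + rng.randrange(60), "198.51.100.10", LEGIT)
    for n in range(45):
        for _ in range(50):
            add(BASE_TS + rng.randrange(60), f"203.0.113.{n + 1}", ABUSIVE)
    for n in range(20):
        add(BASE_TS + rng.randrange(60), f"192.0.2.{n + 1}", BORDERLINE)
    for n in range(30):
        minute = 0 if n < 15 else 60
        add(BASE_TS + minute + rng.randrange(60), f"203.0.113.{100 + n}", SPREAD)
    lines.append(f'{BASE_TS} 198.51.100.11 "theme=dark"')   # no session cookie: ignored
    rng.shuffle(lines)
    return lines


if __name__ == "__main__":
    hits = find_abusive_sessions(build_sample_log())
    for sess, (start, count) in hits.items():
        print(f"block {sess}: {count} IPs in minute starting {start}, for {BLOCK_SECONDS}s")
    print(block_expression(hits))
```

The SPREAD session shows why "within the same minute" matters: 30 distinct IPs is well over X, but with fixed one-minute buckets each half stays under the threshold, so a production implementation would either use a sliding window or count per IP-per-session hits as well.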