Automatic setting for "Under Attack Mode"

Hey there,

I apologize in advance if this has been mentioned already but I couldn’t find anything.

I think it would be of great use to have an automatic setting for the “Under Attack Mode”. Said setting would be equal to “I’m under attack!” when the site actually is under attack and automatically change to represent “Essentially off” / “Off” when it isn’t.

Looking forward to hearing your feedback,
Simon

And what specifically would trigger the Under Attack mode?

Isn’t this essentially just the rate limit function? It starts blocking requests after a certain number from an IP address. Not sure how else you’d automatically block requests if you’re getting DDoSed, other than having a function where it automatically switches on ‘under attack’ mode on the rate limit.

I don’t really use Cloudflare’s rate limiting (or security, for that matter, I have my own server-side protection, I just use it for caching) but it’s not really clear how it would be triggered.

That’s something I would definitely leave to people much more technologically fluent than I am.

However, I suppose artificial intelligence would play a key role in this task. The past data of the user’s account would be analyzed, and in the case of abnormalities (firewall activity, requesting countries, total requests, etc.), the setting would be turned on. Once the threat is gone it would automatically turn off. With the user being able to supervise the ML model and correct it in case of false positives/negatives, I can see it gaining great accuracy in no time.

I’ve just briefly explained a possible triggering mechanism in my reply above.

The rate limit setting is incomparable to what I am suggesting. Assuming a large enough pool of unique connections, you can still suffer DDoS damages when using the rate limit feature.

On the other hand, if a DDoS attack is stopped in its tracks and detected by the system, the damage could be limited and possibly non-existent.

I like your thinking and you have a good point. Artificial intelligence seems like it could have great potential in this situation, but I don’t see something like this being rolled out until a few years’ time. Obviously, developing something like that is very complicated.

Additionally, I doubt it would be available for free tier users.

1 Like

ML is going to have a real hard time differentiating between a Good abnormality, and a Bad one. If your site gets slashdotted, or some other viral exposure, you sure don’t want all that traffic hitting the challenge wall unnecessarily.

I do like the premise of a Waiting Room where you can set some sort of threshold of traffic where excessive traffic gets penned until existing traffic exits.

1 Like

ML is usually very CPU-intensive and there are alternative “cheaper” data streaming algorithms that can be used with similar levels of success in identifying attacks.
Ideally, IMO, I’d want to get rid of Under Attack mode entirely. It is a blunt tool that impacts user experience. I hope that in the upcoming months we’ll be able to provide more tools in the dashboard to configure and fine-tune automatic DDoS protection.
All UAM does is issue a challenge for every user, so you could definitely create a rate-limiting rule with similar logic.

2 Likes
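
Added illustration, not written by any poster in this thread and not Cloudflare's implementation: a constant-memory streaming detector of the "cheaper than ML" kind mentioned above, which flags a request-rate spike against an exponentially weighted baseline and only switches the challenge mode off after several calm samples. All names, thresholds and the traffic sample are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class AutoChallengeToggle:
    """Hypothetical detector: O(1) memory and time per sample, no trained model."""
    alpha: float = 0.1       # EWMA smoothing factor (assumed value)
    trigger_z: float = 4.0   # deviations above baseline that switch the mode on
    calm_needed: int = 5     # consecutive normal samples required to switch off
    warmup: int = 10         # samples used to learn a baseline before alerting
    mean: float = 0.0
    var: float = 0.0
    seen: int = 0
    calm: int = 0
    under_attack: bool = False

    def observe(self, requests_per_sec: float) -> bool:
        """Feed one per-second request count; return the resulting mode."""
        self.seen += 1
        if self.seen == 1:
            self.mean = requests_per_sec
            return self.under_attack
        std = max(self.var ** 0.5, 1.0)  # floor avoids dividing by ~0 on flat traffic
        z = (requests_per_sec - self.mean) / std
        anomalous = self.seen > self.warmup and z > self.trigger_z
        if anomalous:
            self.under_attack = True
            self.calm = 0
        elif self.under_attack:
            # Hysteresis: one quiet second is not enough to drop the challenge.
            self.calm += 1
            if self.calm >= self.calm_needed:
                self.under_attack = False
        if not anomalous and not self.under_attack:
            # Learn the baseline only from traffic treated as normal, so a
            # flood cannot raise its own threshold.
            diff = requests_per_sec - self.mean
            self.mean += self.alpha * diff
            self.var = (1 - self.alpha) * (self.var + self.alpha * diff * diff)
        return self.under_attack


def run(samples):
    """Replay a list of per-second counts and return the mode after each one."""
    detector = AutoChallengeToggle()
    return [detector.observe(s) for s in samples]


# Constructed sample: steady traffic, a three-second flood, then recovery.
SAMPLE = [100, 104, 98, 101, 97, 103, 99, 102, 100, 96, 101, 99,
          2500, 2600, 2400, 100, 102, 98, 101, 99, 100]
```

A detector like this keys on volume alone, so it cannot tell a flood from the sudden legitimate popularity raised earlier in the thread.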

My dream is to have logs of suspicious, but allowed traffic, and then pick a datapoint to filter out that kind of traffic. If one is under attack, I’d expect a ~1-second snapshot of traffic would provide quite a bit of data and not be so CPU intensive.

1 Like

Cloudflare’s new waiting room feature effectively does this.

As does Bot Management.

and bot fight mode

More 🛠️s in the 🧰 coming soon.

2 Likes

Theoretically, won’t bots abandon Waiting Room pretty quickly, thus allowing legitimate users virtually no wait time to get into a site that’s under attack?

It depends? One large consumer (prior to teh Covids) of this type of functionality was concert / venue promoters to deal with ticket scalping tools. The scalpers may still ‘win’ more than consumers might like, but they are less likely to overwhelm a promoter’s website in the process.

No single magic bullet to bots for better or worse. One could probably create much more effective bot blocking tools, but like captcha they’d have an impact on real users. Disclaimer: I have no idea what I’m talking about really… not a data scientist by any stretch 😃

1 Like