Normally DDOS attacks for me come from specific ASNs that are mostly proxies/servers, but I have recently been seeing normal ISPs world-wide take a whack at my setup. When I reference the ASNs and check things out, most are normal ISPs. Many of these attacks are coming from the eastern part of the globe.
I would like to stop them so I’m not forced to load-balance so early; these attacks are insane. I can’t block every ASN on the planet, especially those that are true ISPs.
Attacks are literally 3-6K unique IPs trying to hit a few million requests a minute; it’d not be cost-effective to add more servers to swallow that.
Would Cloudflare Pro help, or what should I do? This service is working epic, but these attackers keep trying harder and harder. Maybe CF can check my account and see what took place and how to stop it.
I’ll add that server usage is generally 1-5% CPU (single core), it sucks when I go from regular usage to let’s be discord all in a second… lol
Also, Cloudflare did block me from their site during my DDOS episodes when I wanted to update my WAF. So I don’t know if Cloudflare is getting massively hit or what, but I was blocked from the website for several minutes when things were going south.
Ensure you’re restoring original visitor IPs to see the true source of the traffic.
Set up rate limiting rules to automatically block or challenge suspicious traffic.
Create custom firewall rules to challenge or block traffic from regions that are contributing to the attack.
Consider using Cloudflare’s “I’m Under Attack” mode if the attack is severe.
How to do each of the above is outlined in the post above. If the attack is bad, turn on Under Attack mode immediately.
Then, dig into the logs to figure out where the attacks are coming from. Rate limit them, block them using rules. This post gives the same advice and has links to the dash (that will work for everyone) pointing you to where to see the logs, what to look for and where to block them: “My website in under DDos attack”.
I’m doing all of that @cloonan, so I’d like to know what my next best route is. I’m managing the best I can; I laugh at most DDOS attacks, but I’m experiencing some insane stuff where it’s too unique to determine. I won’t lie, I’m blocking so many hosts sending attacks that I’m nearly at my limit. Pro would help, but I don’t know if it’ll stop the attacks I can’t stop on high alert and my WAF settings with many ASNs…
Under Attack Mode (though I’m set to High already): when that mode is on it does nothing; they all manage the challenge. This is some nasty bot work. I have to block hundreds of ASNs and IP ranges because they are malicious like that.
I’m not a huge site, so I wonder if Pro will help against these extreme-style attacks. I’m also unsure why Cloudflare had thrown me a block when I was under these attacks; I literally received 25+ “DDoS attack detected” messages via email from 4:48PM all the way up to 6:20PM. I can only do so much; I block one entire network and it’s the next. I can’t keep blocking users, being a new site. This kind of sucks, however, because I can’t properly do anything, it seems, once it’s all figured out.
Can anyone confirm if Pro would help out more? I wonder because I can run more servers for the front end or go Pro and eventually get more servers. What’s best? I’d love to know from someone who can see my firewall and determine the best action.
Hi @cos, the Pro plan will give you a bit more security features (Super Bot Fight Mode, more rules, a bit more granular WAF control). It may be worth enabling it for a month to see if Super Bot Fight Mode and the managed rules help to mitigate the attack.
I did not dig into the attack data or current rules, but before you upgrade for one month to try Pro, you could enable Bot Fight Mode.
There is also a rate limiting rule and other WAF tools that you could try with the existing plan.
I was able to respond fast enough, but it was damn near stressing, like, what is this!? Could Cloudflare get behind this and maybe improve the “anti DDOS ruleset”? This is absolutely too wild and a site destroyer.
Wow! Those are some sky-rocket high numbers from the last screenshot.
Wonder what kind of interest it is, or rather some forum, app, crypto stuff?
From the screenshot, the last few IPs are from the known ASNs from which bad traffic also comes. If you host things over there, then block the ASN and allow only your server IP, if so, via the Access Rules.
Nevertheless, some helpful Firewall tutorials here:
To be honest, it’s just a many-to-many conferencing video/audio broadcasting platform for people all over; it’s a hobby project, nothing sketch haha. Normally seeing about 3.2K-4K unique users a day on this, about 1,000-2,000 requests each over time.
Yeah, I’m doing invalid methods to links, bad ASNs, bad IP ranges, and tons more to ensure it’s legitimate traffic. It wasn’t easy, but seeing those who hit above 2K entries in 30 minutes was a good start. haha.
I’ll peek around for information, but this DDOS wasn’t a joke; this was absolutely messy, too many IPs, so many differing ASNs from phone/internet/TV companies to all sorts that prove legit… not cool lol.
I also suffer from massive DDoS attacks on a regular basis that can pass the challenges. One thing that has helped a lot is setting a 10-second blocking rate limit for IPs that exceed an amount of requests much higher than any normal user possibly could.
Oh, I went insane with the block, rate limit, ASN (proxy/host) block, IP-specific and range blocks on confirmed attacks. Just had to upgrade to Pro for more rule-sets. Rate limiting was able to help with much of the attacks; for instance, yes, a 10-second check for maybe 50-100 requests and block for 1 minute is the most reasonable response, and through the filter, determining who’s most legit. So in 30 minutes no user should have over 1,000 requests in normal use, and I went ahead and blocked appropriately.
The biggest leading factor in my blocks is that no proxy/host can be used, so if a service sells servers or anything of the sort, it is blocked upon detection.
Fortunately, in my case the attacker used all their resources in the first few attacks, allowing me to filter/block so each round became much smaller; catching the attack within 30 minutes to several hours allowed me to check the many connection requests and easily break it down in the course of a few days.
I’m still attacked daily with email reminders of such but 50K RPS+ attacks are all mostly blocked.
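As an added illustration (not code from this thread, from Cloudflare, or from any poster), the following Python script shows the two defensive steps the replies describe: restoring the original visitor IP behind the proxy (the header naming the real client is trusted only when the TCP peer is a known edge address, since anyone else can forge it), and the per-IP thresholds discussed above: a 10-second window of up to 100 requests followed by a 1-minute block, plus a 30-minute window of up to 1,000 requests used to flag abusers. The edge range, the log format, the header name used as a stand-in for the proxy's client-IP header, and all log lines are constructed for the example.

```python
"""Added example: restore the real client IP and apply per-IP rate limits.

Not part of the forum thread; the edge range, log format and thresholds
are constructed assumptions used only to demonstrate the technique.
"""
import ipaddress
from collections import defaultdict, deque

# Constructed placeholder (RFC 5737 documentation range).  In a real
# deployment this list is the proxy provider's published edge ranges.
TRUSTED_EDGE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def restore_client_ip(peer_ip, cf_connecting_ip):
    """Return the real visitor IP: the header value if the TCP peer is a
    trusted edge, otherwise the peer itself (the header is spoofable)."""
    peer = ipaddress.ip_address(peer_ip)
    if cf_connecting_ip and any(peer in net for net in TRUSTED_EDGE_RANGES):
        return str(ipaddress.ip_address(cf_connecting_ip))
    return str(peer)


def parse_log_line(line):
    """Constructed format: '<unix_ts> <peer_ip> <client_ip_header|-> <method> <path>'."""
    ts, peer, cfip, method, path = line.split()
    client = restore_client_ip(peer, None if cfip == "-" else cfip)
    return float(ts), client, method, path


class RateLimiter:
    """Sliding-window per-IP limiter with a timed block, plus a long-window flag."""

    def __init__(self, short_window=10.0, short_limit=100, block_seconds=60.0,
                 long_window=1800.0, long_limit=1000):
        self.short_window, self.short_limit = short_window, short_limit
        self.block_seconds = block_seconds
        self.long_window, self.long_limit = long_window, long_limit
        self.short = defaultdict(deque)   # ip -> request timestamps in short window
        self.long = defaultdict(deque)    # ip -> request timestamps in long window
        self.blocked_until = {}           # ip -> timestamp when the block ends
        self.flagged = set()              # ips that exceeded the long window

    @staticmethod
    def _expire(window, ts, span):
        while window and ts - window[0] >= span:
            window.popleft()

    def check(self, ip, ts):
        """Return 'blocked', 'rate_limited' or 'allow' for one request."""
        if ts < self.blocked_until.get(ip, 0.0):
            return "blocked"          # inside the timed block; not counted
        short, long_ = self.short[ip], self.long[ip]
        self._expire(short, ts, self.short_window)
        self._expire(long_, ts, self.long_window)
        short.append(ts)
        long_.append(ts)
        if len(long_) > self.long_limit:
            self.flagged.add(ip)      # far above what a normal user sends
        if len(short) > self.short_limit:
            self.blocked_until[ip] = ts + self.block_seconds
            short.clear()             # the window restarts after the block
            return "rate_limited"
        return "allow"


def analyze(lines, limiter=None):
    """Replay log lines in order; return ({ip: {decision: count}}, limiter)."""
    limiter = limiter or RateLimiter()
    summary = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, ip, _method, _path = parse_log_line(line)
        summary[ip][limiter.check(ip, ts)] += 1
    return {ip: dict(d) for ip, d in summary.items()}, limiter


def constructed_log():
    """Synthetic log: a normal visitor, a flood, and a header-spoof attempt."""
    lines = []
    # normal visitor via the edge: 20 requests over 10 s
    for i in range(20):
        lines.append(f"{1000 + i * 0.5:.1f} 203.0.113.7 198.51.100.10 GET /room/1")
    # flood via the edge: 150 requests in 5 s, then one more 70 s later
    for i in range(150):
        lines.append(f"{1000 + i / 30:.3f} 203.0.113.8 198.51.100.99 GET /api/join")
    lines.append("1075.000 203.0.113.8 198.51.100.99 GET /api/join")
    # peer is not an edge address, so its client-IP header must be ignored
    lines.append("1001.000 192.0.2.5 198.51.100.10 GET /")
    lines.sort(key=lambda l: float(l.split()[0]))
    return lines


if __name__ == "__main__":
    decisions, lim = analyze(constructed_log())
    for ip, counts in decisions.items():
        print(ip, counts, "flagged" if ip in lim.flagged else "")
```

Replaying the constructed log, the normal visitor is allowed throughout, the flood gets its first 100 requests through, is rate-limited on the 101st, has the remaining 49 dropped while the 60-second block lasts, and is allowed again once it lapses; the spoofed line is attributed to the untrusted peer rather than the IP it claimed. The long window catches a slow drip that never trips the 10-second rule but still exceeds 1,000 requests in 30 minutes.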