Block GET requests with cache-buster query string?

There is a DOS attack from multiple IPs that are requesting the home page - plus a 20 char random query string to bypass the cache.

Is there any way to block this on the free plan? I wish I could use “cache everything” and “ignore query string” together. Or can I block with a firewall rule, matching any 20 char query string?

Examples of the attack - from many IPs / random user agents:

GET /?l7kS4RA0ezrOVbxGz08j
GET /?xwqXFLXgDQYPZqEOH70h
GET /?grow5UHgZHexxyZMDJ5J

Thanks!

How about a firewall rule for path = / and http.request.uri.query does not equal supersecretstring, then block? I’m on mobile and can’t experiment, but this should get you close.

That’s actually a really clever idea!

However … it would block some legit requests, such as clicks from Google Ads that ad ?gclid=xxxx.

Page rules appear to have * as a wildcard, but I really want something like regex, or just matching query strings of exactly 20 chars…

Without a higher tier plan, you’ll have to manually map out your rules, so you can exclude gclid from a query string test.

So I just solved it on my server with:

if (strlen($queryString)==20 && strpos($queryString,"=")===false) {    
    $arr = array("https://www.fbi.gov/investigate/cyber","https://www.ic3.gov","http://www.fsb.ru/","https://www.efccnigeria.org","https://mvs.gov.ua/en/");
    $k = array_rand($arr);
    header("Location: " . $arr[$k]);
    exit;
}

This detects any 20 char query string without an equal sign (my app only uses k=v params) and 302 'em to the FBI, FSB (what the KGB became), Interpol, etc. Heh.

Now they are just fetching the home page without a query string and now Cloudflare is caching everything, so no load on my server!

(The only bad thing is now my analytics are hosed - the ‘unique users last 24 hours’ was a very important business metric for me, now I need to start using Google Analytics or something else instead. Unless there is some other solution to block such bots from the Analytics report?)

I have since blocked “Country=Tor” but you can see thats only 90% of 'em:

Analytics dashboard … once very useful and I checked every day … now useless …

1 Like