Booters have a way to bypass Protection

Hello,

I just found that visitors can bypass: I am under attack, WAF Challenge, or any other security rule I can set.

Who knows how to fix this?


I have to admit that I didn’t check all individual IP addresses from your screenshot; however:

Are countries like Bulgaria, Colombia, Honduras and Kazakhstan relevant for your website?

If not, you could try setting up some WAF rules that only allow certain country codes (or certain continent codes) into your site.

Are you still running with the exact same IP address on your server, as you were back before you ran your website over Cloudflare?

If so, there is a chance that the attackers have your IP address already, and therefore are able to bypass Cloudflare security settings, by attacking your server directly.

If the above country/continent code filtering isn’t helping either, and you still see attack traffic appearing from countries that are blocked (or not allowed), I would lean towards the conclusion that your server’s IP address may have leaked somehow, and that the attacker is therefore able to send the attack traffic directly.

I just found that visitors can bypass: I am under attack

This is expected when the attackers can afford to use JS emulators or browsers to solve/pass the challenge.
There is nothing you can do other than setting up firewall rules to block (not challenge) the attack and rate limiting rules.

If the attack persists and your firewall rules don’t have any effect, do let us know and maybe we can provide some rules to help mitigate the attack.

What plan are you on? Can you share your WAF analytics?

Also – are you restoring original visitor IPs in your server logs? If not, then the attack is hitting your IP address directly, bypassing Cloudflare. You can stop this by only allowing connections from Cloudflare IP ranges to your web server ports.


Yes, I restore visitors’ IPs and I have a Pro plan.
Also, I do block those countries and they are still able to connect, so it looks like Cloudflare is still bypassed then.





As you see, a lot of Finland:

They could still be hitting your server directly by IP address. Your best bet would be to block connections to ports 80 and 443 except traffic from Cloudflare addresses. Then, if these connections are bypassing Cloudflare, they will stop.
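The check suggested above can be confirmed from logs before touching the firewall. This is an added example, not code from any poster in this thread: it flags requests whose TCP peer is outside Cloudflare's IPv4 ranges, meaning they reached the origin directly. The `peer=`/`client=`/`path=` log layout is an assumed custom format (on nginx with real-IP restoration, `$realip_remote_addr` gives the peer), the sample lines are constructed, and the range list is a hardcoded copy that should be refreshed from https://www.cloudflare.com/ips/.

```python
import ipaddress

# Hardcoded copy of Cloudflare's published IPv4 ranges (assumed current;
# refresh from https://www.cloudflare.com/ips/). IPv6 ranges are omitted,
# so IPv6 peers are reported as direct until those ranges are added.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22",
    "103.31.4.0/22", "141.101.64.0/18", "108.162.192.0/18",
    "190.93.240.0/20", "188.114.96.0/20", "197.234.240.0/22",
    "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def via_cloudflare(peer: str) -> bool:
    """True if the TCP peer address belongs to a Cloudflare edge range."""
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in CLOUDFLARE_V4)


def direct_hits(log_lines):
    """Return (peer, path) for every request that did not come via Cloudflare."""
    hits = []
    for line in log_lines:
        # Hypothetical log format: space-separated key=value fields.
        fields = dict(f.split("=", 1) for f in line.split())
        if not via_cloudflare(fields["peer"]):
            hits.append((fields["peer"], fields["path"]))
    return hits


# Constructed sample: peer is the socket address, client is the restored
# visitor IP. On a direct hit the two are identical.
SAMPLE_LOG = [
    "peer=172.68.10.5 client=203.0.113.7 path=/",
    "peer=198.51.100.23 client=198.51.100.23 path=/",
    "peer=104.16.1.9 client=192.0.2.44 path=/login",
    "peer=203.0.113.99 client=203.0.113.99 path=/",
]

if __name__ == "__main__":
    for peer, path in direct_hits(SAMPLE_LOG):
        print(f"direct-to-origin request from {peer} for {path}")
```

If this reports nothing while blocked countries still show up in the restored client IPs, the traffic is passing through Cloudflare and the rules themselves need review rather than the origin firewall.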

I already only allowed CF, but I have fixed it with a WAF rule:

(ip.geoip.country not in {"NL" "BE"} and http.request.uri eq "/*") and then interactive challenge

6000 total requests over 24 hours from one country doesn’t sound like a huge amount. What was the attack rate in requests per second?
