Cloudflare and forum software e.g. phpBB

I run a phpBB forum and I’m getting constantly throttled by my host because of CPU spikes caused by bad bots trying to scrape the forum, register, reply to topics, etc.

These are not DDoS attacks; we are talking like 6000 hits in a single day, whereas an actual attack will do this in literally a few seconds. But it’s enough to trigger throttling from the host (HawkHost) for CPU abuse.

If I get into Under Attack mode (IUA), this stops the problem, BUT visitors on mobile phones / smartphones are presented with a hCaptcha that takes up to a minute to complete, is unclear on the small screens, uses poor quality images, has terrible ergonomics (if you zoom in to see what the f is going on, you end up selecting all the photos). It’s just not workable.

So I cannot use IUA mode unless I want to lose all my traffic.

Meanwhile, bad bots are becoming almost impossible to identify… see for instance an article called “Nearly 1/3 of bad bots are now using residential IPs”.

Bad bots are using millions of constantly changing IPs from all countries; they lie about the User-Agent, simulate browsers and normal users, etc. They are very difficult or impossible to spot, so you now have to use reputational databases like the one Cloudflare uses on its paid plans, and that’s an option that I cannot afford (the site does not have the revenue).

So because bad bots are so hard to identify, all of CF’s other tools and rules don’t work.

CF’s high security level in firewall settings is useless.

Stuck. Is this the death of online forums?

Are you sure that these requests are coming through Cloudflare? Have you set your host up to only allow requests from Cloudflare?

Pretty much. My site IP is not visible.

Analyzing my raw access logs, I can see that many of the bad bot accesses are to the “register” and “login” pages. I have now set up a page rule that uses IUA mode on just those functions. The rest of the site is now at medium firewall security. Will report back.

I can live with just those areas being hard to access for legit users. Not happy with the captcha … but beggars can’t be choosers!
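A small log-triage script, added here as an illustration and not posted by anyone in the thread, that does what the follow-up above describes: it parses cPanel-style raw access logs and counts hits on phpBB’s register, login and posting endpoints per hour and per client IP, so you can see which paths are drawing the load before deciding what to put behind a challenge. The combined log format, the ucp.php/posting.php paths and the sample lines are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache "combined" format, as found in cPanel raw access logs (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# phpBB endpoints the thread singles out: register/login under ucp.php, replies via posting.php.
SENSITIVE = [
    ("register", re.compile(r"^/ucp\.php\?mode=register")),
    ("login", re.compile(r"^/ucp\.php\?mode=login")),
    ("posting", re.compile(r"^/posting\.php")),
]

def classify(path):
    return next((name for name, rx in SENSITIVE if rx.match(path)), "other")

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed line: skip it rather than abort on a real log
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["kind"] = classify(rec["path"])
    return rec

def summarize(lines):
    by_kind, by_hour, ips = Counter(), Counter(), defaultdict(Counter)
    for rec in filter(None, map(parse_line, lines)):
        by_kind[rec["kind"]] += 1
        if rec["kind"] != "other":  # only sensitive endpoints feed the hourly and per-IP views
            by_hour[rec["ts"].strftime("%Y-%m-%d %H:00")] += 1
            ips[rec["kind"]][rec["ip"]] += 1
    return by_kind, by_hour, ips

# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2023:03:14:02 +0000] "GET /ucp.php?mode=register HTTP/1.1" 200 8412 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2023:03:14:05 +0000] "POST /ucp.php?mode=register HTTP/1.1" 200 8300 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/May/2023:03:15:40 +0000] "POST /ucp.php?mode=login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2023:03:16:00 +0000] "POST /posting.php?mode=reply&t=42 HTTP/1.1" 200 6000 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/May/2023:09:02:11 +0000] "GET /viewtopic.php?t=42 HTTP/1.1" 200 19044 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    kinds, hours, ips = summarize(SAMPLE_LOG)
    print(dict(kinds), dict(hours), {k: c.most_common(2) for k, c in ips.items()})
```

Run it against the real raw log (`summarize(open("access-log"))`) and the hourly counter shows which hours and which paths line up with the host’s CPU alerts.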


