Cloudflare DDoS-Protection not working for me

Hello,

I’ve been under attack for a few days. I used Cloudflare Analytics to analyze the attacks. 99% of the malicious traffic seems to come from China, India and the Russian Federation. As a result, I created a Firewall rule which blocks traffic from these three countries. In addition, I’m using “Under Attack” mode to challenge everyone.

The firewall works as seen below.


They seem to be attacks at the web-application level, because my Apache server is not responding anymore, but my server is up. Thus I also enabled Rate Limiting.

However, my webserver keeps going offline… It seems Cloudflare does not block all traffic from these countries. Is the firewall too weak, or do I need to upgrade to Pro/Business for better protection? Can anyone help me block these attacks?

Thank you.

Well, are these requests still from these countries? Have you absolutely ruled out that they bypass Cloudflare and send requests directly to your server?
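One way to check the bypass question from the origin's own access log, as an added example that is not part of the original thread. It assumes Apache's "combined" log format with `%h` recording the connecting peer (no mod_remoteip rewriting) and an IPv4-only origin; the function names and the sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# Refresh it before use; IPv6 ranges are left out to keep the example short.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22")]

# Apache "combined": peer ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')

def via_cloudflare(peer):
    """True if the connecting address lies inside a Cloudflare edge range."""
    ip = ipaddress.ip_address(peer)  # raises ValueError if %h logged a hostname
    return ip.version == 4 and any(ip in net for net in CLOUDFLARE_V4)

def summarize(lines):
    """Count proxied requests and profile the ones that hit the origin directly."""
    result = {"proxied": 0, "unparsed": 0,
              "direct_peers": Counter(), "direct_agents": Counter()}
    for line in lines:
        m = LINE_RE.match(line)
        try:
            if m is None:
                raise ValueError("not a combined-format line")
            peer, agent = m.groups()
            if via_cloudflare(peer):
                result["proxied"] += 1
            else:  # peer is not a Cloudflare edge: the request bypassed the proxy
                result["direct_peers"][peer] += 1
                result["direct_agents"][agent] += 1
        except ValueError:
            result["unparsed"] += 1
    return result

# Constructed sample; documentation-range addresses stand in for direct clients.
SAMPLE = [
    '172.68.10.5 - - [01/Jan/2020:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2020:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Googlebot/2.1"',
    '162.158.90.12 - - [01/Jan/2020:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [01/Jan/2020:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2020:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Googlebot/2.1"',
    'truncated or malformed line',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Any non-zero `direct_peers` count means traffic is reaching the server without passing through Cloudflare, in which case restricting the origin's firewall to the Cloudflare ranges is the fix rather than more edge rules.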

> Have you absolutely ruled out that they bypass Cloudflare and send requests directly to your server?

Yes, for sure. My real server IP is not mentioned anywhere.

> Well, are these requests still from these countries?

Okay, after checking again, you are right. The attacks are coming from all over the world. It’s a huge botnet attack. How do I handle such situations?

What’s the domain?

Do these requests have anything in common? Can you post a log excerpt? If even IUA did not stop them, that would suggest they either run a full-fledged JavaScript environment or one of those IUA crackers.

> What’s the domain?

Please understand that I do not want to reveal that.

> Do these requests have anything in common? Can you post a log excerpt?

Here are two excerpts of the Cloudflare Firewall Log. It seems they sometimes use fake User-Agents like GoogleBot, Yahoo, MSN and so on. I can’t block these, because it would block the real Google crawler as well, I guess? And in 95% of the cases, they are simple GET requests with inconspicuous user agents. Path and Query String are always empty.

> If even IUA did not stop them, that would suggest they either run a full-fledged JavaScript environment or one of those IUA crackers.

Yeah, I think so. However, when I turn on Under-Attack mode, it sometimes seems to work… but not that effectively. It’s a 50% 50% chance of getting a “Connection timed out” error or the page taking at least 30 seconds to show up…

That seems to be mostly Asian countries plus the Ukraine, Russia, and Brazil. Assuming your main audience is not from there you could impose a captcha challenge for all these countries. This might reduce the number of requests hitting your server as well.

Yes, that’s a good idea, thanks. I have now created a captcha challenge rule for all countries except those my main audience is coming from. I hope this helps. I’ll keep you updated once I see the results.
