Cloudflare IP Firewall Limitations?

firewall
api

#1

For Cloudflare IP Firewall Access Rules, are there any limits on the number of Firewall Access Rules per site zone or globally within a Cloudflare account? Are there any limits on the Cloudflare API, i.e. rate of usage?

I ask because if you use the Cloudflare IP Firewall via the API for setups like fail2ban usage (Integrating fail2ban with Cloudflare API v4 instead of default v1), there could potentially be 1000s of fail2ban-banned IPs being added to the Cloudflare IP Firewall via the Cloudflare API.

thanks

George


#2

Good question. Currently here are the limits we provide for the various plan levels: https://support.cloudflare.com/hc/en-us/articles/200434798-How-many-IPs-can-I-add-to-rules-in-the-IP-Firewall-

So in the case of fail2ban automation for a single free site, it might make sense to have a shorter ban period.

We certainly welcome feedback from customers and partners on those limits and on other strategies we might consider for allowing customers to tweak access.

We do have a few new features coming which I think will help in thwarting bad actors, but they haven’t been publicly announced yet, so you’ll have to stay tuned. :slight_smile:


#3

thanks @cscharff

Hmm, though the limits seem kind of low for very active fail2ban usage :frowning:

I’ve fended off a small 1.5Gbps DDoS attack from WordPress pingbacks from 10k sites (~10k IP addresses) on a regular non-DDoS-protected KVM VPS server with CSF Firewall/ipset and bad bot/user agent blocking/rate limiting. The VPS handled it at 50% utilisation; the web host just found it unacceptable, heh.

DDoS attacks are on the rise, especially at Layer 7, so I’m not sure how useful such small Cloudflare Firewall Rule quotas would be moving forward.

Looking forward to anything that improves things :slight_smile:


#4

I was thinking about this some more; maybe the idea of max and burst limits?

So you could have, for the free plan, a 200 or 1000 max hard limit and then a 10,000 burst limit which purges down to the hard limit after 24-48 hrs? Or something along those lines.
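The hard-limit idea in this post, as an added example that is not from the thread or from Cloudflare: a Python model of the local side of a fail2ban-to-Cloudflare bridge that keeps one zone under a fixed access-rule quota by giving every ban an expiry (the shorter ban period suggested earlier) and, when the quota is full, evicting the oldest ban instead of failing the next push. The class name, the `max_rules`/`ban_seconds` parameters, the eviction policy and the 198.51.100.x addresses are all constructed for the example; the actual API call that would mirror each change to Cloudflare is left out.

```python
"""Added example (not the thread's or Cloudflare's code): a local mirror of
the block rules pushed to one zone, kept under a fixed quota.

Policy demonstrated:
  * every ban carries an expiry, so old bans free their slot by themselves
  * expired bans are purged before a new one is admitted
  * at quota, the oldest remaining ban is evicted and returned to the
    caller, who would delete that rule remotely and log the churn
"""
from collections import OrderedDict


class QuotaBanList:
    """In-memory mirror of the block rules we have pushed to one zone.

    max_rules   - per-zone quota (constructed value; use your plan's figure)
    ban_seconds - lifetime of a ban before it is purged
    """

    def __init__(self, max_rules, ban_seconds):
        self.max_rules = max_rules
        self.ban_seconds = ban_seconds
        self.evictions = 0                 # how often we ran out of quota
        self._bans = OrderedDict()         # ip -> expiry; insertion ordered

    def purge_expired(self, now):
        """Drop bans whose lifetime has passed; return the IPs removed."""
        expired = [ip for ip, exp in self._bans.items() if exp <= now]
        for ip in expired:
            del self._bans[ip]
        return expired

    def ban(self, ip, now):
        """Admit a ban for `ip` at time `now` (seconds).

        Returns the IP evicted to make room, or None. Re-banning a known
        IP only refreshes its expiry and consumes no extra quota.
        """
        self.purge_expired(now)
        if ip in self._bans:
            self._bans.move_to_end(ip)     # treat a refresh as newest
            self._bans[ip] = now + self.ban_seconds
            return None
        evicted = None
        if len(self._bans) >= self.max_rules:
            evicted, _ = self._bans.popitem(last=False)   # oldest first
            self.evictions += 1
        self._bans[ip] = now + self.ban_seconds
        return evicted

    def active(self):
        """Currently mirrored bans, oldest first."""
        return list(self._bans)

    def __len__(self):
        return len(self._bans)


if __name__ == "__main__":
    # Constructed run: a quota of 3 rules with a 10-minute ban period.
    q = QuotaBanList(max_rules=3, ban_seconds=600)
    for t, ip in enumerate(["198.51.100.1", "198.51.100.2", "198.51.100.3"]):
        q.ban(ip, now=t * 10)
    print("evicted:", q.ban("198.51.100.4", now=30))   # oldest ban goes
    print("active:", q.active(), "evictions:", q.evictions)
    print("purged after 700s:", q.purge_expired(now=700))
```

A rising `evictions` count relative to the number of active bans is the signal that the ban period is too long for the quota you have, which is the trade-off the earlier reply about shorter ban periods points at.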


#5

The limits make sense though. Later today I’m upgrading to Cloudflare Pro with Cloudflare Rate Limiting, so that’ll solve a lot of my current problems. Being a target sucks, but there’s only so much you can do with fail2ban and Cloudflare IP blocks. Regardless of what you may have set up, it still takes a little while for the rules to activate, and that short period is enough for a botnet-style attack to harm your site. Cloudflare can do the rate limiting scaled across 115 data centers rather than your one tiny server. Of course the IP bans are still effective if you’d like to stop a user who is trying to brute a login panel with fail2ban.


#6

But blocking isn’t the same as rate limiting, and rate limiting could end up being quite expensive for 10s of millions of requests: ~$50 per 10 million rate-limited requests. At some point/level of request rate, you’d want to block rather than rate limit those bad requests. Though you can configure those blocks via Cloudflare rate limiting.


#7

You are only billed for allowed requests. If someone is HTTP GET FLOODING you, you aren’t billed for those requests.


#8

Yeah, that’s what I mean: 10 million allowed requests = $50; it’s still a variable cost.

Example: if 25,000 unique IPs make only 1 request/s per unique IP to a URL matching a rate limit rule = 25,000 requests/s over 1 hr = 90 million requests/hr, and if the rate limit was even 10 requests/s per unique IP, all 90 million allowed requests would be billable as far as I understand it, so that could cost US$450 as per https://support.cloudflare.com/hc/en-us/articles/115000272247-Billing-for-Cloudflare-Rate-Limiting


#9

Can a Cloudflare Team Member specify whether we are billed for requests allowed if the IP breaks a rule?

I.e.: 50 requests per minute. An IP sends 51. Are we billed for the 50 requests, since those were technically allowed?


#10

The example in the linked billing article for rate limiting explains it: https://support.cloudflare.com/hc/en-us/articles/115000272247-Billing-for-Cloudflare-Rate-Limiting

For example, given a rule that matches example.com/ratelimit/* and blocks clients that send over 30 requests per minute:

Client A sends 20,000 requests to example.com/ratelimit/foo at a rate of 10 requests per minute. All requests are allowed.

Client B sends 80,000 requests to example.com/ratelimit/bar, usually at a rate of 10 requests per minute, but with bursts over 30 requests per minute. 50,000 of their requests are blocked during the bursts, and 30,000 are allowed when their request rate is lower.

Client C sends 20,000 requests to example.com/elsewhere at a rate of 40 requests per minute. While this exceeds the threshold, it doesn’t match the rule path, so all 20,000 requests are allowed.

In this example, 50,000 requests are billable: clients A and B both sent requests that matched the rule, but some of client B’s requests were blocked, and those blocked requests were billed. In total, the cost is (50,000 - 10,000) * $0.05 = $0.20.

Whoops, I re-read that and it says blocked requests are billed, not allowed requests, but the first part of the explanation says good allowed requests, so they contradict each other LOL

What is billable for Rate Limiting?

Rate Limiting is billed based on the number of good (not blocked) requests that match your defined rules across all your websites. Each request is only counted once so you will not be double charged if a request matches multiple rules.

Blocked requests make sense, but being billed on allowed good requests would be insanely expensive.
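The two worked numbers in this thread (the $0.20 article example above and the $450/hr estimate in the earlier 25,000-IP post) reproduced in Python, as an added example that is not from the thread or from the Cloudflare article. It applies the billing rule as the article states it once corrected: only requests that match a rule and are allowed count, blocked and off-path requests are free, at the thread's $0.05 per 10,000. The per-minute fixed-window counter is an assumed simplification of how the threshold is enforced, the three client traffic patterns are constructed to hit the article's totals, and the 10,000 free allowance is taken from the article's own subtraction.

```python
"""Added example (not the thread's or Cloudflare's code): a small model of
the rate-limiting billing rule discussed in the thread.

Rule modelled: a request is billable only if it MATCHES the rule path and
is ALLOWED; blocked requests and requests outside the path are free.
Price is kept as 5 cents per 10,000 requests so no float rounding occurs.
The fixed 60-second window counter is an assumption, not Cloudflare's
documented algorithm.
"""
from collections import defaultdict

CENTS_PER_10K = 5        # US$0.05 per 10,000 billable requests (from the thread)
FREE_REQUESTS = 10_000   # allowance the quoted article example subtracts


def simulate_rate_limit(events, path_prefix, threshold_per_minute):
    """Classify each request as allowed, blocked or unmatched per client.

    events: iterable of (timestamp_seconds, client, path), constructed.
    A client may send `threshold_per_minute` matching requests within each
    60-second window; further requests in that window are blocked.
    """
    stats = defaultdict(lambda: {"allowed": 0, "blocked": 0, "unmatched": 0})
    window_hits = defaultdict(int)             # (client, minute) -> hits
    for ts, client, path in events:
        if not path.startswith(path_prefix):
            stats[client]["unmatched"] += 1    # rule does not apply
            continue
        key = (client, int(ts // 60))
        window_hits[key] += 1
        if window_hits[key] > threshold_per_minute:
            stats[client]["blocked"] += 1
        else:
            stats[client]["allowed"] += 1
    return dict(stats)


def billable_cents(allowed_requests, free=FREE_REQUESTS):
    """Cost in US cents for a number of allowed, rule-matching requests."""
    billable = max(0, allowed_requests - free)
    return billable * CENTS_PER_10K // 10_000


def steady_traffic(client, path, per_minute, minutes):
    """Constructed traffic: `per_minute` evenly spaced requests per minute."""
    gap = 60 / per_minute
    return [(60 * m + i * gap, client, path)
            for m in range(minutes) for i in range(per_minute)]


def article_example():
    """Rebuild the article's three clients against a 30 req/min rule on
    example.com/ratelimit/* and return (allowed, blocked, cents)."""
    events = (
        steady_traffic("A", "/ratelimit/foo", per_minute=10, minutes=2000)   # 20,000, never over
        + steady_traffic("B", "/ratelimit/bar", per_minute=80, minutes=1000) # 80,000, bursting
        + steady_traffic("C", "/elsewhere", per_minute=40, minutes=500)      # 20,000, off-path
    )
    events.sort(key=lambda e: e[0])
    stats = simulate_rate_limit(events, "/ratelimit/", threshold_per_minute=30)
    allowed = sum(s["allowed"] for s in stats.values())
    blocked = sum(s["blocked"] for s in stats.values())
    return allowed, blocked, billable_cents(allowed)


def hourly_flood_cents(unique_ips, reqs_per_second_each, threshold_per_second):
    """Closed form for the thread's 25,000-IP scenario: a steady per-IP rate
    at or under the threshold is never blocked, so every request is allowed
    and billable (no free allowance, matching the thread's own arithmetic)."""
    allowed_per_ip = min(reqs_per_second_each, threshold_per_second) * 3600
    return billable_cents(unique_ips * allowed_per_ip, free=0)


if __name__ == "__main__":
    print(article_example())                  # (50000, 50000, 20) -> $0.20
    print(hourly_flood_cents(25_000, 1, 10))  # 45000 cents -> $450 per hour
```

The second function is the point of the earlier post: a distributed source that stays under the per-client threshold is never blocked, so the rule contributes nothing to mitigation while every request it matches is billed, which is why the narrow path matching suggested later in the thread matters.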


#11

You are right that the article is contradictory. This is correct:

Rate Limiting is billed based on the number of good (not blocked) requests that match your defined rules across all your websites.

I have updated the article to indicate that blocked requests are not billed, thank you for pointing that out!


#12

Thanks @Martijn for the clarification, so indeed my example above is correct: 90 million allowed requests/hr = $450/hr billed :astonished:


#13

Look for some additional insights into rate limiting rules to be available soon, and rules can always be deployed in simulate mode to try to understand the impact/efficacy. And in general I think it’s not a bad idea to try to be as specific as is reasonable when it comes to pattern matching to protect against specific threats (e.g. brute force attacks against username).

Also one minor point of clarification:

Cloudflare’s DDoS protection and Web Application Firewall (WAF) solutions. Cloudflare charges based on “good” requests, i.e. requests that match a rule you have created and are allowed to origin servers.

These are requests “to origin servers”. So the more content we can serve to you from cache the less you have to worry about server load/resource exhaustion (or billing).


#14

Any updates on new features? Or any plans for revising the Cloudflare Firewall IP limit strategy, i.e. having hard limit + burst limits as suggested above?


#15

I understand the idea of making money on different tiers, but in the case of security it’s in Cloudflare’s and customers’ best interest to be able to gather as much data as possible. Limiting the ability to ban IPs effectively limits the data Cloudflare can use to predict future attacks. The more data Cloudflare has, the stronger it will be at predicting bad IPs to not cache data for and to block, effectively lowering Cloudflare’s costs and improving its speed.

  1. Suggesting not limiting the bad IP rules.
  2. Creating unlimited page rules for all tiers for a specific page rule called “Black hole.”

I constantly see repeated attack methods of bots looking for file patterns. If there was a way for me to create page rules for the bad request patterns that point to a “black hole”, then Cloudflare could quickly monitor the black hole actors and even more quickly gather bad ip data.

IMHO two really big opportunities being missed.

That said still love Cloudflare and look forward to your response.


#16

+1 yup… hope there’s plans to raise the limits or something


#17

I cannot log in to a website that uses Cloudflare, please help me!


#18

Open up a Support Ticket at support.cloudflare.com or email them at support AT cloudflare DOT com from your account’s email address.

If you’d like more help here, please provide more information, such as domain name and the error you’re seeing.


#19

OK, thank you, I will try to contact them.