Cloudflare IPv4 Ranges - How to add them with a hard firewall rule limit

At this point I’d assume the network saturation is the biggest issue. Did your provider address that?

You need to find the common denominator between these two networks. Probably another 7 or 6 network. I’d highly suggest Classless Inter-Domain Routing - Wikipedia in this context.

Sort of? It seems to be better than it was last night in terms of users being able to connect and not get errors constantly. Host also changed my v4 IP for free, which was nice; however, if I disable the host firewall the NIC on my origin instantly gets saturated to 1gbps again. :confused:

Thanks, I’ll give this a go. Wish me luck haha

103 and 104 are not ideal. 188 and 190 are probably better → 188.0.0.0/6

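The aggregation step described above (finding the "common denominator" network between two prefixes, and why 188/190 collapses nicely into 188.0.0.0/6 while 103/104 would need a /4) can be done mechanically. The following is an added example, not code from the thread or from Cloudflare: it computes the smallest CIDR supernet covering a set of prefixes, and greedily merges the cheapest neighbouring pair until the list fits a given firewall rule limit. The sample prefixes are constructed for illustration (they sit in the first octets the thread mentions); the real list should be fetched from https://www.cloudflare.com/ips-v4. The `extra_addresses` helper shows how many non-listed addresses each merge lets through the firewall, which is the security trade-off of this approach.

```python
import ipaddress
from typing import Iterable, List, Union

Net = Union[str, ipaddress.IPv4Network]


def _as_net(n: Net) -> ipaddress.IPv4Network:
    if isinstance(n, ipaddress.IPv4Network):
        return n
    return ipaddress.ip_network(n, strict=False)


def smallest_supernet(networks: Iterable[Net]) -> ipaddress.IPv4Network:
    """Smallest single CIDR block that contains every given IPv4 network.

    The answer is the longest prefix shared by the lowest and highest address,
    e.g. 188.114.96.0/20 + 190.93.240.0/20 -> 188.0.0.0/6.
    """
    nets = [_as_net(n) for n in networks]
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    prefix = 32
    while prefix > 0 and (lo >> (32 - prefix)) != (hi >> (32 - prefix)):
        prefix -= 1
    # strict=False masks the host bits of `lo` to the chosen prefix length
    return ipaddress.ip_network((lo, prefix), strict=False)


def fit_to_limit(networks: Iterable[Net], max_rules: int) -> List[ipaddress.IPv4Network]:
    """Reduce a prefix list to at most `max_rules` entries.

    Exactly-mergeable neighbours are collapsed first (no over-coverage); after
    that, the adjacent pair whose supernet wastes the fewest addresses is merged
    repeatedly. Greedy, not optimal, but good enough for a handful of rules.
    """
    nets = sorted(ipaddress.collapse_addresses(_as_net(n) for n in networks))
    while len(nets) > max_rules:
        best_i, best_net, best_waste = 0, None, None
        for i in range(len(nets) - 1):
            merged = smallest_supernet([nets[i], nets[i + 1]])
            waste = merged.num_addresses - nets[i].num_addresses - nets[i + 1].num_addresses
            if best_waste is None or waste < best_waste:
                best_i, best_net, best_waste = i, merged, waste
        nets[best_i:best_i + 2] = [best_net]
        # the new supernet may swallow other entries; collapse again
        nets = sorted(ipaddress.collapse_addresses(nets))
    return nets


def extra_addresses(original: Iterable[Net], aggregated: Iterable[Net]) -> int:
    """How many addresses the aggregated list allows that the original did not."""
    return (sum(_as_net(n).num_addresses for n in aggregated)
            - sum(_as_net(n).num_addresses for n in original))


# Constructed sample prefixes (illustrative, not the published Cloudflare list).
SAMPLE_RANGES = [
    "103.21.244.0/22",
    "103.31.4.0/22",
    "104.16.0.0/13",
    "104.24.0.0/14",
    "188.114.96.0/20",
    "190.93.240.0/20",
]

if __name__ == "__main__":
    print("188/190 supernet:", smallest_supernet(["188.114.96.0/20", "190.93.240.0/20"]))
    print("103/104 supernet:", smallest_supernet(["103.21.244.0/22", "104.16.0.0/13"]))
    fitted = fit_to_limit(SAMPLE_RANGES, max_rules=4)
    print("fitted to 4 rules:", [str(n) for n in fitted])
    print("extra addresses admitted:", extra_addresses(SAMPLE_RANGES, fitted))
```

Every merge that is not an exact collapse widens the allowlist, so after trimming to the rule limit it is worth printing `extra_addresses` and deciding whether that over-coverage is acceptable, or whether the surplus rules should instead be spent on the prefixes that would otherwise merge into something as broad as a /4 or /6.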

What exactly is this, and how would it help me? I’ve seen Workers are cheaper than Argo tunneling, but Workers seem like something I’d need to bake into my application.

Something like https://www.obytes.com/blog/avoid-cloudflare-bypassing-by-using-secret-headers and you’d need to configure your origin to reject requests that didn’t contain the correct header.

But if the attack is on the direct IP and the provider can’t mitigate the link saturation … not sure how useful that is going to be.

I don’t think Argo Tunnel requires Argo Smart Routing. See if you can set it up without enabling Argo Smart Routing, as I don’t see how they’d be able to bill you for traffic if you’re not using the smart routing subscription.

Workers run on Cloudflare’s side and the idea - as @cs-cf elaborated - would be to add a header for you to check for on the server, but you could achieve the same without Workers and client certificate authentication (Cloudflare calls it Origin pulls).

But all of that won’t really help in your situation as the issue does not involve Cloudflare in the first place.
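The origin-side half of the secret-header idea from the two posts above (a Worker adds a header, the origin rejects requests without it, optionally on top of a source-IP allowlist) looks like this as an added example; it is not code from the thread, from the linked blog post, or from Cloudflare. The header name `X-Origin-Secret`, the secret value and the allowlist prefixes are all constructed placeholders. As the thread itself points out, this only stops requests from being served by the application; it does nothing for link saturation at the NIC.

```python
import hmac
import ipaddress
from typing import Callable, Iterable, List, Tuple

# WSGI spells the hypothetical "X-Origin-Secret" header as HTTP_X_ORIGIN_SECRET
SECRET_HEADER = "HTTP_X_ORIGIN_SECRET"


def is_trusted_request(environ: dict, expected_secret: str) -> bool:
    """True only if the request carries the shared secret set by the Worker."""
    presented = environ.get(SECRET_HEADER, "")
    # constant-time comparison: a plain == leaks how many leading bytes matched
    return hmac.compare_digest(presented.encode(), expected_secret.encode())


def is_from_allowed_network(environ: dict, allowed: Iterable[str]) -> bool:
    """True if REMOTE_ADDR (the TCP peer, not a forwarded header) is in the allowlist."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    return any(peer in ipaddress.ip_network(n, strict=False) for n in allowed)


def origin_guard(app: Callable, expected_secret: str, allowed: List[str]) -> Callable:
    """WSGI middleware: both checks must pass, otherwise 403 without touching the app."""
    def wrapped(environ, start_response):
        if not (is_from_allowed_network(environ, allowed)
                and is_trusted_request(environ, expected_secret)):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"direct access to origin not allowed\n"]
        return app(environ, start_response)
    return wrapped


def hello_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from origin\n"]


# Constructed allowlist; in practice load the published proxy ranges here.
ALLOWED = ["104.16.0.0/13", "188.114.96.0/20"]


def handle(environ: dict, expected_secret: str = "constructed-secret") -> Tuple[str, bytes]:
    """Run one request through the guarded app and return (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    guarded = origin_guard(hello_app, expected_secret, ALLOWED)
    body = b"".join(guarded(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    print(handle({"REMOTE_ADDR": "104.16.1.1", SECRET_HEADER: "constructed-secret"}))
    print(handle({"REMOTE_ADDR": "104.16.1.1"}))
    print(handle({"REMOTE_ADDR": "203.0.113.5", SECRET_HEADER: "constructed-secret"}))
```

The allowlist check reads `REMOTE_ADDR` rather than any `X-Forwarded-For` style header, because the whole point is to decide whether the TCP peer is the proxy; only after that is the forwarded client address worth trusting. The secret should be rotated together with the Worker, and the same pattern applies if mutual TLS (Cloudflare's Authenticated Origin Pulls) is used instead of a header.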

Yeah, I’ll see if what Sdayman said could work. Pretty sure that’s my only option for preventing this in the future, even if I have to move hosting providers.

Argo
Argo is a service that uses optimized routes across the Cloudflare network to deliver responses to your users more quickly, reliably, and securely.
Enabling Argo activates Argo Smart Routing and Tiered Caching, reducing Internet latency on average by more than 30% and connection errors by 27%.
Argo Tunnel is also available upon activation. Use of Tunnel is optional; it protects servers from IP address exposure and attack. View the developer documentation to learn more.
This feature is a usage-based product. Learn more about how billing works for Argo.

It looks like I’d need to use Smart Routing before I can use the Argo Tunnel, so I’d be paying for it.

Argo won’t fix that either, as the issue is not Cloudflare related as I mentioned before.

You first need to sort out the link issues with your provider.

I would probably hop providers if I could use Argo.

With a new IP address they couldn’t go for your server any more and you wouldn’t need Argo either.

My recommendation, get a completely new address, make sure it does not leak, and block on Cloudflare whatever needs blocking.

I got a new IP earlier today, it didn’t change the issue at all. I could still see that the NIC on my origin was maxed out. I have 0 clue how it could have got out, let alone that fast.

Then that address leaked as well. I assume you did challenge requests on Cloudflare and that did not change anything.

As long as they go for the server there is nothing on Cloudflare you could use to mitigate that.

I’ve seen that, but it doesn’t seem to be necessarily true.

Yeah, at the moment I’m in “I’m Under Attack” mode, which isn’t doing anything because as you say, they’re just going for the origin, and the act of blocking all these requests is just overloading the NIC.

Here’s the DNS for my site, is there anything here that jumps out to you as a misconfiguration?

Considering that all relevant records are proxied it should not have leaked via DNS, but then there are plenty of other ways too. A couple I mentioned earlier.

Yeah, mail seems to be one I see a lot, but I don’t run any mail servers.

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.