Cloudflare is useless! 7 Days since my website is down - Paid Plan Customer

I have been under attack consistently for 7 days straight. It's a consistent heavy DDoS attack. I upgraded my server, changed IP 5 times, bought a paid plan from cloud, turned on the WAF (under attack mode was already on), hoping it would bring down the attack, but nothing changed. I also tried user agent and IP blocking; still nothing changed. Looks like I wasted my money because I thought Cloudflare was reliable, but it is not. I am very frustrated. Here are the screenshots: 150 million requests and 525GB data transferred.

1 Like

Can you share the ip block screen shot and maybe the name of the domain?

Domain is https://xxx.xxx.xxx. And what do you mean by IP block screen? You mean the firewall event log page?

Btw my server’s CPU usage is 100% and RAM is also above 80% used.

Events would be great or a screen shot of the rules you are using to try and block.

this is the analytics page

this is useragent blocking rule
(http.user_agent eq "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.94 Safari/537.36")
or (http.user_agent eq "Mozilla/5.0 (PlayBook; U; RIM Tablet OS 2.1.0; en-US) AppleWebKit/536.2+ (KHTML, like Gecko) Version/7.2.1.0 Safari/536.2+")
or (http.user_agent eq "Mozilla/4.0 (Windows; MSIE 6.0; Windows NT 5.2)")
or (http.user_agent eq "Opera/9.80 (Windows NT 6.1; WOW64; U; en) Presto/2.10.229 Version/11.62")
or (http.user_agent eq "Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; en) Presto/2.9.168 Version/11.52")
or (http.user_agent eq "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.93 Safari/537.36")
or (http.user_agent eq "Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; en) Presto/2.9.168 Version/11.52")
or (http.user_agent eq "Mozilla/5.0 (MeeGo; NokiaN9) AppleWebKit/534.13 (KHTML, like Gecko) NokiaBrowser/8.5.0 Mobile Safari/534.13")
or (http.user_agent eq "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0 ")
or (http.user_agent eq "Mozilla/5.0 (Linux; Android 4.0.4; Galaxy Nexus Build/IMM76B) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.133 Mobile Safari/535.19")
or (http.user_agent eq "Mozilla/5.0 (compatible; WOW64; MSIE 10.0; Windows NT 6.2)")
or (http.user_agent eq "Mozilla/5.0 (MeeGo; NokiaN9) AppleWebKit/534.13 (KHTML, like Gecko) NokiaBrowser/8.5.0 Mobile Safari/534.13")
or (http.user_agent eq "Mozilla/5.0 (Android; Mobile; rv:14.0) Gecko/14.0 Firefox/14.0")
or (http.user_agent eq "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-US) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27")
or (http.user_agent eq "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27")

1 Like

This is the firewall log from a few seconds ago



In the start I tried to block IPs. It was somewhat effective but became useless after some time. I also used rate limiting, which also proved useless because it didn’t have any effect to bring my website back online.

Thank you. Can you/did you set your origin firewall to block traffic not coming from Cloudflare? This will force all requests to go via Cloudflare. The IPs you should whitelist are found here https://www.cloudflare.com/ips. On first glance it looked like some of those IPs were being challenged, but was viewing on small screen and looking through details now to look carefully.

Next you may want to set a firewall rule with captcha challenge for the top countries and, assuming it’s bots, the top ASNs as well. Can you loop in Support? I’d like to get a better look at the details they can give us.

To contact Cloudflare Customer Support, login & go to https://dash.cloudflare.com/?account=support and select get more help. If you give Support a link to your Community post with some of the basic details, they can pick up the specifics. Here’s a bit of background on Cloudflare Support for reference:

3 Likes
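
The origin lockdown suggested above (accept web traffic only from the ranges at https://www.cloudflare.com/ips), as an added example that is not part of the original thread: it audits an origin access log for peers that are not Cloudflare edges and renders an nftables ruleset. The embedded ranges are a partial snapshot, the log lines are constructed, and the function and table names are assumptions.

```python
import ipaddress
from collections import Counter

# Partial snapshot of the ranges published at https://www.cloudflare.com/ips
# (assumption: incomplete and possibly stale; load the live list before enforcing).
CLOUDFLARE_RANGES = "173.245.48.0/20 103.21.244.0/22 104.16.0.0/13 172.64.0.0/13 2400:cb00::/32"

# Constructed origin access-log lines; the first field is the TCP peer address.
SAMPLE_LOG = """\
104.16.12.7 - - [01/Jan/2020:10:00:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.50 - - [01/Jan/2020:10:00:01 +0000] "GET / HTTP/1.1" 200 512
172.68.1.9 - - [01/Jan/2020:10:00:02 +0000] "GET /search HTTP/1.1" 200 900
203.0.113.50 - - [01/Jan/2020:10:00:02 +0000] "GET / HTTP/1.1" 200 512
198.51.100.9 - - [01/Jan/2020:10:00:03 +0000] "GET / HTTP/1.1" 200 512
"""

def parse_ranges(text):
    """Parse whitespace-separated CIDRs (the published list is one per line)."""
    return [ipaddress.ip_network(r) for r in text.split()]

def is_cloudflare(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip.version == n.version and ip in n for n in nets)

def direct_hits(log_text, nets):
    """Count requests whose peer is NOT a Cloudflare edge, i.e. origin bypass."""
    peers = (line.split()[0] for line in log_text.splitlines() if line.strip())
    return Counter(p for p in peers if not is_cloudflare(p, nets))

def nft_ruleset(nets, ports=(80, 443)):
    """Render an nftables table that drops web traffic not from the given ranges."""
    v4 = ", ".join(str(n) for n in nets if n.version == 4)
    v6 = ", ".join(str(n) for n in nets if n.version == 6)
    dport = "tcp dport { " + ", ".join(map(str, ports)) + " }"
    return "\n".join([
        "table inet origin_filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        f"    {dport} ip saddr {{ {v4} }} accept",
        f"    {dport} ip6 saddr {{ {v6} }} accept",
        f"    {dport} drop",
        "  }",
        "}",
    ])

if __name__ == "__main__":
    nets = parse_ranges(CLOUDFLARE_RANGES)
    print(direct_hits(SAMPLE_LOG, nets))
    print(nft_ruleset(nets))
```

Any non-empty result from `direct_hits` means the origin address is known to someone and is being reached around Cloudflare, in which case no dashboard rule will reduce that load until the origin firewall drops it.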

I agree with you
cloudflare is totally useless
my site has been under attack for the last 10 hours and i tried everything you did try but it didn’t work

1 Like

I already did. I am getting only Cloudflare IPs to my server. Funny thing, I enabled captcha for all countries and it showed captcha to everyone, but still it didn’t stop the attack. I don’t know why but captcha do stop the bots. I also successfully identified all the user agents the DDoS attacker was using; I added them to the block list and again it never worked. Now I'm out of options.

I have created a ticket. My ticket number is Request #1734545

1 Like

Btw I enabled captcha for all countries today and it started to work now.

Edit 10 minutes later: Now it's not working. Site is down again. It seems like he is able to bypass captcha.

I had a similar experience.
Recently my site started to get attacked. The under attack mode did not detect anything even though there were a lot more requests coming in and they were coming from all around the world.
I deployed a firewall rule which challenges every non common country and a few seconds later my site was working again.
However today, around 2 weeks later, the attackers somehow managed to get around the google captcha. The only solution was not to challenge those uncommon countries but to block them completely.

I can't block countries like USA and Europe because most of my legit traffic comes from there.
Btw the attack I'm experiencing is very sophisticated. That guy is able to bypass captcha and user agent blocks easily. He is unstoppable. Every hour I'm getting 5 to 6 million requests and it's been happening for 7 days.

Hi @masterm2013310, I see the reply from support indicating IUAM has successfully blocked the request and the suggestions to configure based on your needs:

  • Enable I’m Under Attack mode outright for the entire site.
  • Enable I’m Under Attack mode for specific pages or sections of your site using a page rule (you can check your access logs to see which pages are being attacked).
  • Conversely, use a page rule to disable I’m Under Attack mode for areas of your site broken by I’m Under Attack mode or known to not be attacked.
  • Enable I’m Under Attack mode (or other challenges) for specific ASNs (hosts/ISPs that own IP addresses, e.g. Amazon has an ASN, Cloudflare has an ASN, Comcast has an ASN, etc - useful if a majority of attack traffic comes from a specific host), countries, or IP ranges using the IP firewall. Some customers use tools like fail2ban to automatically ban IP addresses that request at a rate heavier than you are comfortable with.

@farooq.ustrana, did you enable the rate limiting rules & set your origin firewall to block traffic not coming from Cloudflare? It looks like the attacks have abated for now.
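
An added example (not from the thread or from Cloudflare) of the log check described in the reply above: it finds which paths are being hit and which clients exceed a request rate in a sliding window, the same signal a fail2ban-style ban would act on. The log format (client IP taken from the CF-Connecting-IP header as the first field), the thresholds and the sample lines are assumptions.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: client IP (from CF-Connecting-IP), [time], "request", status.
LINE = re.compile(r'^(\S+) \[([^\]]+)\] "\S+ (\S+)[^"]*" \d{3}')

# Constructed sample: one client hammering /search, two ordinary visitors.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 [01/Jan/2020:10:00:{s:02d} +0000] "GET /search?q={s} HTTP/1.1" 200'
     for s in range(8)]
    + ['198.51.100.20 [01/Jan/2020:10:00:03 +0000] "GET / HTTP/1.1" 200',
       '198.51.100.21 [01/Jan/2020:10:00:05 +0000] "GET /about HTTP/1.1" 200',
       'truncated line that does not parse'])

def parse(log_text):
    """Return (timestamp, client_ip, path) tuples, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            events.append((ts, m.group(1), m.group(3).split("?")[0]))
    return events

def top_paths(events, n=3):
    """Most requested paths, query strings stripped so varying URLs group together."""
    return Counter(path for _, _, path in events).most_common(n)

def heavy_hitters(events, limit=5, window=timedelta(seconds=10)):
    """Map client IP -> peak request count for clients exceeding limit per window."""
    recent, flagged = defaultdict(deque), {}
    for ts, ip, _ in sorted(events):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop requests older than the window
            q.popleft()
        if len(q) > limit:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print(top_paths(events))
    print(heavy_hitters(events))
```

The hot paths are candidates for a page rule scoped to just those URLs, and a widely distributed attack will show many clients each under the per-IP limit, which is when grouping by ASN or country becomes the more useful cut.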

@cloonan for now the attack has stopped but he will be back. Rate limiting will cost me thousands of dollars if I enable it. I enabled it a few days ago but it didn’t work. CPU usage was still 100% and the funny thing was that CF allowed more than 10k legit requests (not legit in reality) to pass through within 5 minutes.

Can you suggest something that can work in my situation? I mean, look at my logs and traffic pattern and suggest me a solution. User agent blocking is also not working.

@farooq.ustrana I hope things have calmed down for you. Can you please update the community with happenings since your last post? I am sure that many of us monitoring here are concerned (as I am) by the experience you had.

Did CF tell you why they could not sustain the attack?
Is your plan level supposed to mitigate the scale of the attack that was thrown at you?

I just implemented CF to protect our websites (they have minimal traffic to them, however still liked the idea of the protections CF claims to provide).

Your experience with CF is VERY troubling to me and I would REALLY like to hear a postmortem of sorts.

I was even considering protecting other protocols or even entire network with CF using the new “magic transit” or if that is too costly to use CF “spectrum” product to do some of the protections for other protocols.

Thank you in advance!

1 Like

@israel1 My site is down again. The DDoS attack has started again after a few hours' break (remember it wasn’t stopped by Cloudflare). 2 million requests/h. I have attached a screenshot.
Cloudflare suggested rate limiting in their reply, which is not working. I am out of options now. I really am. Don't know what to do now.

Things i have learned >>> I am under attack mode is totallllllllllllllly uselesssssssssssssssss
Rate limiting >>>>> USELESSS
Captcha >>>> USELESS

Now I'm waiting for an answer to my support ticket, and if nothing helps then I will try some DDoS protected servers from OVH or some other company.

For now I am disappointed with Cloudflare’s service

andddddd now I am {redacted}. Rate Limiting was totally USELESS, yet I will be charged for 100k supposedly legit requests (not legit in reality) that passed as legit users to my site within 10 minutes of using rate limiting. Imagine if I had kept it on for a few days; you can do the math. Thank god I turned it off in time. I think for me it's time to move on to a real DDoS protected host. Don't get fooled by the {redacted} fancy {redacted} like I am under attack mode, which gives you the impression that you are behind some high end next level protection. For me it was a total nightmare. The wait time for ticket reply is above 8 hours. Here is the rate limiting screenshot that I was charged for. Good for me that I turned it off on time.

Yes, I understand why you are frustrated and I would be as well. I guess I need to look for another provider as well as CF is not reliable.

Did you reach out to your data center or hosting partner? Many of them offer DDoS protection and may be able to assist here.

I guess another question is: are you using shared hosting, a cloud server or a dedicated server?
What are the specs?
Are other ports and services exposed (SSH, RDP, Mail, etc)?

What I would do at this point is block traffic from ALL countries except USA in the portal and see if you can slowly bring traffic down.
You can slowly open other countries.
May not work but I think it's worth a try.