So I’ve been DDoS’d 3 times today. I use a service to receive email alerts whenever the site is down (error 502 for example), recently I’ve been receiving a lot of fake requests which overwhelms the server’s CPU resources and results in a bad gateway error.
What can I do to resolve this? I’m already using Under attack mode, WAF, Rate limiting (with captchas) and the like. None of which is stopping over 2 million fake requests in an hour for exhausting server resources.
What do these fake requests look like? A Firewall Rule might help with this.
What tools does Cloudflare provide that let me see the actual requests after they happen? As far as I know I can only browser the details of these requests while they’re happening through the Firewall tab.
Block the IPs/IP Ranges.
But how can I locate the IP ranges, what logs are available for me to do so?
You said you got the logs/resources? Ban those IPs that are making the requests.
No I don’t. And all the logs on my nginx server are unrecognizable since they are traced back to Cloudflare.
Go into your server somehow and figure out a way to record IPs and block them. Shut your server down and analyze your requests and network?
All the IPs are linked to Cloudflare in the nginx request logs. Why doesn’t Cloudflare have a reliable logging system? I’d have to workaround the default way Cloudflare works when it logs IPs.
And I don’t understand why I have to block IPs themselves since rate limiting should be preventing these requests.
It could be bot systems, I’m not really to sure how to help if you can’t get ahold of the IPs.
What are the consistent common requests?
You could rule it to a filter?
Hi @3245093,
You could captcha challenge all visitors with a firewall rule temporarily, then look for a pattern in the requests in the firewall events log and then narrow down the firewall rule to reduce the impact on genuine visitors.
Cloudflare does have a logging system, but at the Enterprise level. Or you can try logflare.app
NGINX can be configured to restore visitor IP addresses to get you the info you want (scroll down to the NGINX section):
https://support.cloudflare.com/hc/en-us/articles/200170786-Restoring-original-visitor-IPs-Logging-visitor-IP-addresses-with-mod-Cloudflare-
Yes, the problem is it’s hard to analyze these requests without a dashboard of some kind. I could try this, but I’m not sure if the request even matters. Just the number of requests is the reason my site is going down with bad gateway. So maybe firewall on the web server would help since Cloudflare for some reason isn’t blocking these requests with rate limiting?
This topic was automatically closed after 30 days. New replies are no longer allowed.