Cloudflare not registering as an attack and not passing real IPs


#1

Hi,
today I noticed that my 2 websites in cloudflare were down (temporarily suspended for 24h, they have a limited request level of 30k, due to free hosting).

When I went to check the logs and Cloudflare analytics I noticed 93451 requests in each website from an IP in Germany, I know this is an attack because the person behind this had the boldness to say he was attacking, however, I don’t have any IP.

Is there any way to tell Cloudflare to block the requests from that IP as attack and black list it?

Sorry for posting here but I didn’t knew the correct category, if its not the right place, I ask an admin or moderator to move it to the correct place.

Thank you.


#2

What’s your Cloudflare Firewall Security level setting?

Also on that Firewall setting page, you can blacklist IP addresses, ranges, etc. and Challenge or Block them.


#3

Hi, thank you for your reply.

Right now I have turned my firewall security to under attack so that I can prevent the website from going down again when my host reactivates it, but it was set to the default value when the account is created.

I know I can block IPs in the firewall, but I can’t know the IP so I cant block it.

What I feel that is strange, is that it didn’t considered the requests an attack, despite most of that requests being made in around 5 minutes and the attack lasted 40 minutes, it didn’t even showed a cached page (that I had set to expire every 4h, now its set to 12h) since all the hits got trough to my host.

The attack according to google analytics:
it started at 11PM


#4

An attack (in Cloudflare’s terms) is something else than a lot of requests made by the same person in a short period of time. For an attack the requests have to be malicious (or come from a malicious source).

Have you thought about using page rules for more aggressive caching? That way less requests will hit your origin. Otherwise Cloudflare’s rate limiting feature can also help you in this situation.

A (temporarily) option would be the ‘under attack mode’.


#5

probably need to setup fail2ban type config or scripted cloudflare API on your backend origin server which can pass bad ips back to cloudflare firewall though cloudflare has limits on number of cloudflare firewall ips they can hold Cloudflare IP Firewall Limitations?


#6

Thank you all for your replies.

after some searching around Cloudflare and google, I wrote a small script that receives the IPs from Cloudflare’s CF HTTP headers and stores them during a week in a file.

That way I can can associate the data of page requests/sessions to its IP.

But now there is other problem, even requesting the IP from the CF headers, sometimes Cloudflare does not send the real IP and Country from the visitor, it still passes the Cloudflare IPs, like this sample from the file 162.158.64.206_US which correspond to Cloudflare IP’s.

And other times it doesn’t even send any info at all which leads to a registry like this in my file:

"Visitor: _ ; Session time of: 40min; CustomID: (my custom ids);"

In the place of “_” should be IP_COUNTRY, like “Visitor: 162.158.64.206_US;”

Any one knows something about this problem, of not sending the real IPs / Empty values?

Once again thank you all for your help.