Cloudflare not stopping DDOS Attacks

Hi,

We are getting hammered by traffic to our site, all signs point to a DDOS.

The problem is that even with Under Attack Mode on, almost all of the traffic is still hitting our server.

Is it possible that the attacks are bypassing Cloudflare altogether? Our Security Ninja Plugin shows 19,000 blocked visits in 12 hours, but Cloudflare has only blocked about 1000.

Hi @matthew6,

It is entirely possible that the requests are bypassing Cloudflare, if you haven’t blocked connections that don’t come through Cloudflare.

Unfortunately, Cloudflare can’t stop everything automatically, and definitely not if the connections bypass them altogether. Have you checked out Under DDoS Attack! First steps and the support article linked from there?

1 Like

Thanks for the reply. I have read that article, it helped a lot. It is just strange that I set a Firewall to block an IP address, but it still gets through. I am going to work with our server to see what can be done.

No problem, yes - unfortunately if the server doesn’t reject non-Cloudflare connections then it can be bypassed.

The ideal is to block any connections that don’t come from the Cloudflare IPs. Alternatively, you can do something like Stop Cloudflare bypassing on shared hosting with workers.

3 Likes

If it’s layer 7 application level attacks, which it seems to be, then you need to use the layer 7 tools CF provides like CF WAF, Firewall rules & CF Rate limiting. Layer 7 mitigation can’t be 100% automated as CF can’t 100% know if the requests are legit or not without you telling it via hints i.e. CF WAF/Firewall Rules, Rate limiting.

You can use rate limiting and/or CF workers to protect your origin. But CF rate limiting costs more than CF workers, so you might as well let the CF worker bear the brunt of it if you have a CF worker which does caching to protect your origin. Of course, if your CF worker is not set up for caching to offload work from the origin, then you’ll incur CF worker costs and still overload your origin.

  • CF rate limit = $50 for 10 million good requests
  • CF workers = $5 for 10 million worker requests

You can also set up fail2ban on the origin server and configure it to talk with the CF Firewall API, so the bad request type traffic matched by the fail2ban jail rules you specify gets banned and the IP ban gets sent to CF Firewall via the API to ban at CF Firewall level.

For instance, if your origin Nginx server is set up with rate limiting of say 10 requests/s to the /register.php link for the same IP, it will log a rate limit log entry in your nginx logs. If you set up fail2ban to read that nginx log looking for that match, then you can ban the IP that hits 10 reqs/sec to /register.php and configure fail2ban to talk to the CF Firewall API to pass that banned IP on to CF Firewall, which will ban the IP at the CF edge server.

Ensure your origin web server is set up to restore real visitor IPs as seen by your origin web server and web app. See links at https://support.cloudflare.com/hc/en-us/sections/200805497-Restoring-Visitor-IPs

But if the attacker knows your origin web server’s real IP address (via a leaked IP, i.e. mail headers), then no CF protection will help until you change your web server’s real IP and plug all possible ways your origin web server’s IP can leak to the public.
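As an added illustration of the Nginx rate limit → fail2ban → CF Firewall API chain described in this reply (this is example code, not from the thread, from fail2ban or from Cloudflare): it parses nginx's own `limiting requests` error-log lines, applies a fail2ban-style maxretry threshold, refuses to ban Cloudflare edge addresses (which is what you would be banning if real visitor IPs were not restored), and builds the IP Access Rule request. The zone id, API token and log lines are constructed placeholders.

```python
import ipaddress
import json
import re
import urllib.request
from collections import Counter

# nginx logs one of these at [error] level every time limit_req rejects a request.
LIMIT_REQ_RE = re.compile(
    r'limiting requests, excess: [\d.]+ by zone "(?P<zone>[^"]+)", '
    r'client: (?P<ip>[0-9a-fA-F.:]+),')

def parse_limit_req(line):
    """Return (client_ip, limit_req zone) for a rejection line, else None."""
    m = LIMIT_REQ_RE.search(line)
    return (m.group("ip"), m.group("zone")) if m else None

def ips_to_ban(lines, maxretry, cloudflare_cidrs):
    """IPs rejected at least `maxretry` times (fail2ban's maxretry). Cloudflare
    edge ranges are skipped: if the origin has not restored real visitor IPs,
    `client:` is an edge address and banning it would block Cloudflare itself."""
    nets = [ipaddress.ip_network(c) for c in cloudflare_cidrs]
    hits = Counter(ip for ip, _ in filter(None, map(parse_limit_req, lines)))
    return sorted(ip for ip, n in hits.items() if n >= maxretry
                  and not any(ipaddress.ip_address(ip) in net for net in nets))

def cf_block_rule(ip, note="fail2ban nginx-limit-req"):
    """Body for POST /client/v4/zones/{zone_id}/firewall/access_rules/rules."""
    return {"mode": "block", "configuration": {"target": "ip", "value": ip}, "notes": note}

def _send(req):
    with urllib.request.urlopen(req) as resp:
        return resp.read()

def ban_at_edge(ip, zone_id, api_token, send=_send):
    """Create the block rule at the Cloudflare edge; `send` is injectable for offline use."""
    req = urllib.request.Request(
        f"https://api.cloudflare.com/client/v4/zones/{zone_id}/firewall/access_rules/rules",
        data=json.dumps(cf_block_rule(ip)).encode(), method="POST",
        headers={"Authorization": f"Bearer {api_token}", "Content-Type": "application/json"})
    return json.loads(send(req))
def _line(ip, excess):  # constructed error-log line in nginx's real limit_req format
    return (f'2024/05/01 10:00:01 [error] 1234#1234: *11 limiting requests, excess: {excess} '
            f'by zone "reg", client: {ip}, server: example.com, '
            f'request: "POST /register.php HTTP/1.1", host: "example.com"')

# Constructed sample: 203.0.113.5 rejected twice, 198.51.100.7 once, one rejection logged with a
# Cloudflare edge IP (104.16.0.0/13; fetch the current list from https://www.cloudflare.com/ips-v4).
SAMPLE_LOG = [_line("203.0.113.5", "10.120"), _line("203.0.113.5", "11.004"),
              _line("198.51.100.7", "10.001"), _line("104.16.1.1", "12.300"),
              "2024/05/01 10:00:02 [notice] 1234#1234: signal process started"]
```

With real values, `ban_at_edge(ip, "ZONE_ID_PLACEHOLDER", "API_TOKEN_PLACEHOLDER")` for each IP in `ips_to_ban(SAMPLE_LOG, 2, cloudflare_cidrs)` is the equivalent of fail2ban's ban action hitting the CF Firewall API.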
