If it’s layer 7 application level attacks, which it seems to be, then you need to use the layer 7 tools CF provides, like CF WAF, Firewall rules & CF Rate limiting. Layer 7 mitigation can’t be 100% automated as CF can’t 100% know if the requests are legit or not without you telling it via hints, i.e. CF WAF/Firewall Rules, Rate limiting.
You can use rate limiting and/or CF workers to protect your origin. But CF rate limiting costs more than CF workers, so you might as well let a CF worker bear the brunt of it if you have a CF worker which does caching to protect your origin. Of course, if your CF worker is not set up for caching to offload work from origin, then you’ll incur CF worker costs and still overload your origin.
- CF rate limit = $50 for 10 million good requests
- CF workers = $5 for 10 million worker requests
You can also set up fail2ban on the origin server and configure it to talk with the CF Firewall API, so the fail2ban jail rules you specify for bad request type traffic get banned and the IP ban gets sent to CF Firewall via API to ban at CF Firewall level.
For instance, if your origin Nginx server is set up with rate limiting of say 10 requests/s to the /register.php link for the same IP, it will log a rate limit log entry in your nginx logs. If you set up fail2ban to read that nginx log looking for that match, then you can ban that IP that hits 10 reqs/sec to /register.php and configure fail2ban to talk to the CF Firewall API to pass on that banned IP to CF Firewall, which will ban the IP at the CF edge server.
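The log-to-edge-ban flow described above, as an added Python sketch that is not part of the original post and is not fail2ban's own code: it matches nginx `limit_req` error-log lines for /register.php, counts them per IP in a sliding window, and builds (without sending) the Cloudflare IP Access Rule request for each offender. Assumptions: the zone name `register`, the `maxretry`/`findtime` values, the zone id placeholder and the log lines are constructed, the two Cloudflare ranges are only a subset of the published list, and nginx is expected to log the real visitor IP rather than a Cloudflare edge address.

```python
import ipaddress, json, re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# nginx error-log line written when limit_req rejects a request
LIMIT_RE = re.compile(
    r'^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[error\] \d+#\d+: \*\d+ '
    r'limiting requests, excess: [\d.]+ by zone "(?P<zone>[^"]+)", '
    r'client: (?P<ip>[0-9a-fA-F.:]+), .*request: "\w+ (?P<path>\S+)')
# Subset of Cloudflare's edge ranges (assumption: load the full published list in practice).
# If nginx logs these, it is not restoring the visitor IP, and banning them would ban the proxy.
CF_EDGE = [ipaddress.ip_network(n) for n in ("173.245.48.0/20", "103.21.244.0/22")]

def find_offenders(lines, path="/register.php", maxretry=3, findtime=60):
    """IPs with >= maxretry limit_req rejections for `path` within `findtime` seconds."""
    window, hits, banned = timedelta(seconds=findtime), defaultdict(deque), []
    for line in lines:
        m = LIMIT_RE.match(line)
        if not m or m["path"].split("?")[0] != path:
            continue
        ip = ipaddress.ip_address(m["ip"])
        if any(ip in net for net in CF_EDGE):
            continue  # never ban the Cloudflare edge itself
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        q = hits[str(ip)]
        q.append(ts)
        while ts - q[0] > window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= maxretry and str(ip) not in banned:
            banned.append(str(ip))
    return banned

def cf_block_request(zone_id, ip):
    """Build the URL and JSON body of a zone-level IP Access Rule that blocks `ip`."""
    url = f"https://api.cloudflare.com/client/v4/zones/{zone_id}/firewall/access_rules/rules"
    body = {"mode": "block", "notes": "origin ban: nginx limit_req on /register.php",
            "configuration": {"target": "ip6" if ":" in ip else "ip", "value": ip}}
    return url, json.dumps(body)

# Constructed sample log: one burst, one slow client, one Cloudflare edge address
_T = ('2024/05/01 {} [error] 2211#2211: *901 limiting requests, excess: 10.320 by zone '
      '"register", client: {}, server: example.com, request: "POST {} HTTP/1.1", host: "example.com"')
SAMPLE_LOG = [_T.format(*row) for row in [
    ("12:00:00", "198.51.100.9", "/register.php"), ("12:00:01", "203.0.113.7", "/register.php"),
    ("12:00:01", "173.245.48.10", "/register.php"), ("12:00:01", "203.0.113.7", "/register.php"),
    ("12:00:02", "173.245.48.10", "/register.php"), ("12:00:02", "203.0.113.7", "/login.php"),
    ("12:00:02", "173.245.48.10", "/register.php"), ("12:00:03", "203.0.113.7", "/register.php"),
    ("12:05:00", "198.51.100.9", "/register.php"), ("12:10:00", "198.51.100.9", "/register.php")]]

if __name__ == "__main__":
    for offender in find_offenders(SAMPLE_LOG):
        print(cf_block_request("ZONE_ID_PLACEHOLDER", offender))
```

Sending the request needs an API token with firewall edit permission in an `Authorization: Bearer` header; the sketch stops at building the request so it runs offline.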