Constantly Under Attack (How to stop them?)!

Hi guys, my name is Kiko. I will show you a problem that is bugging me out:

The attack started 2 or 3 months ago, but the thing is that I can’t see any spike in Cloudflare analytics, nor in Google Analytics or anything else, which is pretty weird. I did upgrade the Cloudflare subscription for one month and it did not work; I tried to use every last tool from here, haha.

If I turn off the “Under Attack Mode”, my server CPU goes up in flames, almost literally. I have a 4-core, 4 GB RAM SSD VPS at ScalaHosting, and at most user usage is around 80%, but when I turn off this protection it goes to 20, 30, 40, 50… OVER-USAGE of the CPU (see the pic).

I have configured everything that I can here at Cloudflare and on my server with security plugins like Wordfence, and scavenged the internet for a solution, but couldn’t find one; that’s why I’m here.

Did someone experience something like this weird attack? According to my users, this 5-second loading screen is starting to freak them out a little bit. I would like to solve this; any help will be really appreciated.

Folks of the Internet, please help me out! And if you need anything, just ask; I will be here replying until this is covered.

Thanks! -Kiko-

This is weird.
If the first one is true, the attackers are hitting your backend directly and bypassing Cloudflare.
If the second one is true, the attackers are hitting Cloudflare, and that’s good since we can build measures to mitigate the attack.

Are you still on the Pro package? Can you show the dashboard analytics?

I don’t think any of these plugins will help you despite their claims. DDoS attack mitigation should never be done within the server itself.


Thanks for the fast reply!
I downgraded since I couldn’t see any improvements.
Sure, here is the dashboard:
Web Traffic:

Bandwidth:

Unique Visitors:

Threats:

Let me know anything else that could help.

Thanks!

There is quite an apparent detection given how high the Threat count is. The PRO package isn’t of much help to automatically mitigate DDoS attacks; however, it has handy logs that can help build firewall rules that mitigate the attacks.

If you go to Firewall overview, you should see a log of events. Can you post some of the challenged/blocked requests in detail?


Thanks for the explanation. Sure!

Here are some of them:

This IP is from my server; I don’t really know why it appears:

Another one:

One blocked (this seems like an error; Cloudflare should have let the guy view the page?):

Another one:

One more:

And the last one (there are 72k logs more):

Thanks for the help!

I realized that there are lots of these:


Yeah, however, given the HTTP version, I’m more inclined to believe those are legitimate visitors.

This one might be part of the reason that causes your CPU usage to be high; however, it’s quite hard to determine from an isolated event.
I would suggest upgrading to the PRO package to gain better insights; however, even after that, there is a risk of us not being able to spot the malicious requests.
The high number of threat counts is a good indicator that we will be able to tell what’s wrong; however, I insist that I can’t give you any guarantees :sweat_smile:


Thanks for the info! I will try in the near future to get the Cloudflare Pro upgrade and research into this.

Could I ask for some file usage stats at the hosting? ScalaHosting does have 24h live chat; they are really great. What should I ask for?

Ultimately what helps diagnose attacks is aggregating all the logs and having them on multiple graphs; anomalies typically shine unless you are dealing with a massive customer.

If you want to remain on the free plan, you could use workers and send logs to Grafana. Alternatively, you could collect and send logs from your webserver to grafana periodically.
Example:


Since your Threats analytics panel points to MX as the top country for threats, I’d try to filter Country equals MX in Firewall > Overview to see if that brings up some patterns you can use to form a firewall rule.

And of course you can always try to simply JS challenge all visitors from MX, instead of using IUAM for the whole website.
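The two suggestions above, aggregating the logs until an anomaly stands out and then filtering by the dominant country to derive a firewall rule, can be done offline on an export of the firewall events. The following is an added example written for this thread, not code from the original posts or from Cloudflare. The field names are an assumption modelled on what a firewall event shows (IP, country, user agent, action, path), the events themselves are constructed, the origin IP is made up, and the WP Rocket user agent string is assumed. The script also groups requests coming from the origin server's own address, since that is the other pattern the thread ends up chasing.

```python
"""Aggregate firewall events so that attack patterns stand out: one country
dominating the challenged/blocked requests, or the origin server's own IP
generating load against itself."""
from collections import Counter

# Constructed sample events (not data from the thread). Field names are an
# assumption modelled on a Cloudflare firewall event; values are made up.
SAMPLE_EVENTS = [
    {"ip": "203.0.113.10", "country": "MX", "ua": "python-requests/2.25", "action": "challenge", "path": "/wp-login.php"},
    {"ip": "203.0.113.11", "country": "MX", "ua": "python-requests/2.25", "action": "challenge", "path": "/wp-login.php"},
    {"ip": "203.0.113.12", "country": "MX", "ua": "python-requests/2.25", "action": "block", "path": "/xmlrpc.php"},
    {"ip": "203.0.113.13", "country": "MX", "ua": "python-requests/2.25", "action": "challenge", "path": "/"},
    {"ip": "198.51.100.7", "country": "US", "ua": "Mozilla/5.0 (Windows NT 10.0) Firefox/90.0", "action": "challenge", "path": "/"},
    {"ip": "198.51.100.8", "country": "ES", "ua": "Mozilla/5.0 (Macintosh) Safari/605.1", "action": "challenge", "path": "/about/"},
    # The origin server's own (assumed) address, driven by a cache-preload crawler.
    {"ip": "192.0.2.50", "country": "US", "ua": "WP Rocket/Preload", "action": "bypass", "path": "/post-1/"},
    {"ip": "192.0.2.50", "country": "US", "ua": "WP Rocket/Preload", "action": "bypass", "path": "/post-2/"},
    {"ip": "192.0.2.50", "country": "US", "ua": "WP Rocket/Preload", "action": "bypass", "path": "/post-3/"},
    {"ip": "192.0.2.50", "country": "US", "ua": "WP Rocket/Preload", "action": "bypass", "path": "/post-4/"},
    {"ip": "192.0.2.50", "country": "US", "ua": "WP Rocket/Preload", "action": "bypass", "path": "/post-5/"},
]

ORIGIN_IP = "192.0.2.50"  # assumed address of the VPS behind Cloudflare


def count_by(events, field, actions=None):
    """Count events per value of `field`, optionally restricted to some actions."""
    counts = Counter()
    for e in events:
        if actions is None or e["action"] in actions:
            counts[e[field]] += 1
    return counts


def dominant_country(events, min_share=0.5):
    """Return (country, share) if one country accounts for at least `min_share`
    of the challenged/blocked events, otherwise None."""
    counts = count_by(events, "country", actions={"challenge", "block"})
    total = sum(counts.values())
    if not total:
        return None
    country, n = counts.most_common(1)[0]
    share = n / total
    return (country, share) if share >= min_share else None


def origin_self_traffic(events, origin_ip):
    """Group requests coming from the origin server's own IP by user agent.
    A large count here means the server is generating load against itself."""
    return dict(Counter(e["ua"] for e in events if e["ip"] == origin_ip))


def paths_for_ip(events, ip):
    """Sorted list of paths requested by one IP, to see what a crawler is doing."""
    return sorted(e["path"] for e in events if e["ip"] == ip)


def country_challenge_rule(country):
    """Firewall rule expression to JS-challenge a single country instead of
    turning on Under Attack Mode site-wide. `ip.geoip.country` is the field
    name in Cloudflare's rules language."""
    return f'(ip.geoip.country eq "{country}")'


def report(events, origin_ip=ORIGIN_IP):
    """Human-readable findings: dominant country (with a candidate rule) and
    any self-inflicted traffic from the origin."""
    lines = []
    dom = dominant_country(events)
    if dom:
        lines.append(
            f"{dom[0]} accounts for {dom[1]:.0%} of challenged/blocked requests; "
            f"candidate rule: {country_challenge_rule(dom[0])} -> JS challenge"
        )
    for ua, n in origin_self_traffic(events, origin_ip).items():
        lines.append(
            f"origin IP {origin_ip} made {n} requests with UA {ua!r}; "
            "check cache preload / cron settings before blaming an attack"
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_EVENTS):
        print(line)
```

On a real export, replace `SAMPLE_EVENTS` with the parsed log rows and set `ORIGIN_IP` to the VPS address; the point of the origin-IP grouping is that traffic which bypasses every rule and still overloads the server is, by definition, not something Cloudflare can stop.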

Wow! That looks insane. I would love to use that analysis tool; I will search for some tutorials to set it up.

I will be trying it out and later on I will come back here to share results.

Thanks!

That’s a really good idea; I will try that too!

Thanks!!

Later on I will come back and share whether it worked!


Hi! I have an update. Could you share your thoughts on this?

I did try many things, and one of them was to bypass my own server’s IP with a rule, to see if something is wrong with it. I created a rule that would let my server’s IP bypass every rule and firewall configuration, even with Under Attack Mode activated.

Then my server went up in flames, as it has been doing whenever I disable Under Attack Mode.

What could this mean? I don’t really understand what my OWN IP could be doing…

Thanks!

I found something weird… The rule caught these actions from WP Rocket:


Then I searched for some things, and this might be causing the high usage on my own server… It wasn’t a DDoS attack; this post explains something. Could it be the problem?

Post:


Yeah, that would make sense. It’s odd that they have such an aggressive warmup tactic; it seems like overkill, but I’m not familiar with how the caching of the other plugins might work.
