Countermeasures against DDOS attacks

Dear all,
in order to improve our security posture against DDoS attack, we are trying to better understand which tools/configurations, at Cloudflare level, we can implement.

What we have understand from the docs that we read from your website is that the typical DDoS attacks are “managed by default” from Cloudflare.

What we are not completely sure is that our configuration in Cloudflare is adequate and harden enough.

For these reasons, we would like to understand if, in term of prevention, detection, information and reaction there are more configurations/actions that we could put in place.

Let me do some examples to better explain the meaning of our request:

  • As I wrote we think that our configuration is well tuned for our needs, but to increase our confidence is there is the possibility to audit our ruleset ?

  • Assuming that for some scenarios it is not possible to further strengthen the configuration, we would like to understand if and how is possible to detect (always within Cloudflare) and to be informed of a DDoS attack.
    Is it possible configure alarms on Cloudflare ? Is it possible to identify an attack by analyzing the logs that can be obtained from Cloudflare ?

  • Finally, considering that for the majority of our public URLs, we expose APIs to other applications, are there methods to be able to react and mitigate a possible attack ?
    For example the “I’m under attack” button in our case (API) does not seem appropriate to us, because there is no human interaction with our URLs.

Thank you very much in advance for your explanations.

Pedro

Hi Pedro,

AFAIK, the tools available to harden your security against DDoS are basically:

Access for non-public areas
Firewall for public areas
Rate Limiting

In my WordPress websites, for instance, I use Access to protect the following areas/files:

/wp-admin
/wp-login.php
/xmlrpc.php

Access then requires authentication before allowing any visitors in. There’s no log on the UI that tells you how many people tried to get in. You’ll see this working by examining the origin server logs and comparing before/after the policy implementation.

Access can also be used for areas accessed via api. (Please see https://developers.Cloudflare.com/access/connecting-to-apps/service-token/)

The Firewall app contains Firewall Rules, Managed Rules (WAF) on Pro plan or higher, and Firewall Tools.

FIrewall Rules can be set using many parameters and will generate a log (Under Firewall > Events) for each event, sometimes more than you would wish. The log, though, is not very useful, as it only allows filtering by IP, Ray ID, or a mysterious Rule ID, which is nowhere to be found.

You can set Firewall Rules for specific behavior patterns, such as:

(http.request.uri.path contains "/whatever/" and not http.referer contains "example.com" and not cf.client.bot)

Which would block attempts at getting to /whatever/ not coming from either example.com or a known bot. Rules can of course be a lot more complex than that.

Under Firewall Tools, you can set simpler rules based on User Agent or IP, to either block, challenge, JS challenge, or whitelist. Any events generated here will also be logged under Firewall > Events.

I’ve never used Rate Limiting, but if your website is under DDoS where the behavior or the IP/UA is hard to match, or impossible to block without hurting your legit visitors, then you may need to implement it.

There’s a recent app called Logflare by @chasers that adds logging capabilities, you may wan to check that out.

1 Like

This topic was automatically closed after 30 days. New replies are no longer allowed.