Currently under attack


#1

My site is currently under DDoS attack since Friday 25th May. I have just set up a pro account with Cloudflare. Do I need to configure anything other than what has already been set up by Cloudflare? If so could someone please give me some guidance as to what I need to do and how I can help kill this attack.

Thanks
Andy


#2

“Currently” for “five days” is somewhat cute :slight_smile:

What sort of attack is it?


#3

First, you can set your Security Level to “High” in Firewall, if you haven’t already done so. If “High” isn’t doing it, then set it to “I’m Under Attack!”

You can also try Rate Limiting under Firewall.


#4

Hi Sandro,
Thanks for getting back so quick. It seems to be what’s termed as an email bomb, 17,000 requests through Cloudflare since last night! I only pointed the name servers to Cloudflare yesterday evening. One thing my host provider mentioned was that even though the name servers had been changed and were going through Cloudflare the IP address was still my host provider’s and the requests were simply going through Cloudflare and back to the original IP address, therefore solving nothing. Would this be because the name servers were still completing the changeover? I need to know this kind of stuff and whether I can do anything with the Cloudflare firewall which is already set to I’m Under Attack.


#5

That would be email related, in your case you seem to get overwhelmed with requests, so that would be something different.

What your provider probably referred to is that you switched to Cloudflare’s nameservers but you did not switch the DNS hosts from :grey: to :orange:, thereby proxying all requests through Cloudflare and enabling their security layer. Basically requests still seem to go directly to your server.

The first thing you should do is switch to :orange:, immediately afterwards you should try to get a new IP address.


#6

Cloudflare doesn’t proxy email. If it’s an email bomb, this is something you need to take up with your email provider.


#7

Currently I have three orange clouds in my DNS settings but the IP address is my original IP address. Meaning all three are going through Cloudflare but shouldn’t the IP address be different?


#8

The IP address where? In the control panel or when you resolve it? The former has to be your original IP address, the latter should be different.


#9

It’s under Manage your Domain Name System (DNS) settings.
What I have in fact got here, is a grey arrow going through an orange cloud.
What do you mean by when I resolve it? I was under the impression that when I changed the name servers the IP address would change also?


#10

The IP changes if you set your records. Visitors or attackers will see two CloudFlare IPs instead of your origin.

Test it yourself on a terminal / command prompt:

nslookup your.domain.com

It should show two IPs from these blocks:

Make sure to set them all to :orange: regardless if it is mail, ftp or whatever. You will not receive mails as long as the according record is orange clouded. But it will stop your server being overwhelmed since only http/https will be proxied. If it works, take a deep breath :wink:

If the above nslookup shows CF IPs, all records are set to :orange: and the attack is still reaching your server, they are attacking your origin IP directly.


#11

Thanks Mark,
I’ve done what you suggested and I am presented with two IP addresses none of which are on either of the two CF blocks. It says Non-authoritative answer: My domain name followed by an IP address x2.
I’m running terminal on a MacBook Pro.


#12

Also the two IP addresses are the same and not that of my host provider.


#13

Then it must be CloudFlare.

Run

whois ip.add.re.ss

In your terminal


#14

Ok Mark I entered whois ip.add.re.ss and got neither CF nor my host provider but IANA? Am I supposed to enter the actual IP address in the command somewhere? Sorry I’m not at all savvy with this.


#15

Yes it’s CF I just ran whois and the IP and it came up with the net range for CF within which the IP fell.
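
The nslookup and whois checks worked through in this thread, as an added example that is not part of any post: it tests each DNS record's resolved addresses against Cloudflare's published IPv4 ranges and flags any record that still hands out the origin IP. The range list is a snapshot, and the hostnames, addresses and function names are constructed for illustration.

```python
import ipaddress
import socket

# Snapshot of the IPv4 ranges Cloudflare publishes at https://www.cloudflare.com/ips/
# (assumption: refresh from that page before relying on it; the list changes).
CLOUDFLARE_V4 = """
173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18
108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17
162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22
""".split()
NETS = [ipaddress.ip_network(cidr) for cidr in CLOUDFLARE_V4]

def is_cloudflare(ip):
    """True if ip falls inside one of the listed Cloudflare ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NETS)

def resolve(host):
    """Live IPv4 lookup, the scripted form of `nslookup host`."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def audit(records, origin_ip):
    """Map each hostname to 'proxied', 'EXPOSES ORIGIN' or 'not proxied'."""
    report = {}
    for host, ips in records.items():
        if origin_ip in ips:
            report[host] = "EXPOSES ORIGIN"      # grey-cloud record leaking the server
        elif ips and all(is_cloudflare(ip) for ip in ips):
            report[host] = "proxied"             # visitors only see Cloudflare
        else:
            report[host] = "not proxied"         # third party or unresolved
    return report

# Constructed sample: what resolve() might return for a zone where the mail
# record was left unproxied. 203.0.113.25 stands in for the origin server.
SAMPLE = {
    "example.com": ["104.16.1.10", "104.16.2.10"],
    "www.example.com": ["104.16.1.10"],
    "mail.example.com": ["203.0.113.25"],
    "ftp.example.com": ["198.51.100.7"],
}
ORIGIN = "203.0.113.25"

if __name__ == "__main__":
    for host, status in audit(SAMPLE, ORIGIN).items():
        print(f"{host:20} {status}")
```

For a real zone, build the dictionary with `{h: resolve(h) for h in hostnames}` and pass the origin address shown in the DNS control panel.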

