DDoS attack

My site is under DDoS attack.

After I enabled Under Attack mode, the site load was going lower, but now a new wave is going on: the site is still in Under Attack mode, but the load is very high.

I set it to block the countries from which the attacks are coming,
like country - Finland
OR country - Netherlands
and set the rule to block…
Is it right to set OR, or is it better to set AND between countries?

Can you give some advice on how to better set rules, etc.?

Thx, I'm looking there right now.

But where can I find requests by source, user agents and ASNs?

I have 20 mil threats in 24 hours…
400% CPU load

Under Attack mode helped at first… but for the last two days the load has been very high…
Do I need to set rules as in the topic you gave when Under Attack mode is active?

P.S. I have one rule to block entire countries from where the attacks are coming; it is not helping much now.

The requests are reaching your server even with UAM active? UAM isn’t necessarily a one-click DDoS mitigation, but it can help a lot though.

However, ensure that your DNS records are proxied (orange cloud) and that your server only accepts requests from Cloudflare IPs. Otherwise, if they know the IP address of your origin server, they can attack it directly and bypass Cloudflare altogether.

What plan are you on?

DNS are proxied - they are orange

UAM is helping - if I disable it, then the site is down quickly. So I don't think they know the origin IP.

At this moment, with UAM ON, the site is working, but slow, because the server got 20 mil requests to it in 24 hrs.

I also added rules to block traffic from those countries (the rule looks like "block France OR Finland OR" etc.). I asked already: maybe I need to block like this, "France AND Finland AND"?

Do I need to set firewall rules like this with UAM active?

free plan

If you want to block requests from various countries, either use multiple Country fields with OR between them or combine all the countries into a single IS IN firewall rule. For example, below are two different ways of doing the same thing with a firewall rule.

Using OR and multiple Country fields:

(ip.geoip.country eq "FI") or (ip.geoip.country eq "FR") or (ip.geoip.country eq "NL")

Using a single IS IN Country field:

(ip.geoip.country in {"FI" "FR" "NL"})

Both rules would match the same requests, but I find the IS IN type easier to manage.


The guide that I made focuses on the Pro package and over because it makes it easier to mitigate attacks thanks to the overview tab on the security section.

I might consider making one that uses the free plan in the future, however, if you are facing a somewhat big attack, I’d upgrade to the Pro plan just so that you are able to see exactly what the malicious requests are doing.

1 Like
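
The OR and IS IN rule forms given in the answer above, run through a small evaluator to compare them with the AND form asked about earlier in the thread. This is an added example, not part of the original thread and not Cloudflare's rule engine; the parser covers only `eq`, `in`, `and`, `or` and parentheses, and the AND rule and sample requests are constructed for illustration.

```python
import re

TOKEN = re.compile(r'[()]|\{[^}]*\}|"[^"]*"|[\w.]+')  # parens, {set}, "string", word

def matches(expr, request):
    """True if `expr` matches `request` (a dict of field name -> value)."""
    toks = TOKEN.findall(expr)[::-1]      # reversed, so pop() reads left to right

    def term():
        if toks[-1] == "(":
            toks.pop()
            result = either()
            toks.pop()                    # closing ")"
            return result
        field, op = toks.pop(), toks.pop()
        if op == "eq":
            return request.get(field) == toks.pop().strip('"')
        if op == "in":
            return request.get(field) in re.findall(r'"([^"]*)"', toks.pop())
        raise ValueError(f"unsupported operator: {op}")

    def both():                           # this evaluator binds `and` tighter than `or`
        result = term()
        while toks and toks[-1] == "and":
            toks.pop()
            result = term() and result    # term() first, so its tokens are consumed
        return result

    def either():
        result = both()
        while toks and toks[-1] == "or":
            toks.pop()
            result = both() or result
        return result

    return either()

# The two rules quoted in the thread, plus a constructed AND variant of the first.
RULE_OR = '(ip.geoip.country eq "FI") or (ip.geoip.country eq "FR") or (ip.geoip.country eq "NL")'
RULE_IN = '(ip.geoip.country in {"FI" "FR" "NL"})'
RULE_AND = RULE_OR.replace(" or ", " and ")
# Constructed sample requests: each request carries exactly one country code.
REQUESTS = [{"ip.geoip.country": c} for c in ("FI", "FR", "NL", "DE", "US")]

def blocked(rule):
    """Country codes of the sample requests that `rule` matches."""
    return [r["ip.geoip.country"] for r in REQUESTS if matches(rule, r)]

if __name__ == "__main__":
    print({"OR": blocked(RULE_OR), "IN": blocked(RULE_IN), "AND": blocked(RULE_AND)})
```

The OR and IS IN rules match the same three countries, while the AND rule matches nothing, because a single request has only one country value and cannot equal all three at once.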

Thx, but I can't pay for Pro right now, my card isn't working.

Can you go to the security tab → Overview and provide us with a screenshot of ~6 events that have any action that isn’t allow?

Can I disable the UAM challenge for all IPs from my internet provider?

all are similar
