DDoS Attack and WAF rules set up

I have been under a DDoS attack for a few weeks now. I have tried setting up under attack mode, but the site seems to go down. I have also tried setting WAF rules, but my Google Ads were affected. I've created a rule as follows: (not cf.client.bot and cf.threat_score gt 15) receive a JS Challenge. I have the Challenge Passage set to 1 day.

Now my concern is that this might affect APIs, or if they have another type of bot working that isn’t allowlisted.

I have a few questions about my custom rules after researching a bunch.

  1. Can/Do DDoS attacks use known or “verified” bots to overload servers? Or if I have my rule set to allow known bots but JS challenge all others, should that be sufficient to ensure that the DDoS Attack is managed?
  2. I have Challenge Passage set to 1 day. This is to not bother real users. Is this an ok time span under a DDoS attack or should I set it to less than this?
  3. Do I need to set up anything else to ensure APIs aren’t affected?
  4. Would rate limits help me to minimize and mitigate attacks?
  5. Can someone tell me how to see all traffic that is coming in so I can filter for the types of bots that are trying to access Cloudflare servers?

I am under the impression that my custom rules are too broad at the moment and my goal is to do a search, find commonalities in the attacks, and then create more specific custom rules. This would be to reduce the number of requests that must undergo the JS Challenge and ensure that my rules aren’t fixing one thing and breaking another. I also want to make sure that allowing Cloudflare known bots “verified bots” doesn’t leave a backdoor for bad actors.
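The "find commonalities, then write narrower rules" step described in the post above, as an added example that is not part of the original thread: it compares a constructed attack-window sample against a constructed baseline and scopes the post's JS Challenge rule to values that dominate only the attack. The record layout, the thresholds and the choice of the fields `http.user_agent`, `ip.geoip.asnum` and `http.request.uri.path` are assumptions made for illustration.

```python
from collections import Counter

# Assumed record keys, named after the rule fields they would be matched with.
FIELDS = ("http.user_agent", "ip.geoip.asnum", "http.request.uri.path")

def rec(ua, asn, path):
    """Build one constructed request record keyed by rule field name."""
    return dict(zip(FIELDS, (ua, asn, path)))

# Constructed sample data: a quiet period and a period during the attack.
NORMAL = ([rec("Mozilla/5.0 (sample-browser)", 64500, "/")] * 6
          + [rec("Mozilla/5.0 (sample-browser)", 64501, "/api/v1/items")] * 4)
BASELINE = list(NORMAL)
ATTACK = NORMAL + [rec("sample-flood-client/1.0", 64511, "/search")] * 30

def shares(records, field):
    """Fraction of requests carrying each value of `field`."""
    counts = Counter(r[field] for r in records)
    return {v: n / len(records) for v, n in counts.items()}

def commonalities(baseline, attack, min_share=0.5, min_lift=3.0):
    """Values that dominate the attack window and are rare in the baseline."""
    found = []
    floor = 1.0 / (len(baseline) + 1)  # keeps unseen values from dividing by zero
    for field in FIELDS:
        base = shares(baseline, field)
        for value, share in shares(attack, field).items():
            lift = share / max(base.get(value, 0.0), floor)
            if share >= min_share and lift >= min_lift:
                found.append((field, value, round(share, 2)))
    return sorted(found, key=lambda f: -f[2])

def narrowed_rule(field, value):
    """Scope the post's JS Challenge rule to one observed commonality."""
    literal = str(value) if isinstance(value, int) else '"%s"' % value
    return ("(not cf.client.bot and cf.threat_score gt 15 and %s eq %s)"
            % (field, literal))

if __name__ == "__main__":
    for field, value, share in commonalities(BASELINE, ATTACK):
        print(share, narrowed_rule(field, value))
```

Because the baseline sample includes the `/api/v1/items` traffic, values that are normal for API clients never reach the lift threshold and stay out of the narrowed rules.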

Wow! I am sorry to hear this :confused:

A bit helpful article:


Thank you for your assistance.
