DDoS attack from multiple IPs, Multiple Countries, Multiple Paths

arshid · August 1, 2022, 12:24pm

DDoS attack from multiple IPs, Multiple Countries, Multiple Paths on our Website. But attack is from Genuine Linux/ Windows machine (User agent mentioned below).

We have RateLimit enable for 500hit/min ALLOW. But all this hits around 200-300/min, so it passes the RateLimit filter.
Bot Modes are set to CAPTCHA already.
WhiteListed only Cloudflare IPs to Origin server.

How can we detect and block such hits from genuine Linux/ Windows machine ???

Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Mozilla/5.0 (X11; Linux x86_64)

jnperamo · August 1, 2022, 12:34pm

Can you show the WAF > Overview as well as a random sample of malicious events (10 ideally).

Are they solving the Captcha and JS Challenge?

arshid · August 2, 2022, 9:09am

U can see in image that we get 24.7K hit from Windows machine from US. And this kind of hits are not getting blocked from WAF. Neither BOT filter blocking. and not RateLimit filter blocks this, due to this hits from different IPs. [And we connot Block Windows users and neither we can block whole US].

arshid · August 2, 2022, 9:21am

We can see here 99.61K hits from different countries within 15 mins time frame, uses windows machine. Attacker uses multiple IPs, multiple countries, genuine windows machine to attack.

soldier_21 · August 2, 2022, 10:21am

Have you tried the Under Attack mode?

arshid · August 2, 2022, 11:55am

You can see Multiple IPs, and hits are within 100/mins, RateLimit Filter will also wont work.

arshid · August 2, 2022, 12:37pm

We cannot keep ENABLE “Under Attack Mode” always I guess. It will block our Google Ads(Genuine bots).

jnperamo · August 2, 2022, 1:34pm

To be completely fair, is it really an issue? You have a few thousand of events in what seem to be 30 minutes. I don’t tink that any server should have issues with that much traffic even if it all goes through Cloudflare.

The UA seems to be static and the ASNs that are throwing the attack are also limited so, you could try blocking that if its an actual annoyance.

arshid · August 2, 2022, 1:52pm

few thousand?? I have attached the complete traffic logs, its around
181.52K. This many traffic enough to make our DB server down.

mcfadyeni · August 2, 2022, 2:23pm

From those traffic logs it looks like you could try blocking AS203020 HOSTROYALE (unless you know you have legit traffic coming from there).

But that’s more a stop-gap solution until you can figure out a method of blocking them based on behavior or something else more common.

system · August 17, 2022, 2:24pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Captcha-solving Botnet Security	3	1076	April 18, 2024
DDOS Attack from thousands of USA IP's Security	6	2568	April 1, 2021
Ddos is not stopping, I have tried several ways Security	3	1893	August 6, 2022
Firewall being bypassed (Captcha, JS Challenge, Block) Security	9	7469	March 30, 2020
DDOS attack via Cloudflare network, "Under attack mode" not working Website, Application, Performance	10	1133	November 1, 2023

DDoS attack from multiple IPs, Multiple Countries, Multiple Paths

Related topics