DDoS attack from multiple IPs, Multiple Countries, Multiple Paths

DDoS attack from multiple IPs, Multiple Countries, Multiple Paths on our Website. But attack is from Genuine Linux/ Windows machine (User agent mentioned below).

  1. We have RateLimit enable for 500hit/min ALLOW. But all this hits around 200-300/min, so it passes the RateLimit filter.
  2. Bot Modes are set to CAPTCHA already.
  3. WhiteListed only Cloudflare IPs to Origin server.

How can we detect and block such hits from genuine Linux/ Windows machine ???

Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Mozilla/5.0 (X11; Linux x86_64)

Can you show the WAF > Overview as well as a random sample of malicious events (10 ideally).

Are they solving the Captcha and JS Challenge?

U can see in image that we get 24.7K hit from Windows machine from US. And this kind of hits are not getting blocked from WAF. Neither BOT filter blocking. and not RateLimit filter blocks this, due to this hits from different IPs. [And we connot Block Windows users and neither we can block whole US].

We can see here 99.61K hits from different countries within 15 mins time frame, uses windows machine. Attacker uses multiple IPs, multiple countries, genuine windows machine to attack.

Have you tried the Under Attack mode?

You can see Multiple IPs, and hits are within 100/mins, RateLimit Filter will also wont work.

We cannot keep ENABLE “Under Attack Mode” always I guess. It will block our Google Ads(Genuine bots).

To be completely fair, is it really an issue? You have a few thousand of events in what seem to be 30 minutes. I don’t tink that any server should have issues with that much traffic even if it all goes through Cloudflare.

The UA seems to be static and the ASNs that are throwing the attack are also limited so, you could try blocking that if its an actual annoyance.


few thousand?? I have attached the complete traffic logs, its around
181.52K. This many traffic enough to make our DB server down.

From those traffic logs it looks like you could try blocking AS203020 HOSTROYALE (unless you know you have legit traffic coming from there).

But that’s more a stop-gap solution until you can figure out a method of blocking them based on behavior or something else more common.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.