DDOS attack on my site

I got an email from my hosting:

Hello!
Welcome to the Registrar of domain names REG.RU!
Your site has undergone an HTTP flood DDoS attack.
Requests to the site create a high load on the server, so we have limited
access to the site using a firewall.

Free DDoS protection only repels UDP, TCP and ICMP flood attacks.

As we can see, CloudFlare is already connected to your site, but their protection
skips requests. We recommend adjusting the traffic filtering settings
on the CloudFlare side.

What should I do?

It would be interesting to have more stats on the actual traffic that arrived at your site. Do you have some analytics on Cloudflare and/or the hosting? Can you share them?

Also the host should block all IPs excluding Cloudflare’s (cloudflare.com/ips).

2 Likes

Was it the attack period?

Could be, yeah. You even have Under Attack Mode enabled. They really need to block all other IPs from direct access.

1 Like

Just an FYI, if the attack is going directly to the server (not through Cloudflare) it will not show up in Cloudflare analytics.

3 Likes

Why did CloudFlare not repel the attack, and why did the hoster need to close the site?

Because not all attacks are easily discernible from actual traffic, you need to configure the zone to your liking, block unwanted traffic and cache resources. DDOS can come in many different variations.

1 Like

If you expose or have previously exposed your origin IP address, attackers can target your server directly.

If that is the case, then please request a new IP address from your hosting provider, make sure that all the records that mention it are proxied in your Cloudflare dashboard and configure the firewall at your host to only accept connections from Cloudflare IP ranges.

Otherwise, please contact Cloudflare support and we will do our best to help you out.

2 Likes

How do I check it?

If you see traffic to the server from outside Cloudflare it’s exposed, but it’s most likely been exposed.

Can a DDoS attack be aimed at a certain IP address?

There are multiple sites on the same CloudFlare IP - could my site have been hurt because of this?

No, all IPs are basically the same. That wouldn’t be an issue…

As a guess - what could be the reason to start an attack on my site?

It is a culinary site and I have no big business with it. I don’t believe that competitors could start it. The attack went on for 3 hours and stopped. And it did not hurt my site so much. Now 3 days have passed since the day of the attack and a new attack still hasn’t happened.

What intent did the person have in starting such a small attack?

It seems more like it was an occasional blast.

The reasons behind a DDoS attack are most of the time unknown unless you are targeted by some noisy person. We have received plenty of DDoS attacks (hundreds) and for only a couple of them did we know who was behind the attacks.

From the looks of your graph, it seems pretty obvious to me that it was not a peak in traffic but a DDoS attack.

The problem with Layer7 attacks is that they are too complex for an automated solution to filter them out of the box, any provider that claims to be fully automated from the start is lying.
Application attacks are very special and unlike Layer4, they generate “legitimate” connections, you can only “guess” which petition is legit by challenging the request or adding some sort of behavioral firewalling.
Cloudflare allows you to do this; however, if you are not a techy guy I would recommend reading the plenty of guides that are out there or simply hiring a system administrator who can probably set up your site to minimize the attacks you may receive in the future.

1 Like

Was it the second attack yesterday?

Was it?

You could open a ticket with Support to understand the nature of the attack and identify what could be done for mitigation.

1 Like