DDOS attack prevention

Hello!

My website https://www.workandliveinchina.com/ is under DDOS attack, I have upgraded to Pro Plan to get additional security and firewall rules, but I want to know what else I can do to protect my website now and in future.

I am not very tech savvy in this thing, so would appreciate guidance or help since the issue is very critical.

Traffic screenshot within 24 hours - http://prntscr.com/o9vg7t
Countries the attack is coming from - http://prntscr.com/o9vhm3

The error I get is a 503 message - http://prntscr.com/o9vhww

Thank you in advance.

For starters you can use the IP access rules to impose either a JavaScript challenge or a captcha challenge for these five countries.

Do you have log excerpts of these requests?

Thank you for fast response. Not sure if I have them, where exactly can I see the logs?

On your server. Can you post excerpts from your webserver logs?

I think I found them, here’s the screenshot - http://prntscr.com/o9vr26

You need to post the log lines.

My host provider says that on their side I will see only IP addresses of Cloudflare, not those which attacked. Can I see the logs somewhere in the Cloudflare dashboard?

172.68.11.173 - - [03/Jul/2019:00:00:17 +0300] "GET /wp-content/uploads/2019/06/the-great-wall-of-China-tourists-300x200.jpg HTTP/1.1" 200 13926 "-" "Mozilla/5.0 (compatible; YandexImages/3.0; +http://yandex.com/bots)"
172.69.55.190 - - [03/Jul/2019:00:00:43 +0300] "GET /wp-content/uploads/2018/12/Screen-Shot-2018-01-30-at-12.02.38-PM-1-1170x653.png HTTP/1.1" 200 1106984 "https://www.workandliveinchina.com/11-reasons-why-life-in-china-is-so-great/" "Mozilla/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/17.3b15323 Mobile/15E148 Safari/605.1.15"
172.69.54.81 - - [03/Jul/2019:00:01:15 +0300] "GET /wp-content/uploads/2018/12/chinese-tea.jpg HTTP/1.1" 200 170417 "https://www.workandliveinchina.com/11-reasons-why-life-in-china-is-so-great/" "Mozilla/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/17.3b15323 Mobile/15E148 Safari/605.1.15"
141.101.77.140 - - [03/Jul/2019:00:01:43 +0300] "GET /wp-content/uploads/2018/10/beijing-1400x788-1.jpg HTTP/1.1" 200 143126 "https://www.workandliveinchina.com/11-reasons-why-life-in-china-is-so-great/" "Mozilla/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/17.3b15323 Mobile/15E148 Safari/605.1.15"
172.69.54.189 - - [03/Jul/2019:00:02:34 +0300] "GET /wp-content/uploads/2018/12/1440_Koh-Tao-beach-Thailand.jpg HTTP/1.1" 200 238704 "https://www.workandliveinchina.com/11-reasons-why-life-in-china-is-so-great/" "Mozilla/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/17.3b15323 Mobile/15E148 Safari/605.1.15"
162.158.58.129 - - [03/Jul/2019:00:02:36 +0300] "GET /chinese-work-visa-uk-2019/amp/ HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
141.101.76.40 - - [03/Jul/2019:00:03:28 +0300] "GET /wp-content/uploads/2018/12/large_81d5a6bc-66e1-4562-9b85-2b2367f4766f-1860x1046-1170x658.jpg HTTP/1.1" 200 74140 "https://www.workandliveinchina.com/11-reasons-why-life-in-china-is-so-great/" "Mozilla/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/17.3b15323 Mobile/15E148 Safari/605.1.15"

Are the requests with the user agent Mozilla/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/17.3b15323 Mobile/15E148 Safari/605.1.15 the issue?

If so, you could block or challenge them with the user agent filter on Cloudflare.

I have done as you suggested, but looking through the log file I find different patterns: different devices, browsers and versions.

Is there any other way to go about this?

162.158.89.205 - - [03/Jul/2019:08:35:20 +0300] "GET / HTTP/1.1" 503 3328 "https://www.workandliveinchina.com" "Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.18"
141.101.69.81 - - [03/Jul/2019:08:35:20 +0300] "GET / HTTP/1.1" 503 3328 "https://www.workandliveinchina.com" "Opera/9.80 (Android; Opera Mini/12.0.1987/37.7327; U; pl) Presto/2.12.423 Version/12.16"
162.158.92.124 - - [03/Jul/2019:08:35:20 +0300] "GET / HTTP/1.1" 503 3328 "https://www.workandliveinchina.com" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36 DejaClick/2.6.5.0"
172.69.226.89 - - [03/Jul/2019:08:35:20 +0300] "GET / HTTP/1.1" 503 3328 "https://www.workandliveinchina.com" "Mozilla/5.0 (Linux; U; Android 2.2) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"
162.158.91.229 - - [03/Jul/2019:08:35:20 +0300] "GET / HTTP/1.1" 503 3328 "https://www.workandliveinchina.com" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; Media Center PC 6.0) DMBrowser-BV"
141.101.88.34 - - [03/Jul/2019:08:35:20 +0300] "GET / HTTP/1.1" 503 3328 "https://www.workandliveinchina.com" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; Media Center PC 6.0) DMBrowser-BV"
108.162.229.166 - - [03/Jul/2019:08:35:20 +0300] "GET / HTTP/1.1" 503 3328 "https://www.workandliveinchina.com" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1"
162.158.90.240 - - [03/Jul/2019:08:35:20 +0300] "GET / HTTP/1.1" 503 3328 "https://www.workandliveinchina.com" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36"

First you need to get logs. Since your server is down you will need CF to assist you with this; the easiest way is to use https://logflare.app/ or a worker.

After that you can use all of these tools to help against layer 7 attacks:

  • rate limiting
  • I am under attack mode (not working with API routes)
  • firewall rules
  • IP Access Rules
  • User Agent Blocking
  • full html caching
  • worker
  • countries based rules

Why do you think you are under DDOS attack, as opposed to just getting traffic? Looking at the log snippets, caching HTML should significantly reduce the request volume to the origin.

Doing this with WordPress needs a little bit of care, but is easy on the Pro plan. Plenty of resources in the Help Center.

Hence I asked you for the excerpt. You only provided one with the aforementioned user agent. If that user agent is not the issue, you certainly shouldn't block it.

I think I am under DDOS because I am being scammed on Skype and asked for 5000 US dollars so it stops. So the person doing this is messaging me on Skype and blackmailing me. And I usually do not get that many visits, compared to the 20+ million visits over the past couple of hours.

You need to analyse your log files and find a pattern on which you can block these requests.

However, for starters you should enable “I am under attack”. Have you done that already? Does that stop the requests? Have you also implemented the access rules initially mentioned?
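One way to do that pattern analysis on the log excerpts posted above, as an added example that is not part of the thread: it parses combined-format lines and groups requests by second, path and referer while ignoring the rotating user agent, which is the field the flood varies. The sample lines are constructed to mirror the excerpts; on a proxied site the first field is a Cloudflare edge address, so the origin must be configured to log the CF-Connecting-IP header before any per-visitor analysis is possible.

```python
import re
from collections import Counter

# Combined log format as written by the origin web server. Behind Cloudflare the
# client field holds an edge address; the visitor address is only available if
# the origin is configured to log the CF-Connecting-IP header instead.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def burst_signatures(lines, threshold=3):
    """Group requests by (second, path, referer), ignoring the user agent.

    A flood that rotates user agents but hammers the same path with the same
    referer collapses into one key here, so it stands out even when every
    individual user agent looks rare.
    """
    counts = Counter()
    for rec in map(parse_line, lines):
        if rec:
            counts[(rec["ts"], rec["path"], rec["referer"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

def status_by_path(lines):
    """Count (path, status) pairs to see which requests are failing with 503."""
    return Counter((r["path"], r["status"]) for r in map(parse_line, lines) if r)

# Constructed sample modelled on the excerpts in the thread: four hits on "/"
# in the same second with an identical bare referer and rotating user agents,
# plus two ordinary requests.
SAMPLE = [
    '162.158.89.205 - - [03/Jul/2019:08:35:20 +0300] "GET / HTTP/1.1" 503 3328 "https://www.workandliveinchina.com" "Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.18"',
    '141.101.69.81 - - [03/Jul/2019:08:35:20 +0300] "GET / HTTP/1.1" 503 3328 "https://www.workandliveinchina.com" "Opera/9.80 (Android; Opera Mini/12.0.1987/37.7327; U; pl) Presto/2.12.423 Version/12.16"',
    '172.69.226.89 - - [03/Jul/2019:08:35:20 +0300] "GET / HTTP/1.1" 503 3328 "https://www.workandliveinchina.com" "Mozilla/5.0 (Linux; U; Android 2.2) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"',
    '162.158.90.240 - - [03/Jul/2019:08:35:20 +0300] "GET / HTTP/1.1" 503 3328 "https://www.workandliveinchina.com" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36"',
    '172.69.54.81 - - [03/Jul/2019:00:01:15 +0300] "GET /wp-content/uploads/2018/12/chinese-tea.jpg HTTP/1.1" 200 170417 "https://www.workandliveinchina.com/11-reasons-why-life-in-china-is-so-great/" "Mozilla/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/17.3b15323 Mobile/15E148 Safari/605.1.15"',
    '162.158.58.129 - - [03/Jul/2019:00:02:36 +0300] "GET /chinese-work-visa-uk-2019/amp/ HTTP/1.1" 304 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
]

if __name__ == "__main__":
    for (ts, path, ref), n in burst_signatures(SAMPLE).items():
        print(f"{n} requests at {ts} for {path} with referer {ref!r}")
    print(status_by_path(SAMPLE))
```

A key that survives the threshold (here: "/" with the bare referer, four times in one second) is the kind of pattern a firewall rule can match on, whereas the user agent alone is not.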

Yes, I have enabled the Under Attack Mode right away, but it did not help.

So far I decided to create Firewall Rules based on the AS Num and Country since I noticed that most of the requests came from the top 5 countries - http://prntscr.com/o9xw0l
I have added the rule "country equals [Country] and AS Num greater than 15000" with the action Challenge (captcha).

I have also enabled Rate Limiting, but I am not sure if I did it correctly - http://prntscr.com/o9xxbh
I created a rule: Blocking IPs exceeding 80 requests per minute for 1 hour

Do you think these measures will be enough for the protection?

If that mode does not help, it either means they manage to pass the JavaScript challenge or attack your server directly. If it is the latter none of the Cloudflare settings will make a difference. You will need to make sure that your server is not accessible from anywhere but Cloudflare.
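One way to check whether the origin is really only reachable through Cloudflare, and to generate the corresponding host firewall rules, as an added example that is not from the thread: Cloudflare publishes its edge ranges at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6; the IPv4 list embedded here is a snapshot of that published list and is assumed to be refreshed from the URL before use. The client addresses from the log excerpts above all fall inside those ranges, which is consistent with the hosting provider's statement that only Cloudflare addresses are visible.

```python
import ipaddress

# Snapshot of Cloudflare's published IPv4 edge ranges (https://www.cloudflare.com/ips-v4).
# Assumption: this list is refreshed from the URL before the rules are applied.
CLOUDFLARE_IPV4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
NETWORKS = [ipaddress.ip_network(n) for n in CLOUDFLARE_IPV4]

def is_cloudflare_edge(ip, networks=NETWORKS):
    """True if ip belongs to one of the known Cloudflare edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def direct_hits(log_client_ips, networks=NETWORKS):
    """Client addresses from the origin log that did NOT arrive through Cloudflare.

    Any entry here means the origin is reachable directly, so Cloudflare's
    challenges and rate limits are bypassed for those requests.
    """
    return [ip for ip in log_client_ips if not is_cloudflare_edge(ip, networks)]

def origin_allow_rules(networks=NETWORKS, ports=(80, 443)):
    """Generate iptables commands that accept web traffic only from the edge ranges.

    The final rules drop everything else on those ports; SSH and other
    management ports are deliberately left untouched.
    """
    rules = []
    for net in networks:
        for port in ports:
            rules.append(f"iptables -A INPUT -p tcp -s {net} --dport {port} -j ACCEPT")
    for port in ports:
        rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules

if __name__ == "__main__":
    # Client fields taken from the thread's log excerpts, all Cloudflare edge addresses.
    logged = ["172.68.11.173", "141.101.77.140", "162.158.58.129", "108.162.229.166"]
    print("direct hits:", direct_hits(logged))
    print("\n".join(origin_allow_rules()))
```

Run direct_hits over the full access log rather than a handful of lines; a single non-edge client address on port 80 or 443 is proof that the origin is being reached around Cloudflare.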

How do I actually do that?
I assumed this in the beginning, but my hosting provider just sends me to Cloudflare with my questions, since the requests go through Cloudflare IPs.

I also found this YouTube guidance, do you think it is relevant and this is what should be done?