DDoS attack still stopping website from loading - Is there something else I can try?

Hi,

I ended up adding in my Plesk Firewall two rules, the first is Deny incoming from all on all ports and the second rule was Allow incoming from Cloudflare IPs. I then rebooted my server and it seemed to be working at first but then the DDoS attacks crashed my website again. I ended up enabling Under Attack Mode but when I try to access my website after Cloudflare tries Checking your browser before accessing… I get redirected to the “Error 522 (Connection timed out)” page.

I’m new to using Cloudflare but I was under the impression that it protects against DDoS attacks, is there anything else I can try to get my website loading again.

The only traffic coming to my website should be coming from Cloudflare since I denied all other IPs in the Plesk Firewall so I’m not sure why my website isn’t loading.

Thank you!

Have a look at Responding to DDoS attacks – Cloudflare Help Center and Under DDoS Attack! First steps - Tutorial - Cloudflare Community.

If your origin IP has been leaked, which from your other posts it has as you weren’t always using Cloudflare, I’d change the IP(s) of my origin… being careful not to leak the new IP(s) via gray-clouds, etc. And ensure that the server is only accepting Cloudflare traffic, preferably, at your host’s network-level before even reaching your server.

Even if you’ve blocked other IPs, the network could get flooded, depending on the size of the attack and such if they know the origin IP(s). Cloudflare can certainly help to mitigate traffic that passes through its network but can do nothing for direct-to-origin attacks though.

1 Like

Thank you for the quick reply!

Yeah, I’ll double check to make sure my server is only accepting Cloudflare traffic to my current server IP address.

Yes, I reached out to my hosting at OVH to see if they can issue me new dedicated IPs for my domain that’s being attacked. My only issue is that my mail server for that domain is under the same IP address and I see that MX records show gray-clouds; so need to figure out a way to maybe set up a new mail server under a different IP address?

Thank you!

There’s an interesting CF Auto UAM script on GitHub that you may want to check-out. I don’t know the specifics of the attack that you’re receiving, but it’s an interesting tool in your arsenal nonetheless. It will automatically enable/disable Cloudflare’s UAM based upon the CPU load thresholds you configure for it.

Seems like the attackers are hitting your backend directly. Can you screenshot your Cloudflare analytics during the attack?

This is what it shows under my “Analytics” page in Cloudflare.

My website runs off CentOS with Plesk and under Plesk Firewall I added the following but it seems like it’s still not blocking direct access to my website when I use the IP address; so I think this is why Cloudflare still can’t manage this DDoS attack. I’m trying to figure out why Plesk isn’t denying all incoming traffic except from Cloudflare IPs…always something.

Thank you!

Yea, I’d think they’re hitting your origin directly in addition to the traffic routed through Cloudflare. Do you have other Allow firewall rules? Your second screen capture indicates 1–25 of 31 and multiple pages.

Aside from UAM, if you look at the firewall events log in Cloudflare, is anything being blocked/challenged?

Yes, I have other firewall rules listed in Plesk but I believe the ones listed first get higher priority. I was actually able to do the following in Plesk and now it seems that it shows “403 Forbidden (nginx)” if I try to access my website using the IP address; which is good.

However, the part I don’t understand is now if I try to access my website using the domain name I also receive “403 Forbidden (nginx)”. I thought that since Cloudflare’s IPs are allowed my server that it would load the website properly? I’m guessing it shows “403 Forbidden (nginx)” because my computer IP that I’m trying to access my site from isn’t listed as “allowed” in my Plesk configuration.

Am I misunderstanding setting this up properly to lock down my server to only allow Cloudflare IPs?

Where would I go to view the firewall events log in Cloudflare? I’m under the “free” plan, is that available?

Thank you!

From the Home of your Cloudflare dashboard, click the zone and then go to Security » Overview.

I ended up upgrading to Pro and I hired a systems admin freelancer to help me resolve this issue we configured my server to only allow Cloudflare IPs but now I’m just getting Cloudflare IPs flooding my server and they’re not doing a good job mitigating the DDoS attack. I opened a support ticket so hopefully they can provide some help on resolving this issue.

We integrated WAF and put different rules but doesn’t seem to have helped resolve this DDoS attck.

Thank you!

Consider reading the following:

Read this before enabling the bot protection:

1 Like

Ty for the article links…I’ll look these over and hopefully can help stop these DDoS attacks.

I received an email sent to my support ticket system where it seems like an Eastern European hacker group is targeting my website. They’re asking for $3K and say that my site would then be put on a “do not attack” list. I’ve ignored the email, I’m not going to give in to any ransom.

It sounds like this isn’t set up:
https://support.cloudflare.com/hc/en-us/articles/200170786-Restoring-original-visitor-IPs

2 Likes

We blocked certain countries (e.g. Brazil, China, Russia, Taiwan, South Korea, etc.) that we saw a lot of the attacks coming from using the firewall rules but that means that no valid potential customers or current customers from these countries would be able to access my website?

Is there another option / approach to handle this to still allow valid traffic from these countries still through?

Thank you!

That’s exactly what the tutorial I linked earlier is for… if you are struggling to follow it, let us know, and we will try to guide you in the process.

1 Like

You could try changing the action of your country-blocking firewall rule from Block to Managed Challenge and let Cloudflare decide whether to challenge the request or not. This may or may not stop the bots, depending if they’re able to bypass the challenge or not, and whether Cloudflare even challenges the requests or not, but you could test it to see how it works in your situation though.

Thank you for the replies!

After reviewing the links in more detail we tweaked some more firewall/rules/etc. and it seems like the DDoS attacks have stopped now. We applied a “User Agent” mitigation and this seemed to really stop the attacks in their tracks. Still getting the hang of Cloudflare and all the ways that I can manually make changes to stop DDoS attacks but ty for your help and guidance in trying different techniques.

Ty!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.