DDOS attack via Cloudflare network, "Under attack mode" not working

We are experiencing a DDOS attack on our site odjeca.hr with more than 1.000 requests per second. All requests are coming from IPs belonging to Cloudflare. Our CF setup has several protections of DDOS prevention including managed challenge with ruleset sensitivity high, bot fight mode, threat score based WAF rules and Bot protection mode. Despite this, the attack still happened and is ongoing as I write this.

We noticed that most of the requests are coming from CF IP addresses in Singapore (which are surely attacks as the site has no audience there), so we blocked the country in WAF (sshot below) but it didn’t help, we can still see requests coming from CF IP addresses in Singapore.

We have then enabled “Under attack mode”, but this didn’t help, and when we try to access the site, there is no JS challenge.

We have set up a WAF rule to block all threats with threat score greater than 5, it didn’t help either.

We have set up a WAF rate limiting rule which blocks an IP if there were more than 50 requests in 10 seconds, it didn’t help, the attacks just keep coming.

Seems like no measure we take is working and CF protections are not working as expected.
The fact that the “Under attack mode” is not working is deeply concerning.

Any idea how to solve this?
Is there a problem in the CF infrastructure, or have we set up something wrong?

Additional sshot, Under attack mode enabled:

Additional sshot, example of CF IP addresses from Singapore from which the attacks are coming:

If none of your rules / settings have any effect, you are probably not in the CF account that manages your site.

When you go to https://dash.cloudflare.com/?to=/:account/:zone/dns/records, do you see Karl and Carol as your assigned nameservers?

Otherwise, is your host maybe using Cloudflare? In that case, their settings would overrule yours.

1 Like

That sure looks like your server hasn’t been configured to Restore Visitor IP addresses:

Get that configured correctly, and you’ll start getting accurate information for the source of the attack.

2 Likes

That’s a Cloudflare IP address, not the visitor IP address. You need to restore the visitor IP as @sdayman mentioned to understand where the visitor was actually coming from.

2 Likes
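An added example (not code from any poster in this thread) of what restoring the visitor IP means at the origin: the socket peer is a Cloudflare edge address, and the real client address is taken from Cloudflare's `CF-Connecting-IP` request header only when the peer really is Cloudflare. Assumptions: the range list is a partial, hard-coded copy of https://www.cloudflare.com/ips/, and the sample records are constructed.

```python
import ipaddress
from collections import Counter
from typing import Optional

# Partial copy of Cloudflare's published IPv4 ranges (assumption: refresh the
# full list from https://www.cloudflare.com/ips/ before relying on it).
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "141.101.64.0/18", "108.162.192.0/18",
    "162.158.0.0/15", "104.16.0.0/13", "172.64.0.0/13",
)]

def is_cloudflare(peer: str) -> bool:
    """True when the TCP peer is inside one of the listed Cloudflare ranges."""
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in CLOUDFLARE_NETS)

def visitor_ip(peer: str, cf_connecting_ip: Optional[str]) -> str:
    """Address to log and rate-limit on at the origin."""
    # Trust the header only when the connection came from Cloudflare;
    # from any other peer it is client-controlled and can be spoofed.
    if cf_connecting_ip and is_cloudflare(peer):
        try:
            return str(ipaddress.ip_address(cf_connecting_ip.strip()))
        except ValueError:
            pass  # malformed header value: fall back to the socket peer
    return peer

def top_sources(records, n=3):
    """Count requests per restored visitor address, busiest first."""
    return Counter(visitor_ip(p, h) for p, h in records).most_common(n)

# Constructed sample: (socket peer, CF-Connecting-IP header value)
SAMPLE = [
    ("162.158.10.7", "203.0.113.9"),
    ("162.158.10.8", "203.0.113.9"),
    ("172.64.3.1", "203.0.113.9"),
    ("104.16.1.1", "198.51.100.4"),
    ("192.0.2.50", "203.0.113.9"),   # peer is not Cloudflare: header ignored
    ("162.158.10.7", "not-an-ip"),   # malformed header: peer is kept
]

if __name__ == "__main__":
    for ip, count in top_sources(SAMPLE):
        print(ip, count)
```

Without this step, every request in the origin log appears to come from whichever Cloudflare data centre proxied it, which is why the logged addresses point at Cloudflare rather than at the visitors.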

I’m 200% sure I’m in the account that manages my site, plus it’s visible in the second sshot I provided that the site is odjeca.hr.

Karl and Carol are our assigned nameservers, here’s a sshot of our DNS setup:

Thank you for the info, we’ll try the suggestion from @sdayman.

But this doesn’t seem related to “Under attack” mode not working, nor to other protections being bypassed. E.g. the “Under attack” mode is still enabled as we speak, but if you visit the odjeca.hr website now, you’ll see there’s no CF interstitial page shown.

Any idea why this is happening?

Thank you for the info, we’ll try your suggestion.

But this doesn’t seem related to “Under attack” mode not working, nor to other protections being bypassed. E.g. the “Under attack” mode is still enabled as we speak, but if you visit the odjeca.hr website now, you’ll see there’s no CF interstitial page shown.

Any idea why this is happening?

Under Attack Mode is a “Security Level” setting. If you have a Page Rule that also sets this, that may override your Under Attack Mode.

2 Likes
