DDoS / Bot Blocking Options

We had a bot probing our site for about 10 hours today (all manner of attempts). All told, something like 600k requests were blocked before we added an IP block to stop them all (approaching 800k requests blocked now, but everything is blocked right now).

For comparison, yesterday we had 98k total requests to the site (only a few hundred tripped any Firewall rules). In total we’re at about 1.2M requests. Of that we have about 800k blocked, so I can estimate maybe 300k+ (bad bot) requests made it to our origin server.

My questions:

  1. This IP was blocked in some WAF rules automatically. For example:

Is there a way to use this as a basis for initiating an IP block? If a single IP is triggering 10k SQL injection attempts (in total Managed rules blocked this IP 169k times today), it’s probably a bad guy… It seems like this should trip something that forces this IP to be blocked, or at a minimum to require a Challenge for some period.

  2. I set up rate limiting today as a precaution. Is there a better way to handle this situation? This is another added cost, which, although not massive, will inch our CF bill higher still.

  3. I also enabled “Super Bot Fight Mode” today, but it sounds like this should not stay enabled long term? The only thing I enabled was the “Definitely Automated” to use a Managed Challenge. I left Verified bots set to Allow, and left Static resource protection and JS Detection disabled.

I was doing some more reading this morning and noticed there is the “Security level” setting in Security > Settings. This is already set to Medium, with Challenge Passage set to 30 minutes (I believe these are both the defaults).

What I don’t know however is what the Threat Score was for this IP. It seems that they should have been getting at least paused/delayed with the challenge, but maybe every 30 minutes they were getting it and bypassing it, then the bot continued on?
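One way to turn the repeated WAF hits described above into a per-IP decision, as an added example that is not part of the original post and not Cloudflare’s own tooling: count block events per client IP over a time window and escalate to a challenge or an outright block once thresholds are crossed. The JSON-lines log shape and its field names (Datetime, ClientIP, Action) are assumptions for this example, as are the sample events.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample of firewall events in a JSON-lines shape. The field
# names are assumed for this example; match them to your own log export.
SAMPLE_LOG = """
{"Datetime": "2024-01-01T10:00:00Z", "ClientIP": "203.0.113.7", "Action": "block"}
{"Datetime": "2024-01-01T10:00:01Z", "ClientIP": "203.0.113.7", "Action": "block"}
{"Datetime": "2024-01-01T10:00:02Z", "ClientIP": "203.0.113.7", "Action": "block"}
{"Datetime": "2024-01-01T10:00:03Z", "ClientIP": "203.0.113.7", "Action": "block"}
{"Datetime": "2024-01-01T10:00:05Z", "ClientIP": "198.51.100.2", "Action": "block"}
{"Datetime": "2024-01-01T10:00:06Z", "ClientIP": "198.51.100.2", "Action": "block"}
{"Datetime": "2024-01-01T10:00:08Z", "ClientIP": "192.0.2.9", "Action": "allow"}
{"Datetime": "2024-01-01T09:00:00Z", "ClientIP": "192.0.2.9", "Action": "block"}
"""


def blocks_per_ip(log_text, now, window):
    """Count WAF 'block' events per client IP that fall inside [now - window, now]."""
    counts = Counter()
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        if event["Action"] != "block":
            continue
        ts = datetime.fromisoformat(event["Datetime"].replace("Z", "+00:00"))
        if now - window <= ts <= now:
            counts[event["ClientIP"]] += 1
    return counts


def recommend(counts, challenge_at, block_at):
    """Escalate: managed challenge above one threshold, block above a higher one."""
    actions = {}
    for ip, hits in counts.items():
        if hits >= block_at:
            actions[ip] = "block"
        elif hits >= challenge_at:
            actions[ip] = "managed_challenge"
    return actions


def analyze(log_text, now_iso, window_minutes, challenge_at, block_at):
    """Parse the log, window the block events, and return {ip: action}."""
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00")).astimezone(timezone.utc)
    counts = blocks_per_ip(log_text, now, timedelta(minutes=window_minutes))
    return recommend(counts, challenge_at, block_at)


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG, "2024-01-01T10:00:10Z", 10, 2, 4))
```

The thresholds are deliberately low so the constructed sample trips them; in practice they would be tuned against a normal day’s traffic (the post’s 98k requests with only a few hundred WAF hits) so that legitimate clients never reach the challenge tier.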
