DDoS: Layer 7?

Hello,

First of all I want to greet all Cloudflarers; I am new to this community :slight_smile:

A few details about my system:

  • Plesk Onyx
  • nginx (reverse proxy) + apache
  • Cloudflare FREE! before all websites hosted on my server
  • mod_Cloudflare installed
  • fail2ban installed

Now to my problem:

  • I have some kids that enjoy doing DDoS (GET) on one of my communities; this is a botnet because the "attackers" don't come from a single IP but from many many different IPs around the world.

Cloudflare can't stop them because it thinks that they are legitimate traffic.

Now my question:
What can I do to stop that?

The only way I have found at this point is to enable "CAPTCHA CHALLENGE" for almost all countries so the botnet has no chance to reach the webserver.

What else can I do without a challenge solution?

Thanks in advance.

I would recommend looking for a pattern in the malicious requests. For example, one of my sites was recently a target of an attack that utilized loads of Wordpress sites. I was able to just block the Wordpress user-agent in Nginx as there's no reason my site should need to handle Wordpress requests.

1 Like

Yes, one way is via user agent rate limiting and/or blocking - not entirely accurate as these bots can change their user agents, but it's a start.

For my Centmin Mod Nginx LEMP users I have a rate limit and/or bad bot blocking setup outlined at https://community.centminmod.com/threads/blocking-bad-or-aggressive-bots.6433/ which allows you to either allowlist a user agent, or rate limit it or block it at Nginx level. I had another script I wrote to pass on those user agents' IPs to my CSF Firewall for firewall level blocking too. You can also script it to pass the IPs to the Cloudflare end via API.

Worked well as my Linode VPS was handling the DDOS layer 7 attack easily, but Linode saw the increased network traffic as not acceptable so they null routed the VPS despite my VPS smoothly sailing through the attack with my user agent based blocking at nginx level https://community.centminmod.com/threads/forum-ddos-attacked-linode-null-routed.7045/. That's the issue with doing DDOS layer 7 based protection yourself: your server might be able to handle the load, but whether it's acceptable to the web host is another matter altogether. So I had to come up with my own solution, which is to set up a DDOS protected IP VPS server with a GRE tunnel so all traffic to my Linode origin flows through my DDOS protected IP VPS server (500Gbps protection) + have Sucuri Cloudproxy on the frontend for Layer 7 DDOS protection and Amazon SES for emails. DDOS protected IP VPS GRE tunnel + Sucuri adds an extra US$32/month to my costs.

Been thinking about Cloudflare Tips for migrating DNS from AWS Route53 to Cloudflare? - #3 by eva2000 but for full DDOS protection you'd have to bump up to the Business plan at $200/month. Probably the next level.

One of my Centmin Mod users also wrote a guide for using Nginx Lua, Redis server and fail2ban to rate limit and ban requests that would work behind Cloudflare https://community.centminmod.com/threads/how-to-limit-requests-and-ban-those-hitting-the-limit.7185/. Nginx would need to have Lua Nginx module support, which my Centmin Mod Nginx server has optional support for, and you'd need to install Redis server. Haven't used it myself though. Again, while you may get your server to cope with a DDOS attack to a certain extent, whether the web host finds it acceptable is another matter altogether!

Maybe other folks have tips as well :slight_smile:

1 Like

Hello,

Thanks for your replies, I have tried a lot but the only thing that helps is the Cloudflare captcha.

The user agents and IPs change every attack so I cannot block them based on that.

Don't know what else to do.

Hey!

Welcome to the community first off.

Here are some steps I'd take to minimise the impact/stop the attacks from reaching your backend.

  • First off, move all your assets to a (sub)domain/directory where you can enable aggressive caching; this will remove extra requests such as CSS and JS resources.
  • Enable 'I'm under attack!' under Cloudflare's settings; this will require all new users to wait 5 seconds before entering the site, and will cut off the majority of the botnets.
  • Get a few of the IP addresses, use https://bgp.he.net/ip/, and then check the ASNs between them (they'll be like AS##### or AS######); if they're the same, you can just block that ASN from your website. This article should help with that: https://support.cloudflare.com/hc/en-us/articles/217074967-How-do-I-control-access-to-my-site

Hope this helps,

James
1 Like

Hi,

  • I can move them to other directories because that's forum software that cannot be customized this way.
  • 'I'm under attack' mode I have tried before; this has brought nothing in this case.
  • The AS numbers are always different because the botnet is very big and has many many locations and IPs.

As mentioned before the only thing that helped was the captcha feature.

Are you sure that all that "ddos" traffic goes through Cloudflare?

Sure, I have Cloudflare enabled for that domain (not grey cloud).

Hi there,

There have been some good ideas pitched here already on how to resolve this issue. Restoring the visitor IP in your access logs and then using that information to set block/captcha IP firewall rules is a good way forward.

If you do not want to hinder your visitors with a Captcha or block message, you can look at using our new Rate-limiting feature.

https://support.cloudflare.com/hc/en-us/articles/235240767-Cloudflare-Rate-Limiting

You can then set rate-limit rules on the URI requests you are seeing lots of requests against in your access logs, and CF will rate-limit when an IP hits a defined threshold.

2 Likes
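The two things the replies above keep coming back to, finding a pattern in the flood (user agent, path) and rate limiting per IP on the busiest URI, can both be tried against an access log before touching Cloudflare or Nginx. The script below is an added example, not code from this thread, from Cloudflare or from Centmin Mod. It assumes a combined-format Nginx log in which the real visitor IP has already been restored (mod_cloudflare / CF-Connecting-IP), parses it, reports the dominant user agent and path, applies a per-IP threshold the way a rate-limit rule would, and contrasts that with the aggregate hit rate on the path. Every log line, IP, path and user agent in it is constructed; the WordPress user agent mirrors the first reply's pingback-style flood, the `$block_ua` map name is a hypothetical choice, and the thresholds are illustrative.

```python
"""Added example (not from the thread, Cloudflare or Centmin Mod): triage a layer-7
GET flood from an Nginx access log.

Assumes the "combined" log format with the real visitor IP already restored
(mod_cloudflare / CF-Connecting-IP), so every IP below is a client, not a Cloudflare
edge. All log lines, IPs, paths and user agents are constructed for the example.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Nginx "combined": ip - user [time] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
TEN_SECONDS = timedelta(seconds=10)


def parse(lines):
    """Parse log lines into dicts; lines that do not match are skipped, not fatal."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["time"] = datetime.strptime(e["time"], TIME_FMT)
            entries.append(e)
    return entries


def top(entries, field, n=5):
    """Most common values of one field (ip, path, ua): the 'look for a pattern' step."""
    return Counter(e[field] for e in entries).most_common(n)


def _peak_in_window(times, window):
    """Largest number of timestamps inside any half-open window of length `window`."""
    times = sorted(times)
    peak = start = 0
    for end, t in enumerate(times):
        while t - times[start] >= window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def per_ip_offenders(entries, path, limit, window):
    """What a per-IP rate-limit rule sees: IPs whose hits on `path` exceed `limit`
    inside any `window`. Returns [(ip, peak_hits)] sorted by peak, highest first."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["path"] == path:
            by_ip[e["ip"]].append(e["time"])
    peaks = [(ip, _peak_in_window(ts, window)) for ip, ts in by_ip.items()]
    return sorted([(ip, p) for ip, p in peaks if p > limit], key=lambda x: -x[1])


def path_peak(entries, path, window):
    """Aggregate view across all IPs: peak hits on `path` inside any `window`."""
    return _peak_in_window([e["time"] for e in entries if e["path"] == path], window)


def nginx_ua_block_map(bad_ua_substrings):
    """Render an Nginx `map` setting $block_ua (hypothetical variable name) to 1 when
    the User-Agent contains any substring, case-insensitively. Pair it with
    `if ($block_ua) { return 403; }` inside the server block."""
    rules = "\n".join(f'    "~*{re.escape(s)}" 1;' for s in bad_ua_substrings)
    return f"map $http_user_agent $block_ua {{\n    default 0;\n{rules}\n}}"


# ---- constructed sample log -------------------------------------------------
T0 = datetime(2017, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
FORUM = "/index.php?forums/"                                    # constructed path
BOT_UA = "WordPress/4.9; http://compromised-blog.invalid"       # constructed UA
REAL_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/56.0"        # constructed UA


def _line(ip, t, path, ua):
    return f'{ip} - - [{t.strftime(TIME_FMT)}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'


def build_sample_log():
    lines = []
    # one noisy source: 30 hits in 10 s (3 per second)
    lines += [_line("203.0.113.5", T0 + timedelta(seconds=i // 3), FORUM, BOT_UA)
              for i in range(30)]
    # distributed flood: 60 zombies, 2 hits each, a different zombie every second
    for k in range(60):
        lines += [_line(f"198.51.100.{k + 1}", T0 + timedelta(seconds=k), FORUM, BOT_UA)] * 2
    # a trickle of ordinary visitors
    for k, path in enumerate(["/", FORUM, "/index.php?threads/42/", "/styles/app.css"]):
        lines.append(_line(f"192.0.2.{k + 10}", T0 + timedelta(seconds=5 * k), path, REAL_UA))
    return lines


if __name__ == "__main__":
    entries = parse(build_sample_log())
    print("top user agents:", top(entries, "ua", 2))
    print("per-IP rule (>20 hits / 10 s):", per_ip_offenders(entries, FORUM, 20, TEN_SECONDS))
    print("aggregate peak on", FORUM, "per 10 s:", path_peak(entries, FORUM, TEN_SECONDS))
    print(nginx_ua_block_map(["WordPress"]))
```

On the constructed log the per-IP rule only flags the single heavy source; the sixty zombies stay under any reasonable per-IP threshold even though together they account for most of the hits on the forum index, which is the distributed case the original poster describes. The user-agent count, by contrast, exposes the flood immediately, and the rendered `map` is the Nginx-level block the earlier replies suggest, with the caveat they also state: it holds only until the botnet rotates its user agent.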

Thanks but this does not help because it's a botnet with many different locations and IPs, not a single IP.

If it was a single IP it would be easy, but not in this case.

Rate limiting should help just fine. And I believe that "I'm under attack" should help too, which makes it quite unusual that it doesn't work for you.

Rate limiting only helps when the attackers come from one single IP...

ā€œI"m under attackā€ has been tested during an attack and has not helping to prevent, only captcha until now.

Only the "I'm under attack!" mode can help you on the Free plan.
Or upgrade to Business plan.

As written before, "I'm under attack" doesn't help; only captcha on the free plan.

So just how many different IPs "attack" your website?

A few thousand different IPs that change daily.

I have tried a lot, even everything; only captcha helps, because there are many zombie PCs and that's why captcha helps.

Yeah, some DDOS attacks now can even bypass Cloudflare's I'm Under Attack Mode.

Don't think I'm stupid... That's the first thing I tried and it hasn't helped in this case...

Ok so here's the deal. I'm not trying to be a jerk but I'm trying to understand your problem better.

  1. The only way to block the "attack" is to show a captcha to the client
  2. There are many different IPs (a few thousand) - generally speaking I wouldn't count that number as "many"
  3. Rate limiting wouldn't work, so I guess that each IP makes few requests
  4. I assume that these IPs are not mainly from one country (for ex. the popular China)
  5. You didn't state what kind of forum software you use, nor did you say what kind of hardware you use
  6. I assume you don't use any kind of cache layer for that forum

So we can safely label your case as "sometimes I get a high volume of traffic which makes my site/server unresponsive".
Personally I wouldn't call that kind of traffic a DDoS attempt.

Now as for solutions. Because this kind of traffic is highly similar to typical traffic, I don't believe you can expect Cloudflare (meaning the services they offer) to do anything in that case. The only thing I believe you can do (assuming you don't want to spend $ on it) is to try to make the software more optimized (like caching of dynamic content + proper cache invalidation) so your hardware can actually endure that kind of traffic.

4 Likes

It's a layer 7 attack from a botnet :slight_smile:

I left captcha on and the problem is gone, but as a free user it does not look good :smiley: