First of all I want to greet all Cloudflarers; I am new in this community.
A few facts about my system:
Plesk Onyx
nginx (reverse proxy) + apache
Cloudflare FREE! before all websites hosted on my server
mod_cloudflare installed
fail2ban installed
Now to my problem:
I have some kids who enjoy doing DDoS (GET) attacks on one of my communities. This is a botnet, because the "attackers" don't come from a single IP but from many, many different IPs around the world.
Cloudflare can't stop them because it thinks they are legitimate traffic.
Now my question:
What can I do to stop that?
The only way I have found at this point is to enable "CAPTCHA CHALLENGE" for almost all countries so the botnet has no chance to reach the webserver.
I would recommend looking for a pattern in the malicious requests. For example, one of my sites was recently the target of an attack that utilized loads of WordPress sites. I was able to just block the WordPress user-agent in Nginx, as there's no reason my site should need to handle WordPress requests.
Yes, one way is via user agent rate limiting and/or blocking. Not entirely accurate, as these bots can change their user agents, but it's a start.
For my Centmin Mod Nginx LEMP users I have a rate limit and/or bad bot blocking setup outlined at https://community.centminmod.com/threads/blocking-bad-or-aggressive-bots.6433/ which allows you to either allowlist a user agent, rate limit it, or block it at Nginx level. I had another script I wrote to pass those user agents' IPs on to my CSF Firewall for firewall-level blocking too. You can also script it to pass the IPs to the Cloudflare end via API.
Worked well, as my Linode VPS was handling the DDOS layer 7 attack easily, but Linode saw the increased network traffic as not acceptable, so they null routed the VPS despite my VPS sailing smoothly through the attack with my user agent based blocking at nginx level: https://community.centminmod.com/threads/forum-ddos-attacked-linode-null-routed.7045/. That's the issue with doing DDOS layer 7 based protection yourself: your server might be able to handle the load, but whether it's acceptable to the web host in doing so is another matter altogether. So I had to come up with my own solution, which is to set up a DDOS protected IP VPS server with a GRE tunnel so all traffic to my Linode origin flows through my DDOS protected IP VPS server (500Gbps protection) + have Sucuri Cloudproxy on the frontend for Layer 7 DDOS protection and Amazon SES for emails. DDOS protected IP VPS GRE tunnel + Sucuri adds an extra US$32/month to my costs.
One of my Centmin Mod users also wrote a guide for using Nginx Lua, Redis server and fail2ban to rate limit and ban requests that would work behind Cloudflare: https://community.centminmod.com/threads/how-to-limit-requests-and-ban-those-hitting-the-limit.7185/. Nginx would need to have Lua Nginx module support, which my Centmin Mod Nginx server has optional support for, and you'd need to install Redis server. Haven't used it myself though. Again, while you may get your server to cope with a DDOS attack to a certain extent, whether the web host finds it acceptable is another matter altogether!
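The "limit requests and ban those hitting the limit" idea from the linked guide, shown as an added example (this is not the guide's Lua/Redis code, nor anything from the thread's posters). The guide keeps counters in Redis so that several Nginx workers share them; here an in-memory dict stands in so the example runs offline. The `on_ban` hook is where a real setup would hand the IP to fail2ban, CSF or the Cloudflare API; the limit, window and ban length are hypothetical values, not recommendations.

```python
"""Sliding-window per-IP request limiter with temporary bans (added example)."""
from collections import Counter, deque
from typing import Callable, Deque, Dict, List, Optional


class RequestLimiter:
    def __init__(self, limit: int, window_s: float, ban_s: float,
                 on_ban: Optional[Callable[[str, float], None]] = None):
        self.limit = limit          # requests tolerated per window
        self.window_s = window_s    # sliding window length, seconds
        self.ban_s = ban_s          # how long an IP stays banned, seconds
        self.on_ban = on_ban        # hook: push the IP to a firewall / API
        self._hits: Dict[str, Deque[float]] = {}       # in-memory stand-in for Redis
        self._banned_until: Dict[str, float] = {}

    def check(self, ip: str, now: float) -> str:
        """Classify one request from `ip` at time `now` (epoch seconds).

        Returns "banned" while a ban is active, "limited" for the single
        request that crosses the threshold (which starts the ban), else "allowed".
        """
        until = self._banned_until.get(ip)
        if until is not None:
            if now < until:
                return "banned"
            del self._banned_until[ip]          # ban expired: count afresh
        hits = self._hits.setdefault(ip, deque())
        hits.append(now)
        while hits and hits[0] <= now - self.window_s:   # drop stale timestamps
            hits.popleft()
        if len(hits) > self.limit:
            self._banned_until[ip] = now + self.ban_s
            hits.clear()
            if self.on_ban:
                self.on_ban(ip, now)
            return "limited"
        return "allowed"

    def banned_ips(self, now: float) -> List[str]:
        return sorted(ip for ip, t in self._banned_until.items() if t > now)


def simulate_traffic() -> Dict[str, Counter]:
    """Run constructed traffic through the limiter; count outcomes per IP.

    Constructed input (documentation-range addresses): one ordinary visitor
    at 1 req/s and one botnet node at 20 req/s, both for ten seconds.
    """
    visitor, bot = "192.0.2.5", "198.51.100.77"
    requests = [(float(s), visitor) for s in range(10)]
    requests += [(i * 0.05, bot) for i in range(200)]
    requests.sort()
    bans: List[str] = []
    limiter = RequestLimiter(limit=30, window_s=10.0, ban_s=600.0,
                             on_ban=lambda ip, t: bans.append(ip))
    outcome: Dict[str, Counter] = {visitor: Counter(), bot: Counter()}
    for t, ip in requests:
        outcome[ip][limiter.check(ip, t)] += 1
    outcome["_bans"] = Counter(bans)   # how often the hook fired, per IP
    return outcome


if __name__ == "__main__":
    for key, counts in simulate_traffic().items():
        print(key, dict(counts))
```

With these numbers the visitor's ten requests are all allowed, while the bot gets 30 allowed requests, one "limited" verdict that triggers a single ban, and every later request rejected as "banned". Because the ban clears the window and the counter is only rebuilt after the ban expires, a node that keeps hammering is re-banned on its 31st request after expiry rather than immediately, which is the same behaviour a fail2ban `maxretry`/`findtime` pair gives.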
Here are some steps I'd take to minimise the impact of the attacks and stop them from reaching your backend.
First off, move all your assets to a (sub)domain/directory where you can enable aggressive caching; this will remove extra requests such as CSS and JS resources.
Enable "I'm under attack!" under Cloudflare's settings. This will require all new users to wait 5 seconds before entering the site, and will cut off the majority of the botnets.
There have been some good ideas pitched here already on how to resolve this issue. Restoring the visitor IP in your access logs and then using that information to set block/captcha IP firewall rules is a good way forward.
If you do not want to hinder your visitors with a Captcha or block message, you can look at using our new Rate-limiting feature.
You can then set rate-limit rules on the URI requests you are seeing lots of requests against in your access logs, and CF will rate-limit when an IP hits a defined threshold.
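The two pieces of advice above, "look for a pattern in the malicious requests" and "find the URIs seeing lots of requests in your access logs, then rate-limit per IP", both start from the same log analysis. This added example (not code from any poster or from Cloudflare) does that analysis over a few constructed combined-format log lines. It assumes the real visitor IP has already been restored into the first log field, which is what mod_cloudflare (or Nginx's real_ip module) does behind Cloudflare; without that, every line would carry a Cloudflare edge address and the per-IP counts would be meaningless. The addresses and user agents are constructed, and `nginx_ua_map` renders a plain Nginx `map` block for whatever patterns you decide to block.

```python
"""Find the pattern in an access log and pick rate-limit candidates (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Nginx/Apache "combined" log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample: three botnet nodes with WordPress pingback-style user
# agents hitting the forum index, plus one ordinary Firefox visitor.
SAMPLE_LOG = """\
198.51.100.23 - - [10/Oct/2017:13:55:36 +0000] "GET /forum/index.php HTTP/1.1" 200 51234 "-" "WordPress/4.8; http://blog-a.example"
198.51.100.24 - - [10/Oct/2017:13:55:36 +0000] "GET /forum/index.php HTTP/1.1" 200 51234 "-" "WordPress/4.7.5; http://blog-b.example"
192.0.2.5 - - [10/Oct/2017:13:55:36 +0000] "GET /forum/index.php HTTP/1.1" 200 51234 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0"
198.51.100.23 - - [10/Oct/2017:13:55:37 +0000] "GET /forum/index.php HTTP/1.1" 200 51234 "-" "WordPress/4.8; http://blog-a.example"
198.51.100.24 - - [10/Oct/2017:13:55:37 +0000] "GET /forum/index.php HTTP/1.1" 200 51234 "-" "WordPress/4.7.5; http://blog-b.example"
203.0.113.9 - - [10/Oct/2017:13:55:37 +0000] "GET /forum/index.php HTTP/1.1" 200 51234 "-" "WordPress/4.8; http://blog-c.example"
192.0.2.5 - - [10/Oct/2017:13:55:37 +0000] "GET /forum/style.css HTTP/1.1" 200 8120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0"
198.51.100.23 - - [10/Oct/2017:13:55:38 +0000] "GET /forum/index.php HTTP/1.1" 200 51234 "-" "WordPress/4.8; http://blog-a.example"
198.51.100.24 - - [10/Oct/2017:13:55:38 +0000] "GET /forum/index.php HTTP/1.1" 200 51234 "-" "WordPress/4.7.5; http://blog-b.example"
203.0.113.9 - - [10/Oct/2017:13:55:38 +0000] "GET /forum/index.php HTTP/1.1" 200 51234 "-" "WordPress/4.8; http://blog-c.example"
198.51.100.23 - - [10/Oct/2017:13:55:39 +0000] "GET /forum/index.php?topics/42/ HTTP/1.1" 200 51234 "-" "WordPress/4.8; http://blog-a.example"
198.51.100.24 - - [10/Oct/2017:13:55:39 +0000] "GET /forum/index.php HTTP/1.1" 200 51234 "-" "WordPress/4.7.5; http://blog-b.example"
203.0.113.9 - - [10/Oct/2017:13:55:39 +0000] "GET /forum/index.php HTTP/1.1" 200 51234 "-" "WordPress/4.8; http://blog-c.example"
203.0.113.9 - - [10/Oct/2017:13:55:40 +0000] "GET /forum/index.php HTTP/1.1" 200 51234 "-" "WordPress/4.8; http://blog-c.example"
"""


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if not m:
        return None                     # unparsable line: skip, don't crash
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    rec["path"] = rec["target"].split("?", 1)[0]   # group by path, ignore query
    return rec


def parse_log(text: str) -> List[dict]:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def ua_family(ua: str) -> str:
    """First product token (e.g. 'WordPress'); crude, but it is what groups a
    botnet of many distinct sites behind one user-agent pattern."""
    return ua.split("/", 1)[0].split(" ", 1)[0]


def summarize(records: List[dict]) -> Dict[str, Counter]:
    return {
        "by_ip": Counter(r["ip"] for r in records),
        "by_ua_family": Counter(ua_family(r["ua"]) for r in records),
        "by_path": Counter(r["path"] for r in records),
    }


def peak_requests_per_ip(records: List[dict], window_s: float) -> Dict[str, int]:
    """Most requests any single IP made within any window_s-second span."""
    times: Dict[str, List[float]] = defaultdict(list)
    for r in records:
        times[r["ip"]].append(r["ts"])
    peaks: Dict[str, int] = {}
    for ip, ts in times.items():
        ts.sort()
        best = j = 0
        for i in range(len(ts)):        # two-pointer sliding window
            while j < len(ts) and ts[j] - ts[i] < window_s:
                j += 1
            best = max(best, j - i)
        peaks[ip] = best
    return peaks


def rate_limit_candidates(records: List[dict], window_s: float, threshold: int) -> List[str]:
    """IPs whose peak rate reaches the threshold: the set a Cloudflare
    rate-limit or IP firewall rule (or a local block) would act on."""
    return sorted(ip for ip, n in peak_requests_per_ip(records, window_s).items()
                  if n >= threshold)


def nginx_ua_map(patterns: Iterable[str]) -> str:
    """Render an Nginx `map` flagging user agents that match the given regexes
    (case-insensitive); pair it with `if ($block_ua) { return 444; }`."""
    lines = ["map $http_user_agent $block_ua {", "    default 0;"]
    lines += [f"    ~*{p} 1;" for p in patterns]
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for name, counter in summarize(recs).items():
        print(name, counter.most_common(3))
    print("candidates:", rate_limit_candidates(recs, window_s=10, threshold=4))
    print(nginx_ua_map(["WordPress"]))
```

On the sample, `by_ua_family` makes the pattern obvious (12 of 14 requests come from "WordPress" user agents even though the exact strings differ), `by_path` shows which URI to attach the rate-limit rule to, and `rate_limit_candidates` returns the three bot addresses and not the visitor. On a real log, pick the window and threshold by looking at what your genuine visitors' peaks are in `peak_requests_per_ip` first, so the rule sits above them.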
Rate limiting should help just fine. And I believe that "I'm under attack" should help too, which makes it quite unusual that it doesn't work for you.
Ok so here's the deal. I'm not trying to be a jerk, but I'm trying to understand your problem better.
The only way to block the "attack" is to show a captcha to the client
There are many different IPs (a few thousand) - generally speaking I wouldn't count that number as "many"
Rate limiting wouldn't work, so I guess that each IP makes only a few requests
I assume that these IPs are not mainly from one country (for ex. China, a popular one)
You didn't state what kind of forum software you use, nor did you say what kind of hardware you use
I assume you don't use any kind of cache layer for that forum
So we can safely label your case as "sometimes I get a high volume of traffic which makes my site/server unresponsive".
Personally I wouldn't call that kind of traffic an attempt at DDoS.
Now as for solutions. Because this kind of traffic is highly similar to typical traffic, I don't believe you can expect Cloudflare (meaning the services they offer) to do anything in that case. The only thing I believe you can do (assuming you don't want to spare $ on it) is to try to make the software more optimized (like caching of dynamic content + proper cache invalidation) so your hardware can actually endure that kind of traffic.