Lately I have faced some flood attacks which bypass cache and DDOS protection.
The attacker used urls with random query params, like 40k requests in 30 minutes.
I use WordPress and cannot effectively cache or strip query params without affecting functionality.
Please advice, how to protect my site? Why DDOS protection didn’t work?
Hey! Thanks for creating a post here in the Cloudflare Community - we will do our best to help
That’s the issue. 40,000 requests in 30 minutes amounts to only around 22 requests per second, which can hardly be considered a DDoS attack. From my experience, DDoS protection kicks in at a few thousand requests per second.
Could you please give an example URL where search parameters are required? It might be possible to create a URL rewrite rule that helps prevent cache busting.
Can you follow this guide and let us know with any question you have afterwards? Providing us as much information as possible is critical to help understand the attack better, the only pattern we know so far is that it attacks random paths/queries of your site.