DDoS protection doesn't block simple attacks

Hi.
I am on the free tier, mostly out-of-the-box configurations. I did change the ruleset to “I’m under attack!”.

Cloudflare DDoS protection doesn’t block simple attacks on my website, like repeated requests from the same IPs. Thousands of them in a matter of seconds.

What am I missing?

Where are you seeing this? If you’re in “I’m Under Attack” mode, all visitors should get a challenge page. If they pass the challenge page, they shouldn’t get another one until the challenge passage interval (configurable but probably 30 minutes by default) has expired.

Also, one IP does not equal a “distributed” DoS attack.

You could look into Rate Limiting, but it’s a premium feature.

I see the traffic going into my website’s nginx and taking it down for too many requests:

2022/08/03 20:07:42 [error] 126870#0: *333594 connect() to unix:/run/php-fpm/www.sock failed (11: Resource temporarily unavailable) while connecting to upstream, client: 23.129.64.141, server: ..., request: "GET //?440791769207685795XRM971748827726894217l HTTP/1.1", upstream: "fastcgi://unix:/run/php-fpm/www.sock:", host: "...", referrer: "..."

Making many requests per second isn’t enough of an indicator to diagnose that an IP is malicious.

It might be for your use case; however, for example, one of our sites receives as much as 20k queries per second from a single IP, all while being legitimate traffic.

Cloudflare has to make a global service that accommodates all use cases; that’s why the standard protection might not work as you’d like in some scenarios. The best thing you can do is:

  1. Tweak the firewall rules to suit your needs.
  2. Enable rate limiting for the endpoints where you have a clear overview of the expected requests per second.

I recommend checking the guides on the community so that you can tune Cloudflare up to your needs.


Are you certain that traffic actually came through Cloudflare? It’s not a Cloudflare IP; are you logging based on the CF-Connecting-IP header instead? Logging based on CF-Connecting-IP is fine, but I still like to be able to tell if the traffic came through Cloudflare or not, so I also log other headers such as cf-ipcountry. That way, if I see a blank in that field, I know the traffic didn’t come through Cloudflare.

Was the “host” header one of your actual websites, or was it just your IP address? If it was just your IP, then they definitely bypassed Cloudflare. If it was a real hostname, they might still have bypassed Cloudflare unless you’re protecting yourself in some way such as Authenticated Origin Pulls.

You should definitely look into Authenticated Origin Pulls if you’re not using it already; if anyone tries to bypass Cloudflare, it’ll die during the SSL handshake before it even hits your main web server process.

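The reply above suggests three origin-side checks: log the Cloudflare headers so direct-to-origin requests stand out, reject requests for hostnames you don’t serve, and enforce Authenticated Origin Pulls so a bypass fails in the TLS handshake. The nginx configuration below is an added example written for this thread, not a config posted by anyone in it or published by Cloudflare. The hostname, certificate and CA file paths, document root and the `set_real_ip_from` range are assumptions; the php-fpm socket is the one from the error log earlier in the thread.

```nginx
# Added example (not from the thread): nginx origin config that makes
# Cloudflare-bypass traffic visible in logs and, with Authenticated Origin
# Pulls, rejects it during the TLS handshake. Paths and names are assumptions.

http {
    # Record both the TCP peer ($remote_addr) and the headers Cloudflare adds.
    # A request that did not pass through Cloudflare logs "-" for every cf_* field,
    # which is the "blank field" the reply above looks for.
    log_format cf_combined '$remote_addr cf_ip=$http_cf_connecting_ip '
                           'cf_country=$http_cf_ipcountry cf_ray=$http_cf_ray '
                           'host=$host "$request" $status $body_bytes_sent '
                           '"$http_referer" "$http_user_agent"';

    access_log /var/log/nginx/access.log cf_combined;

    # Optional: let $remote_addr show the visitor IP, but only for connections
    # that really arrive from Cloudflare. Replace the placeholder range with
    # Cloudflare's published IP ranges (https://www.cloudflare.com/ips/).
    # set_real_ip_from 203.0.113.0/24;   # placeholder range, not a real Cloudflare range
    # real_ip_header CF-Connecting-IP;

    # Catch-all for SNI/hosts you do not serve (e.g. someone connecting to the
    # bare origin IP): refuse the handshake instead of serving the site.
    server {
        listen 443 ssl default_server;
        server_name _;
        ssl_reject_handshake on;   # nginx 1.19.4+
    }

    server {
        listen 443 ssl;
        server_name example.com;                          # assumed hostname

        ssl_certificate     /etc/nginx/tls/origin.crt;    # assumed paths
        ssl_certificate_key /etc/nginx/tls/origin.key;

        # Authenticated Origin Pulls: the connecting client (Cloudflare's edge)
        # must present a client certificate signed by Cloudflare's origin-pull CA.
        # The CA file is obtained from Cloudflare; its local path is assumed.
        ssl_client_certificate /etc/nginx/tls/cloudflare-origin-pull-ca.pem;
        ssl_verify_client on;

        root /var/www/html;                               # assumed docroot
        index index.php index.html;

        location / {
            try_files $uri $uri/ /index.php$is_args$args;
        }

        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            # Socket taken from the error log quoted earlier in the thread.
            fastcgi_pass unix:/run/php-fpm/www.sock;
        }
    }
}
```

With `ssl_verify_client on`, a client without a valid Cloudflare-issued certificate is rejected before any request line is read, so it never reaches php-fpm; the `cf_country=-` pattern in the access log is only useful for traffic on listeners where client verification is not enforced, or for auditing before you turn it on.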

Thank you, @user4358. I wasn’t aware of all of this, and apparently not all traffic went through Cloudflare! So this helped.
