DDoS still getting to my server even in Under Attack mode

Hi!
Just recently I’ve received a DDoS attack with requests as:

117.0.173.159 - - [28/Nov/2018:11:34:59 +0000] “POST / HTTP/1.1” 200 45162 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36”

and similar.
Even though I’ve turned on Under Attack mode, it still reached my servers.
OVH filtered it, but it bogged down the server a bit, to like 5.00 loads and some missed clients.

How can I prevent this in the future?

My server is configured to DROP all connections except CF’s IPs and mine.
Few outgoing connections are allowed but that doesn’t matter.

Tell me your recommendations:) thank you!

With the given details it is impossible to provide an exact answer, but there is a good chance they went straight for your server. If that is the case the only way to prevent this in the future is to change your IP address and make absolutely sure it does not leak anywhere.

But the server does not listen on httpd ports for non-Cloudflare ip’s. It’s disabled in my server’s firewall.
Or that’s not enough?
Thanks!

It does not matter what it listens on, if it is bombarded with packets it will saturate your bandwidth.

Well I think I was too impatient.
After turned off the Under Attack mode I wanted instant results.

Now still when I turn off UA mode, the POST / requests come thru.
When I turn on UA mode again, it takes 4-5 minutes for all POST / requests to disappear and legit traffic come thru…

Probably it’s a filtering delay or something I was not aware of.

Now when using UA mode the attack is mitigated, so server IP is not compromised. :slight_smile:

Thank you for your prompt response sandro

If you paused CF in the past, ip of your site can be recorded.

For example: you can check DNS history: https://www.virustotal.com/#/ip-address/

sometimes attacks they can pass the “I am under attack mode”

  1. enable rate limiting
  2. create firewall rules
  3. recaptcha challenge problematic countries where attack come from
  4. block ips in Access Rules

Yes, they have passed the under attack mode again with POST and GET requests.
What would be a good rate limit you’d recommend to not cause false positives but keep the DDoS attack off?
Thanks!

Its site specific… start from big value and lower it as much as you can, you can start trying challenge first (so even if legitimate traffic gets challenged its not that bad, and its a lot harder for bots to pass google recaptcha)

This topic was automatically closed after 30 days. New replies are no longer allowed.