A DDoS was attempted against my website, but it was neither detected nor mitigated
What steps have you taken to resolve the issue?
Context: Yesterday an attacker sent 2.8 million requests to my website in an extremely short amount of time, causing 406GB of traffic; however, I don’t see evidence of the network traffic in my Cloudflare panel and it wasn’t mitigated. I only saw the bandwidth and network requests on my service that is behind Cloudflare.
I looked around the panel and checked my settings, but based on the graphs, the network activity wasn’t detected.
What are the steps to reproduce the issue?
I don’t know how the DDoS was performed, so I don’t have a suggestion.
Image: for the last 7 days, the dashboard only shows 200KB of traffic.
Thanks for the information!
Based on my DNS settings, they are all flagged as proxied, as per the guidance in your “Protect your origin server” article. Also, as mentioned, the attacker claimed to have DDoS’d the Cloudflare IP instead of the IP of my origin server.
The screenshot only shows the attacker checking the status of your server through Cloudflare IPs; the attack could still have been directed at your origin. As you don’t see the traffic in the Cloudflare dashboard, that is the likely route. You should secure your origin anyway; otherwise it’s trivial to bypass Cloudflare by attacking your origin directly.
That is a good point, thank you. Thanks for the feedback so far.
I’ll see if I can get more context from my provider of the origin server.
However, I don’t understand what I need to do differently to protect the origin server.
The article recommends
(1) proxying records, which is what I’ve done (unless I misunderstand the indicators, but they appear correct);
(2) I have reviewed DNS records; there is no exposure of the origin server IP;
(3) I have no mail infrastructure;
(4) I suppose it is theoretically possible they could have found the DNS name prior to me registering my new domain with Cloudflare, so I may explore the option of rotating the origin server IP.
If you have any additional resources to suggest, I’d be happy to review them, as DDoS prevention was a reason I chose to use Cloudflare, and if there are more preventive measures I can take, I want to be sure to take them.
You should follow the guide @sjr pointed to. You could use the Authenticated Origin Pulls approach or at least HTTP Header Validation.
And it is a good idea to ask your host to rotate and give you new IPs. And avoid doing things like pausing Cloudflare, and don’t expose your IP to services that try to connect directly (if you haven’t, it’s just a reminder).
One of the best options would be to use Cloudflare Tunnel, but you would need greater control over the server and extra knowledge. You could use Oracle for that, since you can get a free VPS with them.
Once you have protected your origin, it’s best to take some time to learn how to configure a proper WAF for your needs, and you can harden and change some of your DDoS settings, create rate limiting rules, and block cloud and hosting ASNs, since they are the type most used to perform not only DDoS but other types of attacks.
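The origin lock-down that both replies above ask for (only accept traffic that arrived through Cloudflare, and validate a secret header) can be expressed as a small request gate on the origin. The following is an added example for this thread; it is not code from the thread, from Cloudflare, or from any Cloudflare product. It assumes a Transform Rule on the zone adds a header named X-Origin-Secret (the name and value are assumptions), that the IPv4 list is a snapshot of https://www.cloudflare.com/ips-v4 which you must refresh (the IPv6 list at /ips-v6 is omitted here and would be handled the same way), and the peer addresses and headers in the demo are constructed test data.

```python
"""Origin-side request gate: accept only requests that came through Cloudflare.

Added example for the thread above, not Cloudflare's or the poster's code.
Assumptions:
  - a Transform Rule adds the header X-Origin-Secret (assumed name/value);
  - CLOUDFLARE_IPV4 is a snapshot of https://www.cloudflare.com/ips-v4 and
    must be refreshed (the IPv6 list is omitted here);
  - the sample peers/headers in demo() are constructed.
"""
import hmac
import ipaddress
from dataclasses import dataclass

# Snapshot of Cloudflare's published IPv4 egress ranges; refresh before use.
CLOUDFLARE_IPV4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Assumed shared secret; set it to the value your Transform Rule injects.
ORIGIN_SECRET = "replace-with-a-long-random-value"
SECRET_HEADER = "x-origin-secret"  # assumed header name, lower-cased


@dataclass
class Verdict:
    allowed: bool
    reason: str


def from_cloudflare(peer_ip: str) -> bool:
    """True if the TCP peer is inside a Cloudflare range (version-safe)."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in CLOUDFLARE_IPV4)


def header_valid(headers: dict, secret: str = ORIGIN_SECRET) -> bool:
    """Constant-time comparison of the presented secret header."""
    presented = headers.get(SECRET_HEADER, "")
    return hmac.compare_digest(presented.encode(), secret.encode())


def gate(peer_ip: str, headers: dict, secret: str = ORIGIN_SECRET) -> Verdict:
    """Order matters: cheap IP check first, then the header check."""
    if not from_cloudflare(peer_ip):
        return Verdict(False, "peer not in Cloudflare ranges (direct-to-origin)")
    if not header_valid(headers, secret):
        return Verdict(False, "missing or wrong origin secret header")
    return Verdict(True, "via Cloudflare")


def real_client_ip(peer_ip: str, headers: dict) -> str:
    """CF-Connecting-IP is only trustworthy when the peer really is Cloudflare;
    from anyone else it is attacker-controlled, so fall back to the peer IP."""
    if from_cloudflare(peer_ip):
        return headers.get("cf-connecting-ip", peer_ip)
    return peer_ip


def wsgi_gate(app, secret: str = ORIGIN_SECRET):
    """Wrap any WSGI app so direct-to-origin requests get a 403 before it runs."""
    def wrapped(environ, start_response):
        headers = {k[5:].replace("_", "-").lower(): v
                   for k, v in environ.items() if k.startswith("HTTP_")}
        verdict = gate(environ.get("REMOTE_ADDR", ""), headers, secret)
        if not verdict.allowed:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [verdict.reason.encode()]
        return app(environ, start_response)
    return wrapped


def demo() -> list:
    """Constructed requests: one legitimate, one direct hit, one spoofed header."""
    good = {SECRET_HEADER: ORIGIN_SECRET, "cf-connecting-ip": "198.51.100.9"}
    cases = [
        ("104.16.1.1", good),                                   # via Cloudflare
        ("203.0.113.5", good),                                  # direct, stolen header
        ("104.16.1.1", {"cf-connecting-ip": "198.51.100.9"}),   # no secret header
    ]
    return [(ip, gate(ip, h).allowed, real_client_ip(ip, h)) for ip, h in cases]


if __name__ == "__main__":
    for ip, allowed, client in demo():
        print(f"peer={ip:<12} allowed={allowed!s:<5} client={client}")
```

The header check alone is application-layer: a flood still reaches the server and consumes sockets and CPU before being rejected, which is exactly the symptom in the original post. Pair it with a network-layer allowlist of the same Cloudflare ranges (nftables, cloud security group, or the host's firewall) so non-Cloudflare packets are dropped before they reach the web server, and rotate the origin IP once, since the old address is already known to the attacker.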