Hi Hive Mind - hoping you can help shed some light.
Yesterday our site was hit with a DDOS attack (http flood) that Cloudflare mitigated in its normal fashion.
None of our users reported any issues and our own logs suggested that for the 5 minutes that some of the attack traffic got through, our site performance was only slightly impacted (avg. response time went from 0.5s to 4.5s).
However, this morning I’ve had two separate reports of the site being down (either completely unavailable or ajax calls reporting that they were unable to retrieve data).
We use the site ourselves and noticed no outage and there are no obvious alerts or errors in our logs.
One of these reports was from a London customer, the other location is unknown.
Looking at the Cloudflare traffic analysis, I can see I have two spikes of 429 Edge status codes around the time the outage was reported with only two ASNs affected - both of which are London based.
I’m on a Pro plan and the volume of the 429 responses in both spikes were sub 1k.
We have no rate limiting in place.
The total number of requests across the entire site for the 1 minute period of the larger spike was under 5k and the second smaller spike was around 3.5k.
The site is an educational resource site on a school day with 10k different users a day accessing it globally so I’m not convinced that all that traffic came from a single user (on the off chance it triggered Cloudflare’s inbuilt rate limit - whatever that may be).
So three questions:
- Am I correct in thinking that “Edge status codes” originate from Cloudflare rather than our origin servers? No 429 responses from Origin have been logged.
- Does it seem reasonable to assume that the 429 spikes were the cause of an outage that seems to be specific to localised users?
- What is the likely cause? Could this be down to increased sensitivity following yesterday’s DDOS, just normal Cloudflare behaviour (slightly worried if this is the case), another DDOS that’s not triggering the DDOS alert, or something more sinister?
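The analysis described in the post (separating edge-generated 429s from origin 429s, then bucketing them per minute and per ASN to see whether a spike came from one network) can be reproduced from exported request logs. The following is an added example, not code from the original post or from Cloudflare. It assumes records shaped like Cloudflare's HTTP-request Logpush fields (`EdgeStartTimestamp`, `EdgeResponseStatus`, `OriginResponseStatus`, `ClientASN`), and the treatment of `OriginResponseStatus` other than 429 as "the edge answered on its own" is an assumption; the log records themselves are constructed for illustration, including the ASN numbers.

```python
"""Bucket edge-generated 429s by minute and ASN from Cloudflare-style request logs.

Added example, not part of the original post. Field names follow Cloudflare's
HTTP-request Logpush fields; every record below is constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timezone


def _rec(ts, edge_status, origin_status, asn):
    """Build one constructed log record with the fields the analysis needs."""
    return {
        "EdgeStartTimestamp": ts,
        "EdgeResponseStatus": edge_status,
        "OriginResponseStatus": origin_status,
        "ClientASN": asn,
    }


# Constructed traffic: one minute with a 429 spike driven by two ASNs, plus a
# quiet minute afterwards. ASN numbers are placeholders, not real networks.
SAMPLE_LOGS = (
    [_rec("2024-01-15T08:30:%02dZ" % (i % 60), 429, 0, 5089) for i in range(40)]
    + [_rec("2024-01-15T08:30:%02dZ" % (i % 60), 429, 0, 12576) for i in range(10)]
    # Assumption: origin status 429 means the origin itself rate limited.
    + [_rec("2024-01-15T08:30:%02dZ" % (i % 60), 429, 429, 2856) for i in range(3)]
    + [_rec("2024-01-15T08:30:%02dZ" % (i % 60), 200, 200, 2856 + i % 5) for i in range(150)]
    + [_rec("2024-01-15T08:31:%02dZ" % (i % 60), 429, 0, 5089) for i in range(2)]
    + [_rec("2024-01-15T08:31:%02dZ" % (i % 60), 200, 200, 2856) for i in range(120)]
)


def parse_ts(value):
    """Parse the RFC 3339 timestamp string Cloudflare emits into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def minute_key(record):
    """Truncate a record's edge timestamp to the minute it falls in."""
    return parse_ts(record["EdgeStartTimestamp"]).strftime("%Y-%m-%dT%H:%M")


def classify_429(record):
    """Return 'origin' if a 429 was relayed from the origin, 'edge' if Cloudflare
    produced it itself (assumption: origin status != 429), None if not a 429."""
    if record["EdgeResponseStatus"] != 429:
        return None
    return "origin" if record["OriginResponseStatus"] == 429 else "edge"


def edge_429_by_minute_and_asn(records):
    """Count edge-generated 429s per minute, broken down by client ASN."""
    counts = defaultdict(lambda: defaultdict(int))
    for rec in records:
        if classify_429(rec) == "edge":
            counts[minute_key(rec)][rec["ClientASN"]] += 1
    return {minute: dict(per_asn) for minute, per_asn in counts.items()}


def minute_summary(records):
    """Per-minute totals so a 429 spike can be compared against overall volume."""
    summary = defaultdict(lambda: {"requests": 0, "edge_429": 0, "origin_429": 0})
    for rec in records:
        row = summary[minute_key(rec)]
        row["requests"] += 1
        kind = classify_429(rec)
        if kind == "edge":
            row["edge_429"] += 1
        elif kind == "origin":
            row["origin_429"] += 1
    for row in summary.values():
        row["share"] = row["edge_429"] / row["requests"] if row["requests"] else 0.0
    return dict(summary)


def find_spikes(records, threshold):
    """Minutes whose edge-429 count reaches the threshold, with the ASNs that
    drove them ordered from most to fewest 429s."""
    spikes = []
    for minute, per_asn in sorted(edge_429_by_minute_and_asn(records).items()):
        total = sum(per_asn.values())
        if total >= threshold:
            ranked = sorted(per_asn, key=per_asn.get, reverse=True)
            spikes.append((minute, total, ranked))
    return spikes


if __name__ == "__main__":
    for minute, total, asns in find_spikes(SAMPLE_LOGS, threshold=20):
        row = minute_summary(SAMPLE_LOGS)[minute]
        print(f"{minute}: {total} edge 429s from ASNs {asns} "
              f"({row['share']:.0%} of {row['requests']} requests)")
```

Run against a real Logpush export, the interesting question is whether the spike minutes show a small number of ASNs and a 429 share well above the site's normal baseline; that pattern is what the post describes, and it separates "Cloudflare answered these itself" from "our origin rate limited", since only the latter shows a 429 in `OriginResponseStatus`.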