Disabling "Under Attack Mode" crashes site instantly

Hello,

since several days i need to keep my website in the “Under Attack Mode”. Everytime i disable the mode i get overflooded with requests and my server crashes. It is resolved as long as i am in “Under Attack Mode”. First i thought i get spammed by webcrawlers - however this is not the case since i am in this mode for 3 days. Would a DDoS normally last that long? And shouldnt Cloudflare safe me anyway even without the Attack Mode? What could i do to resolve? Or to investigate? My first thought was the web-crawler but this might be false since crawlers would reduce their crawlrate after a time.
Where should i start to find the root of this problem?

Thanks!

We have had DDoS attacks last an entire month for the sake of ramping up billing on bandwidth and others, so… yeah, it’s normal.

Unless the attack is crafted very poorly, request inspection is typically not enough to block an HTTP/HTTPS attack; CF must challenge the browser in one way or another.
Alternatively, you could rely entirely on rate limiting, many people do this, and it’s fine in many cases.

Cloudflare PRO gives a good starting point, the free plan lacks of ways to visualize the data.

Consider reading the following:

If you are on the free plan and decide to upgrade to pro, read this before enabling the bot protection:

3 Likes

Thanks already!

I am Pro-Member. I will look up your links.
I checked the first article and found something strange. Most Browsers and Operating Systems from Requests are unknown. Is it possible to block this? I mean any legitimate user of my site should provide this information.

Look at the user agents that carry most of the requests, it’s likely they are using invalid user agents and thus, the browser/os is unknown.

They have also a “unknown” section.
Bild_2022-04-21_231114037

It is also really odd that my analytics page does not shown any jump in traffic when i disable the “Under Attack Mode”. It looks like Cloudflare does not even register it and the requests come from Cloudflare itself. Which should not happen since my site is almost to 97% cached.

Might the UA be using unicode values, or is it just empty? Do you have browser integrity checks enabled? I find it shocking that CF lets those UAs go through.

Analytics show all traffic whether if it was blocked or not

checked the div and its empty so i guess its empty.
Browser Integrity Check is enabled.

The Traffic from my Screenshot however is normal traffic which my server can handle.
Thats the strange thing: as long as “under attack mode” is on, all works perfectly fine. Once deactivated, server crashes (gives 503 errors so no real “crash”). Can reproduce it very easily. Happens every time.

Unkown or missing UA? WAF 100001 rule can cover missing UA if you enable it, it’s not enabled by default and WAF 100004 for missing or empty referer

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.