DOS attack

My website is still down as we’re in the middle of a DDoS attack, unpaid for the business package and enabled Under Attack mode, but nothing has changed. Any ideas?

Best approach is here, Mitigating an HTTP DDoS Attack manually with Cloudflare

I tend to check the event log, https://dash.cloudflare.com/?to=/:account/:zone/security/events to find the offending traffic and then start with a challenge to that traffic, or a block if you prefer to simply stop the attack. After that, I tend to refine the rules I create to block the attack traffic and not impact other good traffic. Let us know how it works out and if you need more advice.

Thanks, yeah, these guys are determined, but I have blocked about 25 IP addresses, but a lot are in an IP range.

Does this look right? I originally typed 2a0a:1f46::/32 but was redirected to the below.

IP source address
Is in
2a0a:1f46:0000:0000:0000:0000:0000:0000/32
Block

It does. You may want to see if there is a country concentration and challenge or block that. Often they are widely distributed, but if you see most traffic from one or two countries you can block those to start while you refine rules with ASN and/or IP.

Thank you.
This is a worldwide attack, it’s crazy, it’s a crypto company. I don’t know how long it’ll go on, two days now, but this service is helping, I just need to master it. I can’t get my site to load on mobile, for example, but it seems a very good service.

564 million visits to my little independent business website in 24 hours…seems a tad excessive

Y, they are more than a tad aggressive. Have you tried blocking by user agent or ASN? It seems there is a high concentration in one country and one ASN. The rules you have seem to have slowed it down, but it appears they are poking to find a workaround for the attack.

Are you able to see it? I don’t know, I’m hoping they lose interest. What’s the ASN thing then? I only hit Cloudflare late last night and have spent the day learning but haven’t got to that yet

They’re literally just megalomaniacs, they’ve got away with stealing terrifying sums from people and I guess they just think they can do what they want

Y, it is a pain.

I went to events, https://dash.cloudflare.com/?to=/:account/:zone/security/events and on the graph zoomed in on the most recent spike

Below the graph it shows user agents, countries, and then ASN.

You could try a rule that looks like this

I selected block, which should stop at least that ASN, but it seems the biggest most recent offender.

I like that approach as it takes the heat off and gives you time to build rules with more finesse. You may also want to challenge Netherlands as that leads traffic by country. You know your business and if a lot of it comes from Netherlands, challenging by country could be too big of a hammer and negatively affect traffic you want.

Thanks

Yeah, that ASN should be caught by the IP range it falls under. I’m already at 37 rules, so I’m worried about creating rules that are already covered.

I am challenging Netherlands and most of the big offenders. I don’t know if that shows in the traffic graphs or not.

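
An added example, not part of the thread and not Cloudflare tooling: a local check for the two IP questions raised above, namely whether the expanded `2a0a:1f46:0000:.../32` form is the same range as `2a0a:1f46::/32`, and which entries in a block list are already covered by a broader range. Apart from that /32, every address in `RULES` is constructed for illustration, and the function names are hypothetical.

```python
import ipaddress

def normalize(entry):
    """Parse a single IP or a CIDR string; a bare address becomes a /32 or /128."""
    return ipaddress.ip_network(entry.strip(), strict=False)

def find_redundant(entries):
    """Map each entry that is already covered to the entry that covers it."""
    nets = [normalize(e) for e in entries]
    covered = {}
    for i, n in enumerate(nets):
        for j, other in enumerate(nets):
            if i == j or n.version != other.version:
                continue
            # Covered if strictly inside a broader range, or an exact
            # duplicate of an entry that appears earlier in the list.
            if n.subnet_of(other) and (n != other or j < i):
                covered[entries[i]] = entries[j]
                break
    return covered

def minimal_set(entries):
    """Smallest list of ranges that blocks exactly the same addresses."""
    nets = [normalize(e) for e in entries]
    out = []
    for version in (4, 6):  # collapse_addresses cannot mix IPv4 and IPv6
        same = [n for n in nets if n.version == version]
        out += [str(n) for n in ipaddress.collapse_addresses(same)]
    return out

# Block-list entries: the /32 is from the thread, the rest are constructed.
RULES = [
    "2a0a:1f46:0000:0000:0000:0000:0000:0000/32",  # as shown in the dashboard
    "2a0a:1f46::/32",                              # same range, compressed
    "2a0a:1f46:12:34::1",                          # constructed, inside the /32
    "198.51.100.7",                                # constructed single address
    "198.51.100.0/24",                             # constructed range covering it
    "192.0.2.55",                                  # constructed, not covered
]

if __name__ == "__main__":
    for entry, by in find_redundant(RULES).items():
        print(f"{entry} is already covered by {by}")
    print("minimal set:", minimal_set(RULES))
```
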