Over the last week, we’ve had two cases of DoS attacks. Thankfully they’re not distributed so it’s simple enough to block the IP address in a firewall rule. However, I’m not sure why Cloudflare’s automatic DoS protection isn’t working. The attack is millions of requests over a short period but Cloudflare is allowing them all through to our server until I setup the firewall rule. Shouldn’t Cloudflare be detecting this and automatically doing something to protect?
Did you enable the Under Attack mode?
Cloudflare is an excellent tool to defend against DOS attacks, but it doesn’t do everything automatically! It does require user interaction to block some attacks
millions of requests over a short period
Have you looked into Cloudflare’s Rate Limiting product? This may help defend against this kind of thing.
I did enable Under Attack mode for the few seconds that it took to setup the firewall rule.
My concern is that this is happening overnight when we’re not available to monitor and setup the firewall rule. I just figured 1 million requests in 60 minutes from the same IP address would trigger some sort of automatic protection with Cloudflare.
I have not looked at rate limiting - I’ll have to read about it.
Rate limiting should stop that
To be honest, I’d also expect that 300 requests a second, from one IP, continuously over one hour would flag that address somehow. @cs-cf?
they are not blocking layer 7 attacks automatically(to my knowledge from attacks I got just like you described and other posts here), but they do give you all the tools you need to block attacks like this, like rate limiting, workers, countries blocking etc…
According to the Firewall, Managed Rules tab, Cloudflare DDoS Protection:
These mitigations are automatically enabled for all customers across all plans.
This includes HTTP Flood which was the case with today’s attack. However, I can’t find any real details as to what Cloudflare does to mitigate these attacks. This attack may not have been distributed but it’s still a DoS attack and, I would imagine, falls under the same umbrella.
And as I said before, I know there are manual tools that allow us to fight these attacks but I was figuring Cloudflare’s protection was automatic, especially in an extreme case like today.
Sorry for resurrecting this thread but I too hope that we can get an official explanation of what the HTTP Flood protection is expected to do.
I understand that the “Under Attack” mode and the “Rate Limiter” could both be used to block such attacks. However, what does the “automatic HTTP Flood mitigation” do?
To anyone wondering, the “Learn more” link leads to https://www.cloudflare.com/learning/ddos/http-flood-ddos-attack/
That link you posted seems to explain it:
How can an HTTP flood be mitigated?
Other avenues for stopping HTTP floods include the use of a web application firewall (WAF), managing an IP reputation database in order to track and selectively block malicious traffic, and on-the-fly analysis by engineers. Having an advantage of scale with over 20 million Internet properties allows Cloudflare the ability to analyze traffic from a variety of sources and mitigate potential attacks with quickly updated WAF rules and other mitigation strategies to eliminate application layer DDoS traffic.
Looking at the discussion above, most people would expect 300 request per second from a single ip to trigger the http flood mitigation.
To paraphrase my question, how do we know if the automatic http flood is working?
For WAF, we could send requests that match the WAF rules.
For rate limiter, we could send requests that exceed the configured rate
For HTTP flood protection, how do we know that it is working? When does it kick in?
you dont know when it works… but you know when its not works
there was similar thread few months ago, some cloudflare empley check the logs for some site who got similar attack and he saw that lots of requests do got blocked, but in 90% of sites its enough for the 10% remaining requests to take the servers down
This topic was automatically closed after 30 days. New replies are no longer allowed.