False Positive HTTP DDoS Blocking

What is the name of the domain?

xpngo.info

What is the error message?

Sorry, you have been blocked You are unable to access xpngo.info

What is the issue you’re encountering?

I am experiencing a critical issue with DDoS protection on my server, which is behind Cloudflare’s DNS proxy. However, today, it appears that Cloudflare is detecting all incoming requests as part of a DDoS attack and consequently dropping them.

What steps have you taken to resolve the issue?

I set Security Level to Essentially Off

Screenshot of the error

I cannot reproduce this, since no A record was found for your domain name.

Please double-check your DNS records under the DNS tab of the Cloudflare dashboard, or via the link https://dash.cloudflare.com/?to=/:account/:zone/dns.

Cross-check and disable it, if the IUAM feature is enabled:

If the IUAM feature was enabled, you wouldn’t get such an error message as in the shared screenshot.

I am afraid that your request was blocked by one of your WAF Custom Rules or Managed Rules, if you’re on a Paid plan type for your zone:

I use the free plan and cannot use IUAM!
I have an A record with proxy for the subdomain uk-v.xpngo.info
A Record

and this is the nslookup report for uk-v.xpngo.info

uk-v.xpngo.info
Server: one.one.one.one
Address: 1.1.1.1

Non-authoritative answer:
Name: uk-v.xpngo.info
Addresses: 2606:4700:3037::6815:2872
2606:4700:3037::ac43:b989
172.67.185.137
104.21.40.114

Is it possible to use the following solution to resolve the WAF issue?
By deleting the A record for a few hours, the domain traffic will no longer be directed to the WAF, and perhaps this change will fix the incorrect CF firewall structure!
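
The DNS state the participants disagree on (record missing versus record present and proxied) can be checked mechanically. The following is an added example, not part of the original thread: it parses nslookup output like the one posted above and reports whether the name has no record, resolves only to Cloudflare edge addresses (proxied), or resolves elsewhere (DNS-only). The CIDR list is a subset of Cloudflare's published ranges and the function names are hypothetical.

```python
import ipaddress

# Subset of Cloudflare's published edge ranges (https://www.cloudflare.com/ips/).
# Assumption: load the full, current list in real use.
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "2606:4700::/32",
)]

# nslookup output as posted in the thread.
SAMPLE = """\
Server: one.one.one.one
Address: 1.1.1.1

Non-authoritative answer:
Name: uk-v.xpngo.info
Addresses: 2606:4700:3037::6815:2872
2606:4700:3037::ac43:b989
172.67.185.137
104.21.40.114
"""

def answer_addresses(nslookup_text):
    """Return IPs from the answer section, skipping the resolver's own address."""
    # The answer block starts at "Name:"; everything before it is the
    # resolver banner (Server/Address), which must not be counted.
    _, found, answer = nslookup_text.partition("Name:")
    if not found:
        return []  # lookup failed or returned no record
    addrs = []
    for token in answer.split():
        try:
            addrs.append(ipaddress.ip_address(token))
        except ValueError:
            continue  # labels and hostnames, not addresses
    return addrs

def classify(nslookup_text):
    """Return 'no-record', 'proxied', 'dns-only' or 'mixed'."""
    addrs = answer_addresses(nslookup_text)
    if not addrs:
        return "no-record"
    on_cf = [a for a in addrs if any(a in net for net in CLOUDFLARE_NETS)]
    if len(on_cf) == len(addrs):
        return "proxied"   # traffic passes through Cloudflare's security stack
    return "dns-only" if not on_cf else "mixed"

if __name__ == "__main__":
    print(classify(SAMPLE))
```

A "proxied" result means requests still traverse Cloudflare's HTTP security features, while "no-record" matches the state in which a third party cannot reproduce the block page at all.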

After nearly 36 hours, the issue that has arisen on CF for my service remains unresolved, despite my attempts to exhaust most possible solutions. This situation is causing me significant financial penalties and reputational damage.
I want to emphasize that my service has been operating with the same configuration for over a year without any changes to the server settings, Cloudflare configuration, or the type and volume of incoming traffic. However, Cloudflare’s WAF has classified all incoming traffic as an HTTP DDOS ATTACK, cutting off access to the host.
After reviewing the event logs and analytics section of Cloudflare, I have concluded that all incoming traffic to Cloudflare has originated from authorized users, and there is no abnormal traffic.
I would also like to point out that I have two different domains on this account with identical configurations and traffic patterns. One domain and its associated server are working perfectly, while the other is experiencing this issue.
Please provide any assistance or guidance that you can.

I cannot reproduce the same and cannot see the error, since it looks to me like you’re missing the A-type DNS record for your domain pointing to your origin host/server.

;QUESTION
uk-v.xpngo.info. IN A
;ANSWER
Record not found!

Fix this by double-checking the DNS tab of the Cloudflare dashboard for your domain using this link https://dash.cloudflare.com/?to=/:account/:zone/dns and adding the missing one.

Helpful article to manage DNS records at Cloudflare:

Thank you for feedback.

I am afraid then we cannot re-test and check what service was triggered from my request(s) for further troubleshooting.

I doubt it would. It’s the security settings which you are using and have enabled and configured, I am afraid :thinking:

You’re correct. The reason you couldn’t see the A record is because I removed it. I hypothesized that temporarily removing the record for a few hours might resolve the issue, but unfortunately, it didn’t. I have since re-added the A record, but the problem persists.
Regarding the firewall settings, I want to emphasize that I did not make any changes to the firewall configuration before the WAF started incorrectly identifying traffic as an HTTP DDOS attack. In fact, I was asleep when the issue began.
I am now reverting all settings to their original state so you can investigate further.
I kindly request your urgent assistance, as this issue has caused significant problems for me.
Thank you in advance for your help.

Thank you for feedback.

Yes, I do see and get the error as in the screenshot you’ve provided:

Kindly, may I ask you to double-check Security → Events with a filter on the “Ray ID” from my screenshot above, 8e089e865aff5af4, or just Country equals Croatia.
Once found, click on the particular one to expand it and get more details, and share here what kind of service was triggered that blocked me from accessing your webpage? :thinking:
Was it Security Level, was it WAF Custom Rules, or something else configured for the Security & Protection options and features enabled for your domain?
Thank you in advance.

Thank you for feedback :+1:

Yes, I only hit F5 refresh in my Web browser to generate more, to see if something changes at all. Thank you.

Just as another data point, could you let me know if my request also got blocked for the same reason? RayID is 8e08caa08a2cac1b.

Yes, thank you for your help.

Yes, I understand that the reason for the multiple requests from your end was due to you pressing F5.
I would like to provide you with screenshots of several WAF configuration pages to demonstrate that I have not made any specific or unusual configurations, and everything is set to the default. I want to reiterate that these settings have been working flawlessly for the past year, and I have not made any recent changes. In fact, I haven’t even logged into the Cloudflare panel.

Do you have any ideas or suggestions?
Is there a solution I can try?
If there’s any option, please let me know so I can test it.

I should also mention that I have two different domains on this Cloudflare account. All the settings for these two domains are identical. The type and amount of traffic for both servers are the same. One of the domains is working perfectly fine, while the other one is facing this issue.

I apologize for such events; however, I have no clue so far why and how this happens, as it shouldn’t :man_shrugging: I appreciate your effort and feedback!

Kindly and patiently wait for some more time, maybe someone else might have some idea and answer.

I am very grateful for your time and assistance.
Your kindness and support are greatly appreciated.
I wanted to ask if there is a way to completely disable the WAF?
Also, is it possible to configure settings so that I only use Cloudflare’s DNS proxy and completely bypass the firewall?