Getting DDoSed, unable to prevent it

I'm getting DDoSed, an HTTP flood with random-path requests.
I tried blocking common user agents with the WAF, but the attacker changes the URI path or User-Agent randomly.
Can anyone please suggest how I can prevent this type of attack?

Here are some log samples:

103.83.142.10 - - [29/Mar/2024:23:15:56 -0500] "GET /tVH4hkt HTTP/2.0" 404 - "https://mydomain.com/tVH4hkt" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
181.212.161.4 - - [29/Mar/2024:23:15:57 -0500] "GET /5v4dpA HTTP/2.0" 404 - "https://mydomain.com/5v4dpA" "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Mobile Safari/537.36"
2a09:7c47:0:30:75b0:edb1:3a5f:4083 - - [29/Mar/2024:23:15:56 -0500] "GET /W4M8YGoKqw HTTP/2.0" 404 - "https://mydomain.com/W4M8YGoKqw" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Mobile/15E148 Safari/604.1 OPT/4.5.0"
45.166.93.25 - - [29/Mar/2024:23:15:56 -0500] "GET /EmUBSZBAa HTTP/2.0" 404 - "https://mydomain.com/EmUBSZBAa" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
170.84.146.178 - - [29/Mar/2024:23:15:56 -0500] "GET /TbiYi5P HTTP/2.0" 404 - "https://mydomain.com/TbiYi5P" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
45.33.134.4 - - [29/Mar/2024:23:15:56 -0500] "GET /Zikgo HTTP/2.0" 404 - "https://mydomain.com/Zikgo" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) EdgiOS/120.0.2210.133 Version/17.0 Mobile/15E148 Safari/604.1"
166.249.54.96 - - [29/Mar/2024:23:15:57 -0500] "GET /sQVmpUqFT HTTP/2.0" 404 - "https://mydomain.com/sQVmpUqFT" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/123.0 Mobile/15E148 Safari/605.1.15"
203.161.29.1 - - [29/Mar/2024:23:15:57 -0500] "GET /ineZ6tjYj HTTP/2.0" 404 - "https://mydomain.com/ineZ6tjYj" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1"
168.196.245.128 - - [29/Mar/2024:23:15:57 -0500] "GET /rDcYMK4rJi HTTP/2.0" 404 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
185.220.101.97 - - [29/Mar/2024:23:15:57 -0500] "GET /SKl87m2 HTTP/2.0" 404 - "https://mydomain.com/SKl87m2" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 OPR/107.0.0.0"
2a01:4f8:1c1b:81c4::1 - - [29/Mar/2024:23:15:57 -0500] "GET /yRDwQH83G HTTP/2.0" 404 - "https://mydomain.com/yRDwQH83G" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
103.83.142.10 - - [29/Mar/2024:23:15:56 -0500] "GET /tVH4hkt HTTP/2.0" 404 - "https://mydomain.com/tVH4hkt" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
172.69.194.75 - - [31/Mar/2024:06:31:20 -0500] "GET /InT4RYHZQewcd HTTP/1.1" 499 0 "-" "Wget/1.19.5 (linux-gnu)"
162.158.182.24 - - [31/Mar/2024:06:31:21 -0500] "GET /InT4RYHZQewcd HTTP/1.1" 499 0 "-" "Wget/1.19.5 (linux-gnu)"
172.71.81.69 - - [31/Mar/2024:06:31:21 -0500] "GET /InT4RYHZQewcd HTTP/1.1" 499 0 "-" "Wget/1.19.5 (linux-gnu)"
162.158.189.40 - - [31/Mar/2024:06:31:21 -0500] "GET /InT4RYHZQewcd HTTP/1.1" 499 0 "-" "Wget/1.19.5 (linux-gnu)"
172.70.143.78 - - [31/Mar/2024:06:31:21 -0500] "GET /InT4RYHZQewcd HTTP/1.1" 499 0 "-" "Wget/1.19.5 (linux-gnu)"
162.158.134.92 - - [31/Mar/2024:06:31:21 -0500] "GET /InT4RYHZQewcd HTTP/1.1" 499 0 "-" "Wget/1.19.5 (linux-gnu)"
162.158.86.17 - - [31/Mar/2024:06:22:34 -0500] "GET /fA2iFNae1Ji8T HTTP/1.1" 499 0 "-" "Wget/1.19.5 (linux-gnu)"
172.68.50.145 - - [31/Mar/2024:06:22:34 -0500] "GET /fA2iFNae1Ji8T HTTP/1.1" 499 0 "-" "Wget/1.19.5 (linux-gnu)"
162.158.182.213 - - [31/Mar/2024:06:22:34 -0500] "GET /X2QITF3zKyK4q HTTP/1.1" 499 0 "-" "Wget/1.19.5 (linux-gnu)"
172.68.18.82 - - [31/Mar/2024:06:22:34 -0500] "GET /fA2iFNae1Ji8T HTTP/1.1" 499 0 "-" "Wget/1.19.5 (linux-gnu)"
172.71.2.144 - - [31/Mar/2024:06:22:34 -0500] "GET /fA2iFNae1Ji8T HTTP/1.1" 499 0 "-" "Wget/1.19.5 (linux-gnu)"
172.71.87.133 - - [31/Mar/2024:06:22:34 -0500] "GET /X2QITF3zKyK4q HTTP/1.1" 499 0 "-" "Wget/1.19.5 (linux-gnu)"
162.158.163.16 - - [31/Mar/2024:06:22:34 -0500] "GET /fA2iFNae1Ji8T HTTP/1.1" 499 0 "-" "Wget/1.19.5 (linux-gnu)"
172.68.64.149 - - [31/Mar/2024:06:22:34 -0500] "GET /X2QITF3zKyK4q HTTP/1.1" 499 0 "-" "Wget/1.19.5 (linux-gnu)"
172.71.166.209 - - [31/Mar/2024:06:22:34 -0500] "GET /X2QITF3zKyK4q HTTP/1.1" 499 0 "-" "Wget/1.19.5 (linux-gnu)"
108.162.237.87 - - [31/Mar/2024:06:22:34 -0500] "GET /fA2iFNae1Ji8T HTTP/1.1" 499 0 "-" "Wget/1.19.5 (linux-gnu)"
172.71.167.69 - - [31/Mar/2024:06:22:34 -0500] "GET /X2QITF3zKyK4q HTTP/1.1" 499 0 "-" "Wget/1.19.5 (linux-gnu)"
108.162.245.252 - - [31/Mar/2024:06:22:34 -0500] "GET /fA2iFNae1Ji8T HTTP/1.1" 499 0 "-" "Wget/1.19.5 (linux-gnu)"

Some of those IP addresses are Cloudflare and some are not.

Is your Cloudflare DNS record proxied?

Are you restoring visitor IPs?

This is to work out if the requests are coming through the Cloudflare proxy, or direct to your origin, or both.

If you are using the proxy, then you can first enable “Under Attack Mode” to give you breathing room. Then use this guide to fine-tune your protection.

If you are not using the proxy, then traffic isn't going through Cloudflare, so Cloudflare protections aren't applied to requests.

If you are using the proxy but requests still come directly to your origin server, then you need to set your firewall to allow only Cloudflare IP addresses to access your web server, and consider using Authenticated Origin Pulls.

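As an added example (not code from the thread, nor Cloudflare's), the following Python script performs the check the reply describes: it parses log lines in the combined format used in the question, decides for each source address whether it is a Cloudflare edge IP (meaning the request came through the proxy) or something else (meaning the request reached the origin directly), and renders an nftables allowlist that admits TCP 80/443 only from Cloudflare. The CLOUDFLARE_CIDRS list is a snapshot of Cloudflare's published ranges and is assumed current; the sample log lines are copied from the question.

```python
"""Classify origin log lines as proxied (Cloudflare edge source) or direct,
and render an nftables allowlist for the Cloudflare ranges.
Added example, not code from the thread.

CLOUDFLARE_CIDRS is a snapshot of https://www.cloudflare.com/ips-v4 and
https://www.cloudflare.com/ips-v6 and is ASSUMED current; refresh it from
those URLs before generating production firewall rules.
"""
import ipaddress
import re
from collections import Counter

CLOUDFLARE_CIDRS = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
]
CF_NETS = [ipaddress.ip_network(c) for c in CLOUDFLARE_CIDRS]

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Sample lines copied from the logs in the question.
SAMPLE_LOG = """\
103.83.142.10 - - [29/Mar/2024:23:15:56 -0500] "GET /tVH4hkt HTTP/2.0" 404 - "https://mydomain.com/tVH4hkt" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
2a09:7c47:0:30:75b0:edb1:3a5f:4083 - - [29/Mar/2024:23:15:56 -0500] "GET /W4M8YGoKqw HTTP/2.0" 404 - "https://mydomain.com/W4M8YGoKqw" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Mobile/15E148 Safari/604.1 OPT/4.5.0"
172.69.194.75 - - [31/Mar/2024:06:31:20 -0500] "GET /InT4RYHZQewcd HTTP/1.1" 499 0 "-" "Wget/1.19.5 (linux-gnu)"
162.158.182.24 - - [31/Mar/2024:06:31:21 -0500] "GET /InT4RYHZQewcd HTTP/1.1" 499 0 "-" "Wget/1.19.5 (linux-gnu)"
108.162.245.252 - - [31/Mar/2024:06:22:34 -0500] "GET /fA2iFNae1Ji8T HTTP/1.1" 499 0 "-" "Wget/1.19.5 (linux-gnu)"
"""


def is_cloudflare(ip):
    """True if ip falls inside any Cloudflare range (v4 or v6)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CF_NETS)


def parse_line(line):
    """Parse one combined-format line; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["via_cloudflare"] = is_cloudflare(rec["ip"])
    return rec


def summarize(log_text):
    """Split records into proxied vs direct and tally what the origin saw."""
    proxied, direct = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            (proxied if rec["via_cloudflare"] else direct).append(rec)
    return {
        "proxied": len(proxied),
        "direct": len(direct),
        # Direct hitters are addresses the origin firewall should not be admitting.
        "direct_ips": sorted({r["ip"] for r in direct}),
        "paths": Counter(r["path"] for r in proxied + direct),
    }


def nft_allowlist(cidrs=CLOUDFLARE_CIDRS, ports=(80, 443)):
    """Render nftables rules: accept the web ports only from Cloudflare and drop
    the rest. Other ports are untouched (policy accept) so SSH keeps working."""
    v4 = ", ".join(c for c in cidrs if ":" not in c)
    v6 = ", ".join(c for c in cidrs if ":" in c)
    p = ", ".join(str(x) for x in ports)
    return "\n".join([
        "table inet cf_only {",
        f"  set cf4 {{ type ipv4_addr; flags interval; elements = {{ {v4} }} }}",
        f"  set cf6 {{ type ipv6_addr; flags interval; elements = {{ {v6} }} }}",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        f"    ip saddr @cf4 tcp dport {{ {p} }} accept",
        f"    ip6 saddr @cf6 tcp dport {{ {p} }} accept",
        f"    tcp dport {{ {p} }} drop",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"proxied={s['proxied']} direct={s['direct']} direct_ips={s['direct_ips']}")
    print(nft_allowlist())
```

On the sample lines the 29 Mar requests come from addresses outside the Cloudflare ranges, so they reached the origin without passing through the proxy, while the 31 Mar Wget lines all carry Cloudflare edge addresses, which is what an origin logs for proxied traffic when visitor IP restoration is not configured. Load the rendered rules with `nft -f`, and keep the CIDR list in sync with Cloudflare's published lists, since a stale list will block legitimate proxied traffic.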
