I face a gigantic and illegitimate traffic surge
I know it is illegitimate bots because google adsense doesn’t see any traffic increase
What I have tired :
I have enabled ddos mode nonstop
I have enabled rate limit 10 hit per 10 sec
I have enabled “Bot Fight Mode” and “Block AI Bots”
I have a huge block list of known hosting ASN in WAF
I have enabled captcha for known bots except my allowlist in WAF (cf.client.bot and not ip.src.asnum in {15169 26444 17012 22510 13238 55967 38365})
I have blocked known threats in WAF (cf.threat_score gt 0)
despite all this my site has been taken down by the bots with error “session full”
You did a great job already. @jnperamo made this detailed guide to help people in the same situation as you. You should take a look and follow the instructions:
The normal bot fight mode is very limited. If you want something more robust, use Super Bot Fight Mode which has much more advanced customization and protection technologies that does a great job even on the pro plan.
There’s not much point in doing that. Many well-known bots can run javascript. So, depending on the type of challenge you’ve set or whether you’re limited by plan, they’ll probably get through. If you don’t want any bots from the list of known bots to access your site, simply block them.
Also, try hardening your layer 7 DDoS protection settings. Most people don’t touch it, but it’s a good idea to customize it to your needs.
@WhiteDemonhia
Thanks but the problem fixed itself shortly after I posted here. I suppose a cloudflare technician has read my post and fixed whatever needed to be fixed on cloudflare end.
