Having trouble stopping DDoS attacks


#1

I first want to say that I’m very new to Cloudflare and trying to fight off attackers. I volunteer time with a non-profit and we’re being systematically targeted by bad actors. My logs show groups of over 100 IP addresses sending tens of thousands of requests each, constantly crashing our VPS hosting account. I was turned on to Cloudflare and activated a free account 36 hours ago. My security level is set to I’m Under Attack and we’re getting about 190k Total Requests every 24 hours to a website that should be getting maybe 20 uniques a day. Our domain is askc.org. I’m really at a loss for what to try next, but I’m guessing there are some settings we should be changing that would stop the attacks from shutting us down. The only other thing I’ve changed is adding several countries to be Challenged under the Firewall Access Rules. Appreciate any assistance!


#2

Welcome to layer 7 attacks. Unfortunately, the only tools from Cloudflare to help you protect against them are:

  • I’m Under Attack mode (turn it on in the settings under the Firewall tab, in Security Level)
  • rate limiting (it’s a paid service; find it under the Firewall tab)

Non-Cloudflare tools:

  • adding more servers / scaling up your server
  • adding better caching tools (like Varnish / nginx)

About rate limiting: do they attack the same address or all of them?

(I was also under DDoS attack recently and I made a post about it with no replies: I got ddos attacked and I have few questions)


#3

First of all, make sure that your server only accepts packets from Cloudflare.

Since you only recently switched to Cloudflare, the IP of your origin server is likely still to be connected with your domain, and attackers make use of that information.

If your VPS hosting provider has a dashboard where you can set up a firewall, make sure to drop everything else that is not Cloudflare (and yourself). For a list of Cloudflare IPs, check this page.

I should probably add that of course you should take some precautions when implementing this. You don’t want to lock yourself out, or be blocking services on your machine that shouldn’t be blocked (e.g. if email/sftp etc. is on the same machine).


#4

Thanks for the suggestions. I was worried about turning on rate limiting because I’m not real sure 1) how many requests would get through that would be charged and 2) I’m not sure how to set it up once I turn it on for my specific problem and 3) whether or not I can turn it off at any time if the cost gets too high.

I checked my host’s control panel and there’s nothing there for firewalls or blocking traffic. I didn’t want to try blocking via the htaccess file since I’m not sure what I’m doing, and to your point, I don’t want to lock myself or legitimate services out.

I guess I got the impression that Cloudflare specialized in stopping this exact kind of thing. Is that not true, or does it really require a paid account to do that? Thanks again.


#5

how many requests would get through that would be charged?

Look in the Analytics tab at the requests graph; the total requests in the last month will give you some idea.

I’m not sure how to set it up once I turn it on for my specific problem

Since Cloudflare does not supply any logs, you need to find some logs on your servers to see what the attack looks like. Maybe all the requests are to the same URL?
After you find out, you need to create a rule. Start with a basic rule, like blocking for 1 hour all IPs that send more than 10-30 requests per second. Then wait 10-30 minutes and take a look at your Rate Limiting graphs, while heavily browsing your website to make sure legal requests (like your own) do not get blocked.
If you see requests getting blocked while your site analytics stay normal, it means everything is good (you will probably need to play a little with the rate limiting rules to find a good balance).

whether or not I can turn it off at any time if the cost gets too high

Yep, you can stop it at any time.

I guess I got the impression that Cloudflare specialized in stopping this exact kind of thing. Is that not true, or does it really require a paid account to do that? Thanks again.

I also asked about it and got no answers. They do help you a lot with blocking attacks like this with rate limiting and I’m Under Attack mode, but I also hoped it would be more of an automatic process.
Also, I don’t believe you will find another free layer 7 DDoS attack service.
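Added example, not part of the original thread: one way to do the log review described in #5 before creating a rate limiting rule, by measuring each IP's peak request rate and checking whether one URL is being targeted. It assumes an Apache/nginx "combined" access log whose first field is the real client address; the function names, the sample lines and the default threshold of 10 requests per 1-second window are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx "combined" log format; only the fields needed here are captured.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
)

def parse(lines):
    """Yield (ip, epoch_second, path) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip truncated or malformed lines
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], int(ts.timestamp()), m["path"]

def summarize(lines, window_s=1, max_per_window=10):
    """Return (offenders, top_paths).

    offenders: {ip: peak requests in any window} for IPs above the threshold.
    top_paths: the three most requested paths, to show if one URL is targeted.
    """
    per_ip = defaultdict(Counter)   # ip -> {window index: request count}
    paths = Counter()
    for ip, epoch, path in parse(lines):
        per_ip[ip][epoch // window_s] += 1
        paths[path] += 1
    peaks = {ip: max(c.values()) for ip, c in per_ip.items()}
    offenders = {ip: n for ip, n in peaks.items() if n > max_per_window}
    return offenders, paths.most_common(3)

def make_sample():
    """Constructed log lines (documentation addresses, not real traffic)."""
    fmt = '{ip} - - [10/Mar/2024:12:00:{s:02d} +0000] "GET {p} HTTP/1.1" 200 512'
    noisy = [fmt.format(ip="203.0.113.7", s=i % 2, p="/login") for i in range(40)]
    normal = [fmt.format(ip="198.51.100.20", s=s, p=p)
              for s, p in [(1, "/"), (4, "/about"), (30, "/contact")]]
    return noisy + normal + ["truncated line"]

if __name__ == "__main__":
    offenders, top_paths = summarize(make_sample())
    print("over threshold:", offenders)
    print("most requested:", top_paths)
```

Running it with several candidate thresholds against a real log shows which settings would catch the noisy addresses while leaving ordinary visitors alone.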


#6

Cloudflare protects you against DoS/DDoS if it proxies the requests. Hackers already have your server IP address, so why should they access your server via CF edge servers?

They simply send traffic directly to your server, and no configuration on the server helps with this.

You need to change your IP address and keep that information private.

If the hackers are very serious, the next step would be scanning the whole internet for your new IP, which with the right tools takes around 24 hrs.

Then they will find out your IP address again. You can avoid this by just whitelisting CF edge servers. Since only they are aware of your website’s existence on that IP, any other request originating from other IPs should be dropped. I would suggest whitelisting a VPN IP address which you may use for special administration tasks too.
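Added example, not part of the original thread: a sketch of the allowlisting suggested in #3 and #6, which first counts how many requests in the origin's log arrived without passing through the proxy, then prints firewall rules for review. The prefixes and the admin address are documentation-range placeholders, not Cloudflare's published list; the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Placeholder prefixes (documentation ranges) standing in for the list
# Cloudflare publishes; substitute the current published ranges.
EDGE_RANGES = ["198.51.100.0/24", "2001:db8:cf::/48"]
ADMIN_IPS = ["192.0.2.10/32"]  # hypothetical admin/VPN address to keep reachable

def nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

def classify(src, edge=None, admin=None):
    """Label one TCP peer address taken from the origin's access log.

    Use the connecting address, not a visitor IP restored from a header.
    """
    edge = nets(EDGE_RANGES) if edge is None else edge
    admin = nets(ADMIN_IPS) if admin is None else admin
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return "invalid"
    if any(ip in n for n in admin):
        return "admin"
    if any(ip in n for n in edge):
        return "edge"
    return "direct"  # reached the origin without going through the proxy

def audit(sources):
    """Count log entries per label; a high 'direct' count means origin bypass."""
    return Counter(classify(s) for s in sources)

def web_port_rules(edge=EDGE_RANGES, admin=ADMIN_IPS):
    """Build iptables/ip6tables commands that restrict only ports 80/443,
    so SSH, mail and SFTP on the same machine are left untouched.
    The commands are returned for review, not executed."""
    rules = []
    for cidr in list(admin) + list(edge):
        tool = "ip6tables" if ipaddress.ip_network(cidr).version == 6 else "iptables"
        rules.append(f"{tool} -A INPUT -p tcp -m multiport --dports 80,443 "
                     f"-s {cidr} -j ACCEPT")
    for tool in ("iptables", "ip6tables"):
        rules.append(f"{tool} -A INPUT -p tcp -m multiport --dports 80,443 -j DROP")
    return rules

if __name__ == "__main__":
    print(audit(["198.51.100.5", "203.0.113.9", "192.0.2.10"]))
    print("\n".join(web_port_rules()))
```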


#7

It’s not 100% correct. They stop most DDoS attacks, but layer 7 is another problem: they can’t know for sure which traffic is legit and which is an “attack” in most cases. That’s why there is not always a solution to layer 7 attacks.

Here is a quote from rian, who looks like a Cloudflare employee:

Unmetered Mitigation is not a guarantee that your site will not go down, but is instead a promise that you don’t have to worry about being terminated or charged because someone attacked you.

A smart layer 7 attack with a large number of IPs from all over the world, where each IP only pings your site once every X seconds/minutes, will not be stopped easily.


#8

I meant BW attacks. Defending against layer 7 attacks needs awareness of the business model and complex state maintenance, which can be done much more efficiently by app devs (plus using some CF APIs) rather than by external services like CF.