Help Mitigating Website attacks

Hello everyone, sorry for the newbie questions. My website is being attacked pretty regularly. I checked the httpd logs in var/log/ and saw that the website is being flooded with requests per second. Is it possible to limit the requests 1 specific IP can make for the website? Also, I tried using Under Attack mode and the site was still down. Any tips on how to identify what type of attack or help mitigate it would be great. I'm using the free version, but would upgrade if it helps. Thanks for your time.

My operating system: CentOS 7

Sorry to hear this, may I suggest below article:

Using the Firewall → Tools → Rate Limiting, yes.

Thank you for your replies. I'll read everything that was mentioned. As for some things, for example, I have a vote page / donate page that usually gets affected when I change the settings in Cloudflare; can I somehow exclude these 2 pages from being affected?

If you have got the IP address, you can block the IP, or IP range, or determine the AS number by the IP address and then block the whole AS number by adding it into the Firewall → Tools → IP Access Rules.

Nevertheless, you can create a Firewall Rule by navigating to the Firewall → Firewall Rules, add the URI Path “contains” /needed-path + “and” IP Source Address “equals” to the IP you are seeing, all that with the action “block”, if so.

Thank you for your reply. Can you specify what this AS number is?

Also, this appears for HTTP version:

|HTTP version|Requests|Share|
| — | — | — |
|HTTP/1.1|58,863,446| |
|HTTP/3|1,295|0.002%|
|HTTP/2|910|0.002%|

Now, my web activity shouldn't really be any more than 1,000 or so clicks a day, if that.

Also appears HTML: 50,701,247 (95.11%), this many requests for HTML.

Try making a firewall rule that challenges that IP.

How can I block the user agent?

Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36
Mozilla/5.0 (Linux; Android 7.0; SM-T825 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.85 Safari/537.36

These 2 user agents are common in the attack for all the requests.

https://support.cloudflare.com/hc/en-us/articles/115001856951-Understanding-Cloudflare-User-Agent-Blocking#:~:text=User%20Agent%20Blocking%20(UA)%20rules,Zone%20Lockdown%20skips%20UA%20rules.

I can just paste the whole name for the user agent, like I did in the post? That's what I wrote in the rule, or did I do it wrong?

Looks good; let us know if that does the job for now.
Be advised that changing user agent is fairly easy; it would be optimal if you tried to find other patterns to the attack.

I found that they are using HTTP version 1.1 for the attack: over 59,000,000 requests for that version.

I’ve attached a screenshot of the httpd log from the VPS.

HTTP 1.1 is commonly used in attacks; however, some legitimate bots also use it. I would consider making a rule based on challenging HTTP 1.1 and observing whether legitimate traffic is affected.
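One way to look for patterns in the httpd log beyond a single user agent, as the replies above suggest (an added example, not code from the thread): it tallies client IP, HTTP version, user agent and path from Apache combined-format lines and flags IPs by their busiest second. The function names, the sample lines and the threshold are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" LogFormat: host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def summarize(lines):
    """Count requests by IP, protocol, user agent and path; track each IP's busiest second."""
    ips, protos, uas, paths = Counter(), Counter(), Counter(), Counter()
    per_second = defaultdict(Counter)   # ip -> {timestamp (1 s resolution): hits}
    skipped = 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:                       # malformed or non-combined line: count it, do not guess
            skipped += 1
            continue
        ips[m["ip"]] += 1
        protos[m["proto"]] += 1
        uas[m["ua"]] += 1
        paths[m["path"]] += 1
        per_second[m["ip"]][m["ts"]] += 1
    peak = {ip: max(c.values()) for ip, c in per_second.items()}
    return {"ips": ips, "protos": protos, "uas": uas, "paths": paths,
            "peak_rps": peak, "skipped": skipped}

def flag_ips(summary, max_rps):
    """IPs whose busiest second exceeded max_rps: candidates for a rate limit or challenge rule."""
    return sorted(ip for ip, rps in summary["peak_rps"].items() if rps > max_rps)

# Constructed sample lines (documentation IP ranges); the first user agent is one quoted in the thread.
UA = ("Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36")
SAMPLE = (
    [f'203.0.113.7 - - [10/Oct/2020:13:55:36 +0000] "GET / HTTP/1.1" 200 512 "-" "{UA}"'] * 5
    + ['198.51.100.4 - - [10/Oct/2020:13:55:36 +0000] "GET /vote HTTP/2.0" 200 900 "-" "ExampleBrowser/1.0"',
       'not a log line']
)

if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(s["protos"].most_common(), s["uas"].most_common(1))
    print("over 3 req/s:", flag_ips(s, max_rps=3))
```

When the site is proxied through Cloudflare, the origin's httpd log records Cloudflare's addresses unless the visitor IP is restored (for example with mod_remoteip and the CF-Connecting-IP header), so check that before acting on the per-IP counts.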

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.