Help with DDoS Attack

Hi, any advice and help appreciated, new to this.

We started getting DDoS attacks on our site.
The guys hosting it came to us with the problem: it was affecting other services on their server.
We stopped this by only allowing UK traffic to our site till the attack stopped.

I signed up to Cloudflare Pro; our site loads better and we are getting a better loading time rating etc. Well happy, all is good, no attacks!

Until today: the host server has the same issue back again, under attack, ground to a halt, and affecting all their other services. Our site is the cause; it's under attack.

I've turned on Under Attack mode,
blocked the country China in firewall rules (this is where all the traffic seems to be coming from),
and now blocked the United States with a firewall rule (all the traffic is now coming from there).

Any advice on what else I need to do? Not sure why our site keeps getting attacked every few months?
I thought Cloudflare would stop this? Or am I doing it wrong?

Edit: as our site is still taking ages to load, the "testing your browser" page takes a long time.

Thanks for any help

So you have everything blocked except for the UK, additionally explicitly China, and you have “Under Attack” on?

Are you sure these requests actually come via Cloudflare and do not target your server directly? Have you configured your server to only accept connections from Cloudflare?

Hi Sandro

Thanks for your help. Sorry for being a bit of a novice.

Is this something our host would need to do on their server,
as opposed to settings in Cloudflare?

Under Attack on.
Blocked China and United States in Cloudflare firewall.

Blocked all traffic not UK in WordPress.

Yes it is. That configuration would need to be done on your server and it should essentially block all IP addresses except Cloudflare’s at https://www.cloudflare.com/ips/

What's the domain? And how do you establish that you are getting attacks, respectively can you post excerpts from your webserver's access log?

I am taking the webserver host's word, I guess?
I've messaged them to send me the webserver's access log.

I noticed the site won't load etc. or is really slow.

The host contacted me to say it's slowing the server (affecting other sites on it, I guess)

and it's because our site is being targeted: we are receiving a large volume of hits and attacks.

IP Geo Block, which we use in WordPress, shows the countries and a large increase in traffic compared to usual.
Same as in Cloudflare.

I don't have Argo enabled; would this help?

Sorry, the domain is www.tate-fencing.co.uk

Not really.

You need to establish if the requests go via Cloudflare or not. In the former case you can tweak your firewall settings (even though what you described should be more than sufficient), in the latter case you need to either lock down your server or work together with your host.

Your server’s IP address ends in 135, does it not?

If that is the case it would seem as if your server accepts direct connections and in that way an attacker could easily bypass Cloudflare.

Yes, it does end in 135.

It's a bit strange as we have had a few IP address changes over the year and have still got the attacks, which is why I thought it must be the domain.

You will need to wait until your host gets back to you. With the information available so far it is pretty impossible to make any factual statement.

The only thing I can possibly comment on is that there is a good chance they bypass Cloudflare, given that you have Under Attack on but they still manage to overload your site.

Ok, thanks for your help, appreciate it.

Yeah, the host is still having issues with accessing the server. Don't think they can get into the back end yet.

It's just weird that Cloudflare has been working but now it doesn't seem to be.

I would assume it still is working, but if somebody bypasses it there is nothing Cloudflare can do.

Yeah, host temporarily suspended our site,

and the server is running at full speed, no issues.
Must be bypassing Cloudflare.

Looking into how to whitelist only CF IPs on the server
for our site only.

Thanks again for your help.

Keep in mind there is also a good chance they are not bypassing Cloudflare.

Cloudflare in a lot of cases does not auto-block layer 7 attacks, but you don't really know if you are getting attacked. Your host says so, so what? How many requests? From which countries? What page are they hitting? What is their user agent? The referrer? ASN network?

The first step is you need to get data; you can use Logflare or a Worker to get logs, then use these tools:

  • rate limiting
  • I'm Under Attack mode (not working with API routes)
  • firewall rules
  • IP Access Rules
  • User Agent Blocking
  • full HTML caching
  • Worker
  • country-based rules
  • the new bot mitigation

Don't forget the OP configured country blocks AND did activate IUA.

Yeah, but still there is a chance they are not even trying to bypass it, and IUA is easy to bypass… I wonder if the Bot Fight Mode will help in these cases.

In all cases I would start with getting logs; without logs you know nothing.

Thanks boynet2, will start looking into this.

I have turned Under Attack on and a
(ip.geoip.country ne “GB”) firewall filter;
it didn't seem to make any difference until the host suspended the site.
Now he can get on the server as it's back up, running at full speed.

The most important bit would be the log files from your webserver. These should give you an idea where the requests came from.

Also, does the firewall event log on Cloudflare say anything?
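As an added example (not from anyone in this thread), here is a small Python script for the check Sandro keeps asking for: it reads webserver access-log lines and tells apart requests that arrived through Cloudflare from requests that hit the origin directly, by testing the connecting IP against Cloudflare's published ranges. The ranges embedded are an illustrative subset (load the full current list from https://www.cloudflare.com/ips/ in practice) and the log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Illustrative subset of Cloudflare's published IPv4 ranges (assumption for this
# example; in practice fetch the full list from https://www.cloudflare.com/ips/).
CLOUDFLARE_RANGES = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "141.101.64.0/18",
    "108.162.192.0/18", "162.158.0.0/15", "104.16.0.0/13", "172.64.0.0/13",
)]

# Constructed sample access-log lines in the Apache/nginx "combined" format.
SAMPLE_LOG = """\
172.64.10.5 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1200 "-" "python-requests/2.31"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1200 "-" "python-requests/2.31"
198.51.100.9 - - [01/Jan/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 300 "-" "-"
104.16.1.1 - - [01/Jan/2024:10:00:03 +0000] "GET /contact HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

def via_cloudflare(ip: str) -> bool:
    """True if the connecting IP belongs to one of the Cloudflare ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)

def classify(log_text: str) -> dict:
    """Count requests that came through Cloudflare versus directly at the origin,
    and summarise the direct traffic by source IP, path and user agent."""
    summary = {"cloudflare": 0, "direct": 0, "unparsed": 0,
               "direct_ips": Counter(), "direct_paths": Counter(), "direct_agents": Counter()}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            summary["unparsed"] += 1
            continue
        if via_cloudflare(m["ip"]):
            summary["cloudflare"] += 1
        else:
            summary["direct"] += 1
            summary["direct_ips"][m["ip"]] += 1
            summary["direct_paths"][m["path"]] += 1
            summary["direct_agents"][m["ua"]] += 1
    return summary

if __name__ == "__main__":
    s = classify(SAMPLE_LOG)
    print(f"via Cloudflare: {s['cloudflare']}, direct to origin: {s['direct']}")
    for ip, n in s["direct_ips"].most_common():
        print(f"  direct {ip}: {n} requests, paths {dict(s['direct_paths'])}")
```

Any non-zero "direct" count means the origin is reachable without going through Cloudflare, which is exactly the case where Cloudflare's firewall rules and Under Attack mode cannot help and the server-side allowlist of Cloudflare's IPs is needed.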

With Firewall, you can block countries like China, Russia completely. You can only allow visits from the U.S. if they come from Google or Bing. There is captcha, browser check, etc.

You can fully cache your pages on Cloudflare Edge, block your sign-in/sign-up pages completely. Check what is unique to the flooding spam traffic.

You can block visits by country, ISP, IP, etc.

You can only allow good bots, block all bad bots…

Maybe you can set up a honey trap / spam trap.