Help with mitigating a denial of service attack

For the last couple of days, our small site (single web server) has been flooded with traffic (60-100 requests per second). We are typically used to 1-10 requests per second.

The traffic, based on the CF-Connecting-IP, is coming from ranges that are known to be Google, and are listed by Google as Googlebot addresses (e.g. 66.249.66.x, 66.249.77.x).

Because these address ranges are registered with Google, I don’t want to block them. I have Super Bot Fight Mode set to Block for “Definitely automated”, but it doesn’t have any impact. If I turn on Under Attack Mode, it does stop it, but I am looking for a less invasive mitigation.

I don’t think it is actual Googlebot traffic. It is coming in way too fast, and all the requests are garbage, many with text offering DDoS service (not sure if they are extorting or advertising).

Is it possible to spoof Google IPs for HTTP requests, and is there any way to block them? Are they possibly doing something to the CF-Connecting-IP header so I am getting the wrong IP? Any other suggestions?

Good day,

(http.user_agent contains "Googlebot" and not cf.client.bot)

You can configure a rule blocking based on the user agent but requests which are not Cloudflare.

For more mitigation ideas, you can check these links

2 Likes
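An origin-side counterpart to the rule in the reply, as an added example that is not part of the original posts: it checks whether an address sending a Googlebot user agent passes forward-confirmed reverse DNS. The hostname suffixes are an assumption based on Google's published crawler verification guidance, and the resolver data, addresses and helper names are constructed for the demonstration.

```python
import socket

# Assumption: reverse-DNS suffixes Google documents for Googlebot hosts.
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")

def system_reverse(ip):
    """PTR lookup via the system resolver; hostname or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(host):
    """Forward lookup via the system resolver; set of addresses."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except OSError:
        return set()

def is_verified_googlebot(ip, reverse=system_reverse, forward=system_forward):
    """Forward-confirmed reverse DNS: the PTR name must be under a Google
    suffix AND must resolve back to the same IP."""
    host = reverse(ip)
    if not host:
        return False
    host = host.rstrip(".").lower()
    if not host.endswith(GOOGLE_SUFFIXES):
        return False
    return ip in forward(host)

def classify(ip, user_agent, reverse=system_reverse, forward=system_forward):
    """Same shape as the rule in the reply: Googlebot UA, not verified."""
    if "Googlebot" not in user_agent:
        return "other"
    ok = is_verified_googlebot(ip, reverse, forward)
    return "verified-googlebot" if ok else "fake-googlebot"

# Constructed resolver data (documentation address ranges, not real hosts).
PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",
    "198.51.100.9": "crawl-198-51-100-9.googlebot.com",  # forward lookup disagrees
    "203.0.113.7": "googlebot.com.example.net",           # look-alike name
}
A = {"crawl-192-0-2-10.googlebot.com": {"192.0.2.10"},
     "crawl-198-51-100-9.googlebot.com": {"192.0.2.99"}}
demo_reverse = PTR.get
demo_forward = lambda host: A.get(host, set())
UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
```

Behind Cloudflare, the address to pass in is the CF-Connecting-IP value rather than the socket peer. With the default resolvers each call performs live DNS lookups, so cache the result per address.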
