How Can People DoS My Site By Hitting an Image?

I recently had a DoS attack that only I’m Under Attack! Mode could stop, and when I looked at what they were hitting, I was surprised to find that it was just a single image. While this explained why rate limiting wasn’t blocking it (I don’t limit images), I do not understand how they can DoS my site by doing this - shouldn’t all images be cached by Cloudflare, so that any hits to them wouldn’t even reach my server?

Also, why were millions of hits to a single image not picked up as some kind of attack? It would be great if you had a rate limiting setting which restricted the number of hits to any single file (for example, if any given file gets hit by the same IP three times in one second, it is blocked). As of now, we have to specify which files or directories are limited. This is impractical with images, as they get lots of hits as a group, but any single image should not be hit multiple times by the same IP.

Hi @ljmac1

I would suggest that you create a rate limiting rule that blocks an IP that requests x resources to a host containing YOUR_DOMAIN; then all resources would be covered by the rate limiting rule.

In your DDoS dashboard, you can deploy a DDoS override where you block global settings.

I would also recommend that you deploy the OWASP ruleset in your managed rules. Should this give you any false positives, you can create a custom firewall rule where you skip managed rules on the false positive.

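The two rate-limiting strategies discussed in this thread (the original poster's "same IP hitting the same file N times in a second" idea, and the reply's "same IP hitting any resource on the host" rule) differ only in what the counter is keyed on. The following simulation, added here as an illustration and not code from Cloudflare or from anyone in the thread, runs a small sliding-window limiter over constructed sample traffic: one IP hammering a single image, and a normal visitor loading a gallery of 40 distinct images. The IPs, hostname, paths and thresholds are all made up; Cloudflare's caching behaviour is not modelled.

```python
from collections import defaultdict, deque

# Constructed sample traffic: (timestamp_seconds, client_ip, host, path).
# 198.51.100.7 requests the same image 50 times in half a second;
# 203.0.113.5 is a normal visitor loading 40 different gallery images.
SAMPLE_REQUESTS = (
    [(i * 0.01, "198.51.100.7", "example.com", "/images/hero.jpg") for i in range(50)]
    + [(i * 0.02, "203.0.113.5", "example.com", f"/images/photo{i}.jpg") for i in range(40)]
)


class SlidingWindowLimiter:
    """Reject a request once its key has already been allowed `limit` times
    within the trailing `window` seconds. `key_fn` decides what is counted."""

    def __init__(self, limit, window, key_fn):
        self.limit = limit
        self.window = window
        self.key_fn = key_fn
        self.hits = defaultdict(deque)  # key -> timestamps of allowed requests

    def allow(self, ts, ip, host, path):
        key = self.key_fn(ip, host, path)
        q = self.hits[key]
        # Drop timestamps that have fallen out of the window.
        while q and ts - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def per_file_key(ip, host, path):
    """The poster's proposal: count hits per (IP, individual file)."""
    return (ip, host, path)


def per_host_key(ip, host, path):
    """The reply's proposal: count every request from the IP to the host."""
    return (ip, host)


def run(limiter, requests):
    """Replay requests in time order; return blocked-request counts per IP."""
    blocked = defaultdict(int)
    for ts, ip, host, path in sorted(requests):
        if not limiter.allow(ts, ip, host, path):
            blocked[ip] += 1
    return dict(blocked)


if __name__ == "__main__":
    # Per-file keying at 3/s stops the flood and leaves the gallery visitor alone.
    print("per-file, 3/s :", run(SlidingWindowLimiter(3, 1.0, per_file_key), SAMPLE_REQUESTS))
    # Per-host keying at the same threshold also blocks the legitimate visitor.
    print("per-host, 3/s :", run(SlidingWindowLimiter(3, 1.0, per_host_key), SAMPLE_REQUESTS))
    # Raising the per-host threshold until the visitor passes lets most of the flood through.
    print("per-host, 40/s:", run(SlidingWindowLimiter(40, 1.0, per_host_key), SAMPLE_REQUESTS))
```

With the per-file key the attacker's 47 excess hits are rejected and the gallery visitor is never touched; with the per-host key the same 3-per-second threshold also rejects 37 of the visitor's 40 image loads, and loosening it to 40 per second (enough for the visitor) lets 40 of the attacker's 50 hits through. That is the trade-off the follow-up reply below is pointing at: a host-wide threshold has to sit above the burstiest legitimate page load, which is far above what any single file should ever see from one IP.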

That isn’t really a practical solution, as it would have to be set so high to prevent false positives that it would effectively be useless.
