How do I prevent traffic on my site from a source other than Cloudflare?

I use Google Cloud Platform to serve the site I manage.

I have one load balancer there, which controls the movement to several virtual machines.

When I came across the problem of DDoS attacks on this site, I started using Google Armor to block the intruders’ IP addresses, but over time, when the problem escalated, my team decided to use the Cloudflare service and now all domain traffic from the Internet to the service is led by Cloudflare as a middleman.

However, further DDoS incidents show that the attack is carried out in two ways: using the domain (or domain IP referring to Cloudflare), but also directly on the load balancer’s IP from Google Cloud.

The attackers could have known this load balancer’s IP, before joining Cloudflare, because that IP has not changed.

I would like all traffic to be directed by Cloudflare and, if possible, that nobody from the outside knows the load balancer’s IP or virtual servers located in the Google Cloud.

I have two questions:

  1. If I change the load balancer’s IP address now, can someone from the outside (attacker) get to this IP in some way?

  2. I could use Google Armor (or another firewall) to allow Google Cloud to accept traffic only from Cloudflare, but is there such a permanent (immutable) list of IP addresses that are only used by Cloudflare to communicate with my site (or all sites) to which I could restrict traffic?

Maybe someone else has some other ideas about the situation the website I manage is in that they would like to share. I am happy to hear them.

As long as Cloudflare does not reveal the address, you should be on the safe side; however, take into account that you should really lock down your server, as otherwise someone might accidentally stumble upon your address and it might give away the actual host name, via the certificate, the response, etc.

Cloudflare lists all addresses at https://www.cloudflare.com/ips/. This list is not permanent and does change occasionally; however, it is typically pretty stable and does not change too often.

2 Likes
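An added example, not part of the original posts: because the published list can change, this sketch diffs a deployed origin allowlist against the published ranges and flags log entries whose source IP is outside them (traffic that reached the load balancer directly). The ranges, the deployed allowlist, the log format and all function names are constructed assumptions; the addresses are documentation space, not Cloudflare's real ranges.

```python
import ipaddress

# Constructed placeholder ranges (RFC 5737 / RFC 3849 documentation space),
# standing in for the text published at https://www.cloudflare.com/ips/.
PUBLISHED = """
192.0.2.0/24
198.51.100.0/24
2001:db8::/32
"""
# Constructed: the allowlist currently configured on the origin firewall.
DEPLOYED = ["192.0.2.0/24", "203.0.113.0/24"]
# Constructed load balancer log lines: "<client_ip> <method> <path>".
LOG_LINES = [
    "192.0.2.17 GET /",
    "203.0.113.9 GET /login",
    "2001:db8::5 GET /api",
    "198.18.0.4 GET /",
]


def parse_ranges(text):
    """Parse one CIDR per line, ignoring blanks and # comments."""
    nets = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.add(ipaddress.ip_network(line, strict=True))
    return nets


def allowlist_drift(deployed, published):
    """Return (to_add, to_remove) so the firewall matches the published list."""
    deployed = {ipaddress.ip_network(n) for n in deployed}
    return sorted(published - deployed, key=str), sorted(deployed - published, key=str)


def direct_hits(log_lines, published):
    """Return client IPs that reached the origin from outside the published ranges."""
    hits = []
    for line in log_lines:
        ip = ipaddress.ip_address(line.split()[0])
        if not any(ip in net for net in published):
            hits.append(str(ip))
    return hits


if __name__ == "__main__":
    print(allowlist_drift(DEPLOYED, parse_ranges(PUBLISHED)))
    print(direct_hits(LOG_LINES, parse_ranges(PUBLISHED)))
```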

Thank you a lot @sandro!
