How does CF decide to stop blocking an attacker?

ddos

#1

I had a bunch of attacks coming from a Russian IP last night and when I checked the CF dashboard, I saw that the IP in question had been blocked for this behavior 3 hours earlier, but wasn’t currently being blocked for the same requests.

I would love to understand this, and even better would be instructions to turn it off. I don’t want attackers to be able to try again, especially within 24 hours (at least).

Possibly related: I added the CIDR block to the firewall but the traffic didn’t stop for about 20 minutes. Is that what I should expect?

This is on a paid account, if that makes any difference.

Thanks!


#2

Hi @hosting1,

Sorry about the delays. Are you still looking for info on these questions?


#3

I can’t speak to the determinations made by our systems or staff on when to block or unblock an IP related to an attack, but you always have the option to manually add it. It should happen almost instantly when you make the change, so if you see delays, definitely contact our support team.

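Added example, written for this thread and not code from Cloudflare or from anyone posting here: a small script that does the two things the reply above leaves to the dashboard. It scans firewall events for an IP that was blocked for a request pattern and later let through for the same pattern within a window (the situation described in post #1), and it builds the body for a manual block via Cloudflare’s IP Access Rules endpoint (`POST /zones/{zone_id}/firewall/access_rules/rules`, with `mode`, `configuration.target`, `configuration.value` and `notes`). The sample events are constructed; their field and action names are assumed to follow the Firewall Events shape (`datetime`, `clientIP`, `clientRequestPath`, `action`). The accepted range sizes (IPv4 /16 and /24, IPv6 /32, /48 and /64) are as I recall from Cloudflare’s documentation; check them before relying on the validation. The `CF_ZONE_ID` and `CF_API_TOKEN` environment variable names are my own choice.

```python
"""Spot IPs that were blocked and then allowed again, and build a manual block.

Added example for the thread; not Cloudflare code.  Event shape and action
names are assumptions modelled on the Firewall Events fields.
"""
import ipaddress
import json
import os
import urllib.request
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumption: Firewall Events-style fields).
SAMPLE_EVENTS = [
    {"datetime": "2023-05-01T01:00:00Z", "clientIP": "203.0.113.7",
     "clientRequestPath": "/wp-login.php", "action": "block"},
    {"datetime": "2023-05-01T01:05:00Z", "clientIP": "203.0.113.7",
     "clientRequestPath": "/wp-login.php", "action": "block"},
    {"datetime": "2023-05-01T02:00:00Z", "clientIP": "198.51.100.9",
     "clientRequestPath": "/xmlrpc.php", "action": "block"},
    {"datetime": "2023-05-01T02:30:00Z", "clientIP": "198.51.100.9",
     "clientRequestPath": "/index.html", "action": "allow"},   # different path
    {"datetime": "2023-05-01T03:00:00Z", "clientIP": "192.0.2.4",
     "clientRequestPath": "/", "action": "allow"},             # never blocked
    {"datetime": "2023-05-01T04:10:00Z", "clientIP": "203.0.113.7",
     "clientRequestPath": "/wp-login.php", "action": "allow"},  # same path, 3h later
]

# Assumed action names that mean the request reached the origin.
PASSED_ACTIONS = {"allow", "log", "skip"}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def reoffenders(events, window=timedelta(hours=24)):
    """Return {ip: {...}} for IPs blocked on a path and later passed on the
    same path within `window`; gap is reported in minutes."""
    first_block = defaultdict(dict)  # ip -> path -> first block time
    found = {}
    for ev in sorted(events, key=lambda e: e["datetime"]):
        ip, path, ts = ev["clientIP"], ev["clientRequestPath"], parse_ts(ev["datetime"])
        if ev["action"] == "block":
            first_block[ip].setdefault(path, ts)
        elif ev["action"] in PASSED_ACTIONS and path in first_block[ip] and ip not in found:
            blocked_at = first_block[ip][path]
            if ts - blocked_at <= window:
                found[ip] = {"path": path, "blocked_at": blocked_at, "allowed_at": ts,
                             "gap_minutes": int((ts - blocked_at).total_seconds() // 60)}
    return found


# Range sizes IP Access Rules accept, as I recall from the docs (assumption).
ALLOWED_PREFIXES = {4: {16, 24, 32}, 6: {32, 48, 64, 128}}


def access_rule_body(cidr, note):
    """Body for POST /zones/{zone_id}/firewall/access_rules/rules."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen not in ALLOWED_PREFIXES[net.version]:
        raise ValueError(f"{cidr}: IP Access Rules do not accept /{net.prefixlen} ranges")
    single = net.prefixlen == net.max_prefixlen
    target = "ip" if single else "ip_range"
    value = str(net.network_address) if single else str(net)
    return {"mode": "block", "configuration": {"target": target, "value": value}, "notes": note}


def submit_rule(zone_id, token, body):
    """Create the rule; needs a token with Zone > Firewall Services > Edit."""
    url = f"https://api.cloudflare.com/client/v4/zones/{zone_id}/firewall/access_rules/rules"
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


if __name__ == "__main__":
    zone_id, token = os.environ.get("CF_ZONE_ID"), os.environ.get("CF_API_TOKEN")
    for ip, info in reoffenders(SAMPLE_EVENTS).items():
        body = access_rule_body(ip, f"re-offender on {info['path']} after {info['gap_minutes']} min")
        if zone_id and token:
            print(json.dumps(submit_rule(zone_id, token, body), indent=2))
        else:
            print("dry run, would POST:", json.dumps(body))
```

Without `CF_ZONE_ID` and `CF_API_TOKEN` set the script only prints the request it would send, so it can be run against exported events first; the same `reoffenders` check can be pointed at real events pulled from the Firewall Events log to confirm whether an IP really went from blocked to allowed before a manual rule is added.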

#4

I did add the IP, but only after I got a CPU load notice because of the volume of the attack. That’s when I noticed that it had been blocked earlier.

This seems like a bug to me; your system identified an attack because of its IP or behavior, and blocked it. Great, that’s what I’m paying for. But then the system stopped blocking the same IP and the same behavior. Requiring me to notice and manually add the IP to the firewall is not a satisfying resolution.

Are there other actions I can take or settings I can choose to keep blocked IPs/behaviors blocked?

Thanks.


#5

Let me do some more digging and see what I can find out.


#6

Just sent you a private message with some questions. Please respond with whatever info you have and I’ll flag this for more investigation.