Guys, so I am under attack
I have logged in
Instruction says “Select the domain currently under attack”?
But WHERE should I do this Selection?
I do not see any proposals of the kind
Can you help
Please
Hi @radiotrekrvua,
When you login, you should see the domains in your account. On the front page of whichever domain you select, there should be a toggle for under attack mode on the right hand side.
Thanks, indeed
Can you tell me how I should enable the Firewall?
Who can tell me why Cloudflare fails to block the attack?
I would recommend starting with:
If they are bypassing UAM
Thanx
I am already signed up and my plan is 20 dollars per month
Excellent, do you have the WAF enabled as shown in step 5 of the linked post?
Doesn’t your article suggest only 4 (four) steps?
As I see
I just do not see where exactly I should Toggle anything? WAF
On the same page as “Under attack mode”?
There are 7 points in the #Tutorials post. You can enable the WAF under ‘Firewall’ in your dashboard.
You should also look at using the captcha challenge if they are bypassing the JS challenge - detailed in the same post.
Nothing helps
You need to try and spot a pattern in the attack traffic and use firewall rules to help block it. You may be able to challenge/block by country, user agent, IP range etc.
I am afraid I can block myself (radio trek)
In the list I see an IP
Clicked on it
And saw this page
Is it safe to challenge that IP?
Shouldn’t I purge cache? By the way
You can challenge the IP if it’s one that is coming up repeatedly and even block it if you are sure they are a bad actor.
Purging the cache won’t help with the attack and may put more load on your server.
Is there any way that someone checks what is happening?
I am absolutely unaware of what to click
How can I know which IP is bad or good?
On the self-serve plans, the tools are provided, but it is pretty much up to you to configure them. If you want to look at the Enterprise plan (custom pricing), then it is a lot of money, but you will get a lot more help mitigating an attack.
You can contact support who may be able to offer advice, but they will likely take a while to get back to you.
Have you looked at:
https://support.cloudflare.com/hc/en-us/articles/200170196--Responding-to-DDoS-attacks
When you challenge the requests, do the requests in your events log tie up with the logs on your server? If not, it may be that the attackers are bypassing Cloudflare and going directly for the server.
If that is the case, you may want to lock down your server so it’s only accessible by the Cloudflare IPs or use a solution like the one suggested by @cbrandt in Stop Cloudflare bypassing on shared hosting
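The comparison suggested above, Cloudflare events against the origin's own logs, can be scripted. This is an added example, not part of the original thread: it assumes the origin access log is in common/combined format with the connecting peer address as the first field (no real-IP module rewriting it), uses a hard-coded snapshot of Cloudflare's IPv4 ranges that should be refreshed from https://www.cloudflare.com/ips/, and runs over constructed sample lines.

```python
import ipaddress
import re
from collections import Counter

# Snapshot of Cloudflare's published IPv4 ranges (assumption: may be stale;
# refresh from https://www.cloudflare.com/ips/ and add the IPv6 ranges if the
# origin listens on IPv6).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Common/combined log format; the first field is the connecting peer.
LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3})')

def via_cloudflare(peer):
    """True if the peer address belongs to one of the listed Cloudflare ranges."""
    try:
        addr = ipaddress.ip_address(peer)
    except ValueError:
        return False  # hostname or garbage in the peer field
    return addr.version == 4 and any(addr in net for net in CLOUDFLARE_V4)

def direct_hits(lines):
    """Count requests per peer that reached the origin without passing Cloudflare."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and not via_cloudflare(m.group("peer")):
            hits[m.group("peer")] += 1
    return hits

# Constructed sample lines; the direct peers use documentation address ranges.
SAMPLE_LOG = [
    '172.68.10.5 - - [01/Jan/2020:10:00:00 +0000] "GET / HTTP/1.1" 200 5120',
    '203.0.113.50 - - [01/Jan/2020:10:00:01 +0000] "GET / HTTP/1.1" 200 5120',
    '203.0.113.50 - - [01/Jan/2020:10:00:01 +0000] "GET / HTTP/1.1" 200 5120',
    '162.158.90.12 - - [01/Jan/2020:10:00:02 +0000] "GET /robots.txt HTTP/1.1" 200 64',
    '198.51.100.7 - - [01/Jan/2020:10:00:03 +0000] "POST /login HTTP/1.1" 403 210',
    '203.0.113.50 - - [01/Jan/2020:10:00:04 +0000] "GET / HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for peer, count in direct_hits(SAMPLE_LOG).most_common():
        print(f"{peer}\t{count} request(s) reached the origin directly")
```

Any peer this reports never appears in the Cloudflare events log, which is the mismatch described above and the case for restricting the origin to Cloudflare's ranges.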
Further to what @domjh has said, I’d suggest you adopt a strategy where instead of being concerned with which IP/user-agent/etc to block, you focus on what visitors you should not block. Then block everyone else.
I’ve tested recently a Firewall Rule with the following logic:
If not a known crawler, such as Googlebot etc
AND
not from a country where I expect most of my legitimate visitors to come from
AND
not a URL that I need to exempt, such as robots.txt and ads.txt
AND
not from an ASN/IP that I recognize as a source of legitimate visitors or crawlers not in the countries I’ve listed above
…
THEN
Challenge!
Basically the rule says: Block everybody, except these guys listed here. This rule is a lot easier to maintain, and it blocks a lot more bots than my previous attempts at listing bad IPs, bad URLs etc.
An example of the results you can see below, where in two of my sites the rules specifically covering bad URLs (the never ending attempts at getting to a vulnerable plugin’s PHP files, etc) had very little work to do after this rule filtered out most bad guys.
site 1:
site 2:
The bad side to this approach is that some legit visitors may occasionally get a Challenge page. So you need to set a larger duration for the time that Cloudflare will let pass before challenging the same visitor again. I set my sites to 1 week.
Dashboard > Firewall > Settings > Challenge Passage
Also, I’d completely avoid using Block instead of Challenge, as their efficacy against bots is similar, and the chance of alienating a legit visitor with a Challenge is smaller.