How should I "Select the domain currently under attack"?

Doesn’t your article suggest only 4 (four) steps&
As I see

I just do not see where exactly I should Toggle anything? WAF
On the same page as “Under attack mode”?

There are 7 points in the #Tutorials post. You can enable the WAF under ‘Firewall’ in your dashboard.

You should also look at using the captcha challenge if they are bypassing the JS challenge - detailed in the same post.

I have made this step

Should I still keep under attack mode?

Nothing helps

You need to try and spot a pattern in the attack traffic and use firewall rules to help block it. You may be able to challenge/block by country, user agent, IP range etc.

I am afraid I can block myself (radio trek)
In the list i see an ip
Clicked on it
And saw this page
Is it safe to challenge that IP

Shouldn.t I purge cache? By the way

You can challenge the IP if it’s one that is coming up repeatedly and even block it if you are sure they are a bad actor.

Purging the cache won’t help with the attack and may put more load on your server.

Is there anyway thast someone checks what is hapenning
I am absolutely anaware of what to click
How can I know which IP is bad or good?

On the self-serve plans, the tools are provided, but it is pretty much up to you to configure them. If you want to look at the Enterprise plan (custom pricing), then it is a lot of money, but you will get a lot more help mitigating an attack.

You can contact support who may be able to offer advice, but they will likely take a while to get back to you.

Have you looked at:

When you challenge the requests, do the requests in your events log tie up with the logs on your server? If not, it may be that the attackers are bypassing Cloudflare and going directly for the server.

If that is the case, you may want to lock down your server so it’s only accessible by the Cloudflare IPs or use a solution like the one suggested by @floripare in Stop Cloudflare bypassing on shared hosting

1 Like

Further to what @domjh has said, I’d suggest you adopt a strategy where instead of being concerned with which IP/user-agent/etc to block, you focus on what visitors you should not block. Then block everyone else.

I’ve tested recently a Firewall Rule with the following logic:

If not a known crawler, such as Googlebot etc
AND
not from a country where I expect most of my legitimate visitors to come from
AND
not an URL that I need to exempt, such as robots.txt and ads.txt
AND
not from an ASN/IP that I recognize as a source of legitimate visitors or crawlers not in the countries I’ve listed above

THEN
Challenge!

Basically the rule says: Block everybody, except these guys listed here. This rule is a lot easier to maintain, and it blocks a lot more bots than my previous attempts at listing bad IPs, bad URLs etc.

An example of the results you can see below, where in two of my sites the rules specifically covering bad URLs (the never ending attempts at getting to a vulnerable plugin’s PHP files, etc) had very little work to do after this rule filtered out most bad guys.

site 1:


site 2:

The bad side to this approach is that some legit visitors may occasionally get a Challenge page. So you need to set a larger duration for the time that Cloudflare will let pass before challenging the same visitor again. I set my sites to 1 week.

Dashboard > Firewall > Settings > Challenge Passage

Also, I’d completely avoid using Block instead of Challenge, as their efficacy against bot is similar, and the chance of alienating a legit visitor with a Challenge is smaller.

3 Likes

Thank you very much for the explenation

Really

1 Like

Hi, guys!
Thanks for your comments and help, but I am now having another serious problem

The DDOS attack seems to have diminished, but we are here still have to deal with captcha all the time

And I can not do some other things on my site

I have switched off that rule in the Firewall, but it doesn’t help

What can I do?

What can I do to switch it off – altogether so that it doesn’t interfere with the work of my site?

Cfy you help please?

That’ s what I have to do ()all of us here) when we add materials to our site

Could you show a screenshot of the actual rule (obfuscate whitelisted domains/IPs etc.)

Here’s what I have on a website in Brazil (the rule allows any visitors from Portuguese-speaking countries):

image

If you included your own country to the list of countries not to be challenged, you shouldn’t be seeing these captchas, unless your ISP sends the traffic abroad for some reason (it happens with many 4G operators in Brazil). Then you’d need to include their ASNs in the list.

You can check the Firewall > Events log, making sure to click on challenges that you know that came from your visits, and you’ll be able to see which ASN you guys are using.

Floripare,

Unfortunately, I am not so versatile in English and Cloudfare specifics

I just used the rule: Challenge captcha everyone

I do not think I can show you anyting, than this

I just do not know what to show

And as for your screenshot I just do not know how to get to that table (panel)

Could you explaine?

But primarily I need to get that rule disactivated.

I do not know why it keeps on working if I moved the button to OFF

You can use the globe icon (something like this :globe_with_meridians: on the bottom of this page) to see English language messages on your language.

On your firewall rule, next to the ON button, there’s a tool icon. Click on it to edit the rule, then add each field and the parameters following the example I gave above.

Try going to Cache > Purge Everything. Also, purge the cache from your browser.

This topic was automatically closed after 30 days. New replies are no longer allowed.