How to allow application to access certain URLs when in Under Attack mode?

#1

Hi all,

We’ve been getting repeatedly DDoS’d from a certain Far East country and I have a few questions about Under Attack mode and handling this situation.

  1. When “Under Attack” is enabled, our desktop application can no longer access certain URLs that are occasionally needed - how should we cope with this so our users are unaffected? Presumably we’d need to use some API?

  2. Is there a way to have Cloudflare automatically enable “Under Attack” mode? e.g. if the number of requests from a certain country suddenly jumps; so that protection is more proactive and doesn’t necessarily rely on a problem being reported and someone flipping a switch…

  3. Can we increase the security level for a certain country permanently?

Many thanks!
Justin

#2

Have a look at the Firewall rules. They’re pretty easy to configure e.g. block exact URL unless from exact IP or range etc.

1 Like
#3

Hi Justin,

  1. You can protect your admin area with an Access Policy that will block anyone except authenticated users. Free up to 5 user IDs per month, charged per ID per month after that.

Otherwise you can create a Page Rule for certain URLs if they are not being specifically targeted by the attack.

  2. Not on the free plan. You can enable Rate Limiting on a per IP basis, please check the docs for pricing.

  3. You can easily create a Firewall Rule where visitors from a specific country (or a list of countries) are met with a certain action, like block, challenge (captcha) or JS challenge (same effect as I’m Under Attack mode). For instance, the following rule:

    (ip.geoip.country in {"CN" "JP"} and not cf.client.bot)
    

will challenge any visitors from Japan or China, excluding known bots (as defined by Cloudflare).

1 Like
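
Question 2 asks about switching to “I’m Under Attack” automatically when one country's traffic jumps. The sketch below is an added example, not code from any poster or from Cloudflare: it flags a per-country spike in constructed sample data and builds (without sending) the zone settings API request that sets the security level to `under_attack`. The thresholds, the event format and the `<ZONE_ID>` / `<API_TOKEN>` placeholders are assumptions.

```python
import json
from collections import Counter, defaultdict

# Constructed sample: (minute, country) pairs, as might be parsed from origin
# access logs that record Cloudflare's CF-IPCountry request header (assumed).
SAMPLE = ([("12:00", "CN")] * 3 + [("12:00", "GB")] * 10 +
          [("12:01", "CN")] * 5 + [("12:01", "GB")] * 12 +
          [("12:02", "CN")] * 60 + [("12:02", "GB")] * 11)

def requests_per_minute(events):
    """Group events into {minute: Counter(country -> request count)}."""
    buckets = defaultdict(Counter)
    for minute, country in events:
        buckets[minute][country] += 1
    return buckets

def spiking_countries(events, factor=5, floor=20):
    """Countries whose latest-minute count is at least `floor` requests and at
    least `factor` times their average over the earlier minutes."""
    buckets = requests_per_minute(events)
    minutes = sorted(buckets)
    if len(minutes) < 2:
        return []  # no history to compare against
    *history, latest = minutes
    spikes = []
    for country, count in buckets[latest].items():
        baseline = sum(buckets[m][country] for m in history) / len(history)
        # max(..., 1.0) stops a previously unseen country from dividing the bar to zero
        if count >= floor and count >= factor * max(baseline, 1.0):
            spikes.append(country)
    return sorted(spikes)

def security_level_request(zone_id, level):
    """Build (do not send) the API call that changes the zone's security level."""
    return {
        "method": "PATCH",
        "url": f"https://api.cloudflare.com/client/v4/zones/{zone_id}/settings/security_level",
        "headers": {"Authorization": "Bearer <API_TOKEN>",
                    "Content-Type": "application/json"},
        "body": json.dumps({"value": level}),
    }

def decide(events, zone_id="<ZONE_ID>"):
    """Return the request to enable Under Attack mode, or None if traffic is calm."""
    if spiking_countries(events):
        return security_level_request(zone_id, "under_attack")
    return None

if __name__ == "__main__":
    print(spiking_countries(SAMPLE), decide(SAMPLE))
```
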
#4

Thanks for the info! Firewall Rule added :slight_smile:

Re (1) I don’t think Access is the right solution, we don’t need specific user validation and we don’t use identity provider validation. It’s simply just that we’d want to verify ‘yes, this is our application’ and allow it to call certain URLs e.g. for submitting a bug report…

Configuring an IdP for a single application-wide user seems over the top for a pretty simple use-case, no?!

1 Like
closed #5

This topic was automatically closed after 14 days. New replies are no longer allowed.