How to defend against HTTP flood attacks?

We are hit by hundreds of requests every minute to URLs that do not exist, for example:
domain.com/c.php
domain.com/conn.php
etc.

The requests come from a wide list of IP addresses and countries, so there is no easy way to blacklist them. The only option that we didn’t try is WAF that requiries a PRO account. Can we be guaranteed that these basic attacks will be blocked by WAF? If not, what would you suggest to defend such attacks?

Out of curiosity, have you tried Bot Fight Mode? It’s under Firewall -> Settings

No, I haven’t. Thanks a bunch for the hint, hope that helps during the next attack.

1 Like