We currently use Cloudflare to protect our informational website at our .org domain. This website is at a hosting facility in another state.
We have a .com domain that is in house and has access to a few web applications and OWA / email. This .com domain sits behind a pair of Ecessa PowerLink DNS-based load balancing appliances in HA mode. The PowerLink appliances are authoritative over the .com domain, and when our names are queried against them, they offer the IP that is on an ISP that is confirmed up, and also offer the IP that is most capable (load balancing). There are two ISPs into the device, so if one goes down, DNS with a 30 second TTL will only advertise the IP of the working ISP. This has worked great for our organization.
Now we have a situation where we would like to apply velocity rules to prevent hitting certain web applications x number of times in a minute… basically layer 7 brute force password attacks from random sources. We can only keep adding IPs to our firewall’s blacklist for so long. We feel that Cloudflare can probably protect us from this type of attack. So the questions are:
- How do you configure Cloudflare in front of an Ecessa PowerLink load balancer that is already authoritative over the .com domain you want to protect?
- The web server logs for things like Exchange and other IIS servers need to still be able to track the actual IP address of the visitor, not Cloudflare’s IP.
- Is there velocity scanning?
- We’re already protecting our .org domain. Are there additional costs involved with adding a .com domain?
- Is it all or nothing? Say we have 40 cumulative IPs (20 with each ISP) as an example. Say 5 of them are web servers running on port 443. But say a bunch of the other ones are just VPN endpoints (point to points). Assuming the other end is using direct IP, there is no change?
Appreciate any links to how-to’s, or even any reps reaching out.
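The two mechanisms the post asks about, keeping the real visitor IP once a proxy sits in front of the origin and applying a per-IP velocity rule, can be shown in a few dozen lines. The following is an added example and is not code from the original post, from Cloudflare, or from Ecessa. It assumes the proxy passes the visitor address in a `CF-Connecting-IP` header (the header Cloudflare actually sends), uses a constructed placeholder proxy range instead of the real published proxy IP list, and uses constructed sample requests. The security point it illustrates: the forwarded-IP header is only trustworthy when the TCP peer really is the proxy, because anyone who reaches the origin directly (for example via the load balancer's public IPs) can put any value they like in that header.

```python
import ipaddress
import time
from collections import deque

# Placeholder, constructed for this example. A real deployment would load
# the proxy/CDN provider's published IP ranges here instead.
TRUSTED_PROXY_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]


def _get_header(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    name = name.lower()
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def client_ip(remote_addr, headers, trusted=TRUSTED_PROXY_RANGES):
    """Return the address to log and rate-limit on.

    CF-Connecting-IP is honoured only when the TCP peer is inside a trusted
    proxy range. For a direct connection the header is attacker-controlled,
    so the socket peer address is used instead.
    """
    peer = ipaddress.ip_address(remote_addr)
    if any(peer in net for net in trusted):
        forwarded = _get_header(headers, "CF-Connecting-IP")
        if forwarded:
            try:
                return str(ipaddress.ip_address(forwarded.strip()))
            except ValueError:
                pass  # malformed header value: fall back to the peer address
    return str(peer)


class VelocityRule:
    """Sliding-window limit: at most `limit` hits per `window` seconds per key."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._hits = {}  # key -> deque of hit timestamps inside the window

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self._hits.setdefault(key, deque())
        cutoff = now - self.window
        while q and q[0] <= cutoff:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False  # over the velocity limit: deny this attempt
        q.append(now)
        return True


# Constructed sample traffic: (TCP peer address, headers, timestamp in seconds).
# 203.0.113.10 is "the proxy"; 192.0.2.44 connects to the origin directly and
# spoofs the forwarded-IP header; 198.51.100.7 is the real visitor.
SAMPLE_REQUESTS = (
    [("203.0.113.10", {"cf-connecting-ip": "198.51.100.7"}, 0.0),
     ("192.0.2.44", {"CF-Connecting-IP": "198.51.100.7"}, 1.0)]
    + [("203.0.113.10", {"CF-Connecting-IP": "198.51.100.7"}, 2.0 + i)
       for i in range(5)]
    + [("203.0.113.10", {"CF-Connecting-IP": "198.51.100.7"}, 70.0)]
)


def process(requests, limit=5, window=60):
    """Resolve the client IP for each request and apply the velocity rule.

    Returns a list of (resolved_ip, allowed) in request order.
    """
    rule = VelocityRule(limit, window)
    decisions = []
    for remote_addr, headers, ts in requests:
        ip = client_ip(remote_addr, headers)
        decisions.append((ip, rule.allow(ip, now=ts)))
    return decisions


if __name__ == "__main__":
    for ip, allowed in process(SAMPLE_REQUESTS):
        print(f"{ip:15} {'allow' if allowed else 'DENY'}")
```

With a limit of 5 hits per 60 seconds, the sixth attempt from 198.51.100.7 inside the window is denied and the attempt at 70 seconds is allowed again once the window has slid. The request from 192.0.2.44 is attributed to 192.0.2.44 even though it carries a forged header, which is the behaviour an origin behind a proxy needs so that logs and rate limits cannot be redirected onto an innocent address.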