I tried to load-test my Cloudflare Worker URL using loader.io.
I tried 10,000 reqs per sec and it still went through without any error. So bad guys can just DDoS me and I will be charged huge sums of money, because I'm on the paid plan now?
How do we protect our Cloudflare Worker against such an attack? I thought Cloudflare's HTTP flood protection would kick in, but it's not at all.
Free gets 100k free requests per day
Unlimited gets 10 million free requests per month (2)
You will automatically be billed $0.50 per additional 1 million requests.
You will be automatically billed $0.50 per additional GB of storage, $0.50 per additional 1 million read operations, $5.00 per additional 1 million write operations, $5.00 per additional 1 million delete operations, and $5.00 per additional 1 million list operations.
Keep in mind that Cloudflare might already be white-listing loader.io IPs because users are already using it to load-test their Workers (I've been doing that for more than a year). So why would they categorize it as an attack then?
You're doing a layer 7 application-level attack, so you need to use the layer 7 tools CF provides, like CF WAF, Firewall Rules and CF Rate Limiting. Layer 7 mitigation can't be 100% automated, as CF can't know 100% whether the requests are legit or not without you telling it via hints, i.e. CF WAF/Firewall Rules and Rate Limiting.
You can use rate limiting to protect Workers, but CF Rate Limiting costs more than CF Workers, so you might as well let the CF Worker bear the brunt of it if you have a CF Worker which does caching to protect your origin. Of course, if your CF Worker is not set up for caching to offload work from the origin, then you'll incur CF Worker costs and still overload your origin.
CF rate limit = $50 for 10 million good requests
CF workers = $5 for 10 million worker requests
You can also set up fail2ban on the origin server and configure it to talk with the CF Firewall API, so the fail2ban jail rules you specify for bad request traffic get the IP banned and the IP ban gets sent to CF Firewall via the API to ban at the CF Firewall level.
For instance, if your origin Nginx server is set up with rate limiting of say 10 requests/s to the /register.php link for the same IP, it will log a rate-limit log entry in your nginx logs. If you set up fail2ban to read that nginx log looking for that match, then you can ban the IP that hits 10 reqs/sec to /register.php and configure fail2ban to talk to the CF Firewall API to pass on that banned IP to CF Firewall, which will ban the IP at the CF edge servers.
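The pipeline described in the two posts above (nginx limit_req log entry, fail2ban match, ban pushed to CF Firewall), as an added example that is not eva2000's script or anything from Cloudflare or fail2ban. It parses the lines nginx's limit_req module writes to the error log, counts rejections per client IP for one path the way a fail2ban jail's maxretry does, and builds the request body an actionban would POST to the zone's IP Access Rules endpoint. The log lines, zone names, hostnames, IPs and the zone id are constructed or placeholders; the endpoint path and the mode/configuration/notes fields are the IP Access Rules API as documented at the time of writing, so check them against the current Cloudflare API reference before wiring this into a real jail (fail2ban also ships its own nginx-limit-req filter for these log lines).

```python
import re
from collections import Counter

# Constructed sample of the error-log lines nginx's limit_req module writes; the
# zone names, IPs, hostnames and timestamps are made up for this example.
SAMPLE_NGINX_ERROR_LOG = """\
2024/05/01 10:00:00 [error] 1234#1234: *501 limiting requests, excess: 10.120 by zone "register", client: 203.0.113.7, server: forum.example, request: "POST /register.php HTTP/1.1", host: "forum.example"
2024/05/01 10:00:00 [error] 1234#1234: *502 limiting requests, excess: 11.003 by zone "register", client: 203.0.113.7, server: forum.example, request: "POST /register.php HTTP/1.1", host: "forum.example"
2024/05/01 10:00:01 [error] 1234#1234: *503 limiting requests, excess: 10.450 by zone "login", client: 198.51.100.23, server: forum.example, request: "POST /login.php HTTP/1.1", host: "forum.example"
2024/05/01 10:00:01 [warn] 1234#1234: *504 delaying request, excess: 0.900 by zone "register", client: 192.0.2.9, server: forum.example, request: "POST /register.php HTTP/1.1", host: "forum.example"
2024/05/01 10:00:02 [error] 1234#1234: *505 limiting requests, excess: 12.000 by zone "register", client: 203.0.113.7, server: forum.example, request: "POST /register.php HTTP/1.1", host: "forum.example"
"""

# Only "limiting requests" lines are rejections (HTTP 503); "delaying request"
# lines mean the request was slowed down but still served, so they are not matched.
LIMIT_REQ_RE = re.compile(
    r'limiting requests, excess: [\d.]+ by zone "(?P<zone>[^"]+)", '
    r'client: (?P<ip>[0-9A-Fa-f.:]+), .*?request: "(?P<method>[A-Z]+) (?P<path>\S+)'
)

CF_API = "https://api.cloudflare.com/client/v4"


def parse_limit_req(line):
    """Return zone/ip/method/path for a limit_req rejection line, else None."""
    m = LIMIT_REQ_RE.search(line)
    return m.groupdict() if m else None


def offenders(log_text, path, maxretry):
    """IPs rejected at least `maxretry` times for `path`, in first-seen order.

    This mirrors what a fail2ban jail does with maxretry over a findtime window;
    the window is left out here because the sample is a single snapshot.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_limit_req(line)
        if rec and rec["path"].split("?", 1)[0] == path:
            hits[rec["ip"]] += 1
    return [ip for ip, n in hits.items() if n >= maxretry]


def access_rule_request(zone_id, value, note, target="ip"):
    """Build the request a fail2ban actionban would send to create a block rule.

    `target` is "ip" for a single address or "ip_range" for a CIDR. Nothing is
    sent here; the caller (or the fail2ban action) performs the HTTP call with
    the account's API token in an Authorization: Bearer header.
    """
    url = f"{CF_API}/zones/{zone_id}/firewall/access_rules/rules"
    body = {
        "mode": "block",
        "configuration": {"target": target, "value": value},
        # The notes field is what a later cleanup script matches on to tell
        # fail2ban-created rules apart from manually added ones.
        "notes": note,
    }
    return "POST", url, body


if __name__ == "__main__":
    # ZONE_ID_PLACEHOLDER stands in for a real zone id.
    for ip in offenders(SAMPLE_NGINX_ERROR_LOG, "/register.php", maxretry=3):
        method, url, body = access_rule_request("ZONE_ID_PLACEHOLDER", ip, "fail2ban nginx-limit-req")
        print(method, url, body)
```

Two details matter in practice: the delayed-request warning is deliberately not counted, so a client that nginx merely slowed down is not banned, and the notes value is the hook for cleaning up later, since every rule this creates carries the same tag.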
Not useless, fail2ban just passes the banned IP to CF Firewall so that CF edge servers eventually do all the work in banning that IP at the CF edge server level. CF has 200+ datacenters worth of CF edge servers to handle large layer 7 DDOS attacks, which will have more computation and network bandwidth than your single origin server would be able to handle via fail2ban alone.
Cloudflare provides the tools for you to use, just need to use them optimally
FYI, I've seen large forums handle such layer 7 DDOS attacks with such a fail2ban + CF Firewall implementation with ease for 1-3 million requests/second! Find me a DDOS mitigation service able to handle that for free to US$20/month.
The CF Firewall custom rules I tailored for my forum sites have virtually wiped out brute force login attacks, as I create custom CF Firewall rules that target my login/registration pages for certain criteria, i.e. ASN, IP, country, user agents, HTTP request protocol etc. = me telling CF via hints what is legit or not legit traffic for my particular web app.
@eva2000 just curious, say your fail2ban/Cloudflare service hiccups during the 'actionunban'. Then technically, that IP wouldn't get unbanned and that firewall rule on Cloudflare would remain. Just curious if that edge case was considered?
fail2ban has a status command, and I also wrote an extended status wrapper script with more details for each fail2ban jail rule, so you can inspect how old a banned IP is. Then I have a separate custom CF Firewall API script which can do bans/unbans by IP or IP range and even unban based on IP ban age. So you can script purging of banned IPs from CF Firewall via API for, say, older than XX seconds age as a way of cleaning up CF Firewall banned IPs that come from fail2ban or any other app (because the custom script can purge based on CF Firewall's IP comment entry to target specific types of banned IPs, i.e. match on the CF Firewall comment entry of fail2ban banned IPs).
i.e. unban all Cloudflare Firewall banned IPs older than 5 seconds
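The age-based purge eva2000 describes, which also answers the missed-actionunban question a few posts up: an added example of my own, not eva2000's script. It reconciles against what Cloudflare actually has, rather than fail2ban's local state, so a rule left behind by a failed unban still gets removed once it is older than the chosen age. Rules are selected by the prefix of their notes field (the comment entry that the fail2ban action tagged them with) and their created_on timestamp, and the block refuses to delete anything that is not a block rule. The rule list, IDs, IPs and the zone id are constructed or placeholders; the listing fields and the zone-level DELETE endpoint are the IP Access Rules API as documented at the time of writing, so verify them against the current reference before running this against a live zone.

```python
import re
from datetime import datetime, timezone

CF_API = "https://api.cloudflare.com/client/v4"

# Constructed sample of access rules as returned by the zone's access-rules
# listing, trimmed to the fields this script uses. IDs, IPs and notes are made up.
SAMPLE_RULES = [
    {"id": "rule-a", "mode": "block",
     "configuration": {"target": "ip", "value": "203.0.113.7"},
     "notes": "fail2ban nginx-limit-req", "created_on": "2024-05-01T10:00:00.000000Z"},
    {"id": "rule-b", "mode": "block",
     "configuration": {"target": "ip", "value": "203.0.113.44"},
     "notes": "fail2ban nginx-limit-req", "created_on": "2024-05-01T10:09:58Z"},
    {"id": "rule-c", "mode": "block",
     "configuration": {"target": "asn", "value": "AS64496"},
     "notes": "manual: abusive scraper network", "created_on": "2024-01-01T00:00:00Z"},
    # A whitelist rule whose note happens to carry the fail2ban tag: it must survive the purge.
    {"id": "rule-d", "mode": "whitelist",
     "configuration": {"target": "ip_range", "value": "198.51.100.0/24"},
     "notes": "fail2ban exempt: office range", "created_on": "2023-06-01T00:00:00Z"},
]


def parse_cf_timestamp(ts):
    """Parse Cloudflare's RFC 3339 timestamps (optional fractional seconds, trailing Z)."""
    ts = re.sub(r"\.\d+", "", ts).replace("Z", "+00:00")
    return datetime.fromisoformat(ts)


def rule_age_seconds(rule, now):
    """Seconds since the rule was created, measured against an aware `now`."""
    return (now - parse_cf_timestamp(rule["created_on"])).total_seconds()


def select_expired(rules, now, max_age_seconds, note_prefix="fail2ban"):
    """IDs of fail2ban-tagged block rules older than max_age_seconds.

    Matching on the notes prefix keeps manually added rules out of the purge;
    checking the mode keeps a whitelist rule from being removed even if someone
    reused the tag in its note.
    """
    return [
        r["id"] for r in rules
        if r.get("mode") == "block"
        and r.get("notes", "").startswith(note_prefix)
        and rule_age_seconds(r, now) > max_age_seconds
    ]


def delete_requests(zone_id, rule_ids):
    """(method, url) pairs a client would issue to remove the selected rules."""
    return [("DELETE", f"{CF_API}/zones/{zone_id}/firewall/access_rules/rules/{rid}")
            for rid in rule_ids]


if __name__ == "__main__":
    # ZONE_ID_PLACEHOLDER stands in for a real zone id; the real listing is paginated,
    # so a live run would page through all rules before selecting.
    now = datetime.now(timezone.utc)
    for method, url in delete_requests("ZONE_ID_PLACEHOLDER", select_expired(SAMPLE_RULES, now, 300)):
        print(method, url)
```

Run it on a schedule with a max age that matches the jail's bantime. Because fail2ban re-bans on the next match anyway, purging by age at the Cloudflare side loses nothing: a repeat offender is simply pushed back up to the edge the moment nginx rejects it again.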
@eva2000 fail2ban on your hosted server is not really solving the problem, like @ray9 hinted; you just create a new bottleneck.
Your fail2ban server will easily fail under big load and then you are back to the same problem.
LEMP stack is what I am familiar with, that's why. I develop Centmin Mod for performance and scalability, as I spent over a decade working for vBulletin forum software and working with some of the largest community forums online to ensure their forums scaled/performed. So I took what I learnt and put it into the Centmin Mod LEMP stack.
Obviously, a lot of those web sites/communities leverage the wonderful Cloudflare product/service offerings that definitely help. As you know, a lot of forums do get DDOS attacks, so Cloudflare does its part to help.
Whoa! I had no idea you were a sysadmin wizardess!
I’ve hosted quite a few PHPBB forums in my days, but never got it to scale well so the past 5 years it’s been NodeBB instead. Considering how far Nginx + PHP have come, I’d expect performance to be pretty much on-par now.