HTTP request flood

Hi all,

I have a website with a lot of visitors, but for a few weeks now, on some days, I’m facing HTTP request flood attacks. I have subscribed to the Pro plan from Cloudflare to try to prevent that, but it’s useless. I checked here: https://www.cloudflare.com/learning/ddos/http-flood-ddos-attack/ and it says we can prevent that by enabling the Cloudflare WAF in the Pro plan. So I did, and the result is the same. Here too they advertise preventing that: https://www.cloudflare.com/ddos/ . So I don’t understand: is it useful to subscribe to a Pro plan to prevent that? Or maybe there are some rules to configure that I’m not aware of. Can you help me with that?
I have also tried to put a rate limit on my HTTP server (apache2), but it’s totally useless because the IP is replaced by Cloudflare IPs, and I’m afraid of the performance issues of blocking directly on Apache or on a reverse proxy instead of iptables or fail2ban. And I can’t rate limit on iptables either, because it’s the real IP of the client (it’s the client) IP. So I’m a bit lost… Do you have any advice?

Thanks in advance.

Hi @Meviko,

From the Cloudflare page on DDoS you linked to, I quote:

Mitigating application layer attacks is particularly complex, as the malicious traffic is difficult to distinguish from normal traffic.

Confronting a flood attack can be confusing and requires patient and diligent work. The first thing you’d need to make sure is whether the requests are coming through your domain (and therefore via Cloudflare) or directly hitting the origin server via IP address.

For those requests coming through Cloudflare, you can use different Cloudflare tools that match specific patterns. You’d need to first identify those patterns on your origin server access logs.

For instance, if most of these “flood requests” are after your login page, you can create an Access Policy limiting access to that page to a certain IP address or to users authenticated via email address.

If the requests are coming from a pool of IP addresses (you can check the real IP address by installing mod_remoteip), you can use IP Access rules to block these IPs or their ASN. Likewise, you can create User Agent Blocking rules to block or challenge specific UAs.

But perhaps the most flexible tool available is Firewall Rules, which can combine any number of parameters to block, challenge or allow visitors.

If you share a sample of your server access logs with lines identifying the undesirable requests, or otherwise give more detail on the attack patterns, volunteers here in the community forum will hopefully be able to provide specific tips on how to handle the situation.

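One way to find the patterns the reply asks for in the origin access logs, as an added example that is not part of the original posts. It assumes Apache's "combined" log format with mod_remoteip already active (so the first field is the real client IP); the threshold, function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache "combined" format; assumes mod_remoteip is active so the first
# field is the real client address rather than a Cloudflare edge address.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

def parse(lines):
    """Yield (ip, minute, path, user_agent) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts.replace(second=0), m["path"].split("?")[0], m["ua"]

def summarize(lines, per_minute_threshold=5):
    """Return clients whose peak requests/minute meets the threshold, plus their top paths and UAs."""
    per_ip_minute = Counter()
    seen = defaultdict(list)
    for ip, minute, path, ua in parse(lines):
        per_ip_minute[(ip, minute)] += 1
        seen[ip].append((path, ua))
    peak = Counter()
    for (ip, _), n in per_ip_minute.items():
        peak[ip] = max(peak[ip], n)
    heavy = {ip: n for ip, n in peak.items() if n >= per_minute_threshold}
    paths = Counter(p for ip in heavy for p, _ in seen[ip])
    uas = Counter(u for ip in heavy for _, u in seen[ip])
    return heavy, paths.most_common(3), uas.most_common(3)

# Constructed sample log (documentation IP ranges, made-up user agents).
SAMPLE = [
    f'203.0.113.7 - - [12/Mar/2024:10:15:{s:02d} +0000] "POST /login.php HTTP/1.1" 200 512 "-" "flood-client/1.0"'
    for s in range(0, 40, 5)
] + [
    '198.51.100.20 - - [12/Mar/2024:10:15:03 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [12/Mar/2024:10:16:10 +0000] "GET /about.html?x=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The three results line up with the tools named in the reply: heavy client IPs for IP Access rules, dominant user agents for User Agent Blocking, and concentrated paths for a Firewall Rule or Access Policy on that URL.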