I am being attacked

weblectulandia · December 14, 2020, 7:32pm

One of my site is being attacked and the atack goes througth cloudflare network without being treated as suspicious activity.

How I know that is going throught cloudflare?
Looking at the information tab of my domain (here in cloudflare), I have normally 30K-100K request per hour depending on the hour, when the site is being attacked I could see more than 4 millons reques per hour registered here.

The “under atack” mode does not mitigate this either.
At first I have created a rule to block the countries from where the traffic was being originated, but after a few hours it seems that the atacker has updated his method and that does not work anymore.

The atack consist on thousands of requests to my dynamic urls.
Examples:

search/{randomString}
wp-loguin.php?redirect_to={randomString}
wp-admin/admin_ajax.php

The only thing that is working is blocking the atacked urls altogether on NGINX.

How is that kind of trafik going throuth Cloudflare?

Yes, I am on a free plan, but I am willing to upgrade to a PRO plan if this kind of attacks are blocked.

brian · December 14, 2020, 10:13pm

One thing you could do is rename the WP login url. That will immediately stop bot attacks targeting the default login url. Use a plugin like WPS Hide Login.

weblectulandia · December 14, 2020, 10:18pm

Thakyou for your reply brian, but that will not help

This is a targeted atack (and I suspect on who is doing it, the owner of another site), not a random one.
Every time I block a resource the atacker change the url that is hitting.
I can see this reflected on the logs…

brian · December 14, 2020, 10:20pm

Are you able to identify the abusing IPs?

weblectulandia · December 14, 2020, 10:26pm

Yes, as I said the trafic is coming throught cloudflare, I have set NGINX so it takes the correct ip of the visitors and put in place rules to throtle the traffic (this is not helping too much) but on the logs I have a continuos stream of different IPs that are hiting the rules.

There are many different IPs and they stop for some minutes and start again from different countries.

So, it is not feasible to disallow the ips, I am suspecting that the atacker is using some sort of paid service to conduct the atack.

brian · December 14, 2020, 10:35pm

If you upgrade to Pro you’ll get more specific help but it may or may not be fast as sometimes it takes 24 hours to get a response. But you also get more in depth security controls on the Pro plan vs Free.

jnperamo · December 14, 2020, 11:29pm

The “automated” layer7 mitigation is the same on all plans, I would say that even on the enterprise plan it’s the same or very similar.
Cloudflare rather aims to give you the tools to mitigate the attacks yourself since a “1 generic firewall for all internet” when it comes to layer7 does not exist because what you consider a DDoS might not be an attack for client b.
Some enterprise competitors solve this by allowing you to “train” the firewall and then upon DDoS attack, it can detect and mitigate them, however, those solutions are pricy.

You could look into the business plan, you have more page rules and technical live chat that could help you tune the rules.

system · January 13, 2021, 7:32pm

This topic was automatically closed after 30 days. New replies are no longer allowed.