Idea: A page rule to disallow HTTP Methods - Avoid POST DOS


#1

Hi all,

I just had my site attacked by a DOS approach where they slowly sent me a bunch of 400GB POSTs to a random non-404 URL on my server. I think they were sent simultaneously and slowly in an attempt to run me out of disk space. It did not work, but got me thinking about a page rule to basically disallow certain methods. The obvious filter would be like:

example.com/static/* disallow POST,PUT,DELE

I think this would be low cost for CloudFlare to implement - would save storage and bandwidth everywhere, make the POST big files DOS much less fun.

Yes, I can do this with .htaccess files littered throughout my application - but it seems like a nice idea for a page rule.
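The per-path method rule proposed in this post, enforced at the origin as a WSGI middleware. This is an added example, not part of the original post and not a Cloudflare feature; the rule list and the names `MethodFilter`, `demo_app` and `simulate` are hypothetical, and the requests are constructed.

```python
import io
from fnmatch import fnmatchcase

# Constructed rule in the spirit of "example.com/static/* disallow POST,PUT,..."
RULES = [("/static/*", {"POST", "PUT", "DELETE", "PATCH"})]
ALL_METHODS = ("GET", "HEAD", "OPTIONS", "POST", "PUT", "DELETE", "PATCH")

def blocked_methods(path, rules=RULES):
    """Union of the methods disallowed by every rule whose glob matches path."""
    blocked = set()
    for pattern, methods in rules:
        if fnmatchcase(path, pattern):
            blocked |= methods
    return blocked

class MethodFilter:
    """WSGI middleware: answer 405 for a disallowed method without reading the body."""
    def __init__(self, app, rules=RULES):
        self.app, self.rules = app, rules

    def __call__(self, environ, start_response):
        method = environ.get("REQUEST_METHOD", "GET").upper()
        path = environ.get("PATH_INFO", "/")
        blocked = blocked_methods(path, self.rules)
        if method in blocked:
            allow = ", ".join(m for m in ALL_METHODS if m not in blocked)
            # Decided from method and path alone; wsgi.input is never touched.
            start_response("405 Method Not Allowed",
                           [("Allow", allow), ("Content-Length", "0")])
            return [b""]
        return self.app(environ, start_response)

def demo_app(environ, start_response):
    # Stand-in origin application that consumes the whole request body.
    size = int(environ.get("CONTENT_LENGTH") or 0)
    data = environ["wsgi.input"].read(size)
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"read %d bytes" % len(data)]

def simulate(method, path, body=b"x" * 1024):
    """Run one constructed request; return (status, headers, body bytes consumed)."""
    stream = io.BytesIO(body)
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": stream}
    seen = {}
    def start_response(status, headers):
        seen.update(status=status, headers=dict(headers))
    b"".join(MethodFilter(demo_app)(environ, start_response))
    return seen["status"], seen["headers"], stream.tell()
```

The middleware only keeps the application from consuming the body; whether the connection stops receiving it depends on the server or proxy in front of the application.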


#2

Sorry to hear you experienced an attack. There are actually a few ways that you can achieve this today, namely:

  1. (Pro+) The Web Application Firewall has a rule (100040) which blocks POST requests to /
  2. (Biz+) A custom Web Application Firewall rule can be requested which blocks POST requests to a specific URI
    2.1. Information on requesting a custom rule: https://support.cloudflare.com/hc/en-us/articles/200172026-What-kind-of-requests-does-the-WAF-work-on-
  3. (All) A Rate Limiting rule which blocks or challenges POST requests to a specific URI when they send more than X requests
    3.1. Information on implementing a Rate Limiting rule: https://www.cloudflare.com/rate-limiting/

If you have any questions about the above, or run into any issues, let us know and I am sure either myself or someone else can help you achieve what you are looking to do!