I'm under DDoS Attack

firewall

#1

I'm getting hundreds of millions of DDoS requests on a special page (access logs per day - 10GB).
All requests are only on one page: domainname/search
That page, domainname/search*, doesn't exist any more on the website.

I have used a Firewall Rule for URLs that contain /search (http.request.uri contains "/search").
All pages that contain domainname/search* are blocked successfully.
But in the Tomcat access logs I see the attack on that page still continues.
I tried "I'm under attack" too - it doesn't help.
Somebody please help me to stop it. Maybe you know how to protect from these threats.
Any help would be appreciated.

Below is an example of such requests:
"
172.69.198.17 - - [30/Jan/2019:11:59:58 +0000] “GET /search HTTP/1.1” 301 5
108.162.221.74 - - [30/Jan/2019:11:59:58 +0000] “GET /search HTTP/1.1” 301 5
172.68.189.68 - - [30/Jan/2019:11:59:58 +0000] “GET /search HTTP/1.1” 301 5
172.69.134.166 - - [30/Jan/2019:11:59:58 +0000] “GET /search HTTP/1.1” 301 5
108.162.238.96 - - [30/Jan/2019:11:59:58 +0000] “GET /search HTTP/1.1” 301 5
162.158.34.59 - - [30/Jan/2019:11:59:58 +0000] “GET /search HTTP/1.1” 301 5
162.158.34.161 - - [30/Jan/2019:11:59:58 +0000] “GET /search HTTP/1.1” 301 5
162.158.154.32 - - [30/Jan/2019:11:59:58 +0000] “GET /search HTTP/1.1” 301 5
162.158.63.125 - - [30/Jan/2019:11:59:58 +0000] “GET /search HTTP/1.1” 301 5
172.68.59.151 - - [30/Jan/2019:11:59:58 +0000] “GET /search HTTP/1.1” 301 5
162.158.126.29 - - [30/Jan/2019:11:59:58 +0000] “GET /search HTTP/1.1” 301 5
173.245.52.116 - - [30/Jan/2019:11:59:58 +0000] “GET /search HTTP/1.1” 301 5
162.158.123.194 - - [30/Jan/2019:11:59:58 +0000] “GET /search HTTP/1.1” 301 5
172.68.34.5 - - [30/Jan/2019:11:59:58 +0000] “GET /search HTTP/1.1” 301 5
172.68.59.151 - - [30/Jan/2019:11:59:58 +0000] “GET /search HTTP/1.1” 301 5
162.158.214.29 - - [30/Jan/2019:11:59:58 +0000] “GET /search HTTP/1.1” 301 5
108.162.212.216 - - [30/Jan/2019:11:59:58 +0000] “GET /search HTTP/1.1” 301 5
172.69.71.25 - - [30/Jan/2019:11:59:58 +0000] “GET /search HTTP/1.1” 301 5
172.69.68.94 - - [30/Jan/2019:11:59:58 +0000] “GET /search HTTP/1.1” 301 5
172.69.135.155 - - [30/Jan/2019:11:59:58 +0000] “GET /search HTTP/1.1” 301 5
162.158.126.59 - - [30/Jan/2019:11:59:58 +0000] “GET /search HTTP/1.1” 301 5
162.158.58.40 - - [30/Jan/2019:11:59:58 +0000] “GET /search HTTP/1.1” 301 5
173.245.48.238 - - [30/Jan/2019:11:59:58 +0000] “GET /search HTTP/1.1” 301 5
162.158.75.89 - - [30/Jan/2019:11:59:58 +0000] “GET /search HTTP/1.1” 301 5
162.158.78.167 - - [30/Jan/2019:11:59:58 +0000] “GET /search HTTP/1.1” 301 5
173.245.52.116 - - [30/Jan/2019:11:59:58 +0000] “GET /search HTTP/1.1” 301 5
162.158.63.77 - - [30/Jan/2019:11:59:58 +0000] “GET /search HTTP/1.1” 301 5
197.234.242.173 - - [30/Jan/2019:11:59:58 +0000] “GET /search HTTP/1.1” 301 5
141.101.99.90 - - [30/Jan/2019:11:59:58 +0000] “GET /search HTTP/1.1” 301 5
108.162.219.53 - - [30/Jan/2019:11:59:58 +0000] “GET /search HTTP/1.1” 301 5
162.158.75.77 - - [30/Jan/2019:11:59:58 +0000] “GET /search HTTP/1.1” 301 5
162.158.63.125 - - [30/Jan/2019:11:59:58 +0000] “GET /search HTTP/1.1” 301 5
141.101.99.90 - - [30/Jan/2019:11:59:59 +0000] “GET /search HTTP/1.1” 301 5
162.158.154.32 - - [30/Jan/2019:11:59:59 +0000] “GET /search HTTP/1.1” 301 5
"


#2

If “I am under attack” does not work, I’d first check if these requests really come through Cloudflare. If they do not, there is a different issue. However, considering all IPs point to Cloudflare, that would suggest the requests do come through Cloudflare (and that you do not rewrite IP addresses :slight_smile:)

Alternatively, you could also create a firewall rule, but “I am under attack” should still work nonetheless.
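
The check suggested in reply #2, as an added example that is not part of the original thread: it reads access-log lines in the format posted above and counts `/search` requests by whether the peer address belongs to Cloudflare's published IPv4 ranges. The range list is a snapshot and should be refreshed from https://www.cloudflare.com/ips-v4; the sample lines are constructed, and the function names are this example's own.

```python
import ipaddress
import re
from collections import Counter

# Snapshot of Cloudflare's published IPv4 ranges (assumption: refresh from
# https://www.cloudflare.com/ips-v4 before relying on the result).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Access log prefix: peer IP, two fields, [timestamp], "METHOD path ...".
# Both straight and typographic quotes are accepted around the request.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] ["“]([A-Z]+) (\S+)')

def is_cloudflare(ip):
    """True if ip parses and falls inside one of the listed Cloudflare ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CLOUDFLARE_V4)

def classify(lines, path_prefix="/search"):
    """Count requests for path_prefix by origin of the connecting peer."""
    counts, direct = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m.group(3).startswith(path_prefix):
            continue
        if is_cloudflare(m.group(1)):
            counts["via_cloudflare"] += 1
        else:
            counts["direct_to_origin"] += 1
            direct[m.group(1)] += 1   # peers that bypass the proxy
    return counts, direct

# Constructed sample: two lines in the posted format, one unrelated path, and
# one documentation address (203.0.113.0/24) standing in for a direct hit.
SAMPLE = [
    '172.69.198.17 - - [30/Jan/2019:11:59:58 +0000] "GET /search HTTP/1.1" 301 5',
    '108.162.221.74 - - [30/Jan/2019:11:59:58 +0000] "GET /search HTTP/1.1" 301 5',
    '172.68.34.5 - - [30/Jan/2019:11:59:58 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [30/Jan/2019:11:59:59 +0000] "GET /search HTTP/1.1" 301 5',
]

if __name__ == "__main__":
    print(classify(SAMPLE))
```

A non-zero `direct_to_origin` count means those requests never passed Cloudflare, so no rule configured there can stop them. If the origin restores visitor addresses from a header, the logged IP is no longer the peer and this check does not apply.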

