Images not loading during DDoS attack

There has been a major DDoS attack on my local news website for over a week. This has resulted, among other things, in the number of post impressions reaching up to a million, when previously there used to be 10-20 thousand.

The website and server are located in Poland. Most of the fake traffic during the DDoS comes from Poland and the USA.

The ‘I’m under attack’ mode did not help at all in reducing harmful traffic. It only negatively affected the access of known bots to the site.

I have a paid Cloudflare subscription and in WAF I have set up “managed challenge” for the countries from which users come most often.

I’ve managed to reduce about 60-70% of the artificial traffic, but problems also arise from this:

  • Facebook and Instagram often cannot fetch the image correctly given in OG tags (og:image).
  • Users complain that only some images load on the site (it seems that the more often someone visits the site, the more images they see).
  • High CSR (Challenge Solved Rate) in firewall rules (WAF section) for traffic from Poland, the most important users.

I found the “Rate limiting rules” very helpful, which I set for all hostname requests with a rate of 4 requests per 10 seconds.

  1. Why are images not loading? Setting a higher value for “Rate limiting rules” helps a little, but causes massive attacks.
  2. What else can I do to limit the fake traffic?

WAF:

A few notes:

  1. Consider moving the firewall rule that allows known bots to the highest priority (1).
  2. Remove the Facebook crawler rule; attackers can spoof the user agent and bypass all the other rules you built.

This is not expected behavior; UAM should never block or challenge known bots. Do you have any evidence to show this? Any Ray ID or similar?

Most likely getting challenged by rate limit, I’d say. When loading sites (especially if you have images), it’s very likely that visitors are going well above 4 requests per 10 seconds.

Can you post the WAF Overview graphs as well as summaries?

Also, consider checking this guide:


Thanks a lot, jnperamo.

I can only say with or without UAM the traffic is the same.

I don’t know if it matters, but it seems that the harmful traffic comes from mobile phones and is dependent on the time of day. It’s lower at night and in the morning, so when people aren’t using smartphones because they’re sleeping, the harmful traffic doesn’t occur. Could this be an attack carried out by malicious mobile apps or is this pattern quite normal?

Regarding the images: is this worth applying?

Thanks for the tutorial, I will follow.

Please find the WAF Overview graphs and summaries below.

Worth giving it a shot 👌

Awesome, can you also expand some of the logs that have as “action taken” either managed challenge or block?

Events summary (CSV) is available to download here: https://we.tl/t-TfbAvhoT0f

Hope this is what you have asked for.

So if your site loads all the images from the same hostname, a typical webpage is going to include dozens of requests to load all of the assets; anything after the first 4 would be blocked. So you’re probably blocking JS and CSS files as well.
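
The effect described in the replies above, as an added example that is not part of the original thread: a simplified fixed-window model of a "4 requests per 10 seconds" rule applied to one constructed page view, plus a helper that measures the per-client peak you would need to allow. The counting model, the paths and the client IP are assumptions for illustration, not Cloudflare's actual algorithm or data from this site.

```python
from collections import defaultdict

def apply_rate_limit(requests, limit, period):
    """Simplified model (assumption): per client IP, count requests in fixed
    windows of `period` seconds; requests beyond `limit` in a window are blocked.
    `requests` is an iterable of (timestamp_seconds, client_ip, path)."""
    counts = defaultdict(int)
    allowed, blocked = [], []
    for ts, ip, path in sorted(requests):
        window = (ip, int(ts // period))
        counts[window] += 1
        (allowed if counts[window] <= limit else blocked).append(path)
    return allowed, blocked

def peak_per_window(requests, period):
    """Highest request count any single client reaches within one window.
    Run over legitimate traffic, this is the floor for a usable threshold."""
    counts = defaultdict(int)
    for ts, ip, _path in requests:
        counts[(ip, int(ts // period))] += 1
    return max(counts.values(), default=0)

# Constructed sample: one visitor opening one article with 12 images,
# all served from the same hostname (203.0.113.0/24 is a documentation range).
CLIENT = "203.0.113.7"
PAGE_LOAD = [
    (0.0, CLIENT, "/article/123"),
    (0.2, CLIENT, "/static/site.css"),
    (0.2, CLIENT, "/static/app.js"),
] + [(0.5 + i * 0.1, CLIENT, f"/img/photo-{i}.jpg") for i in range(12)]

if __name__ == "__main__":
    allowed, blocked = apply_rate_limit(PAGE_LOAD, limit=4, period=10)
    print(f"allowed {len(allowed)}: {allowed}")
    print(f"blocked {len(blocked)}: {blocked}")
    print("peak requests per 10 s for this page view:",
          peak_per_window(PAGE_LOAD, period=10))
```

Feeding `peak_per_window` real per-client timestamps from the origin access log for known-good visitors gives a measured lower bound for the rate limit instead of a guessed one.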
