So I got the pro plan, turned the WAF on with browser check; however, a layer 7 attack from a web stresser still dropped the site. The only thing that stopped it was rate limiting, which gets expensive on a forum using web sockets and constant legit requests. Anything I can do to reduce the cost since I’m on the pro plan already?
As a side note, can I disable rate limiting on a certain file type (like unlimited .png requests, since Cloudflare caches them anyway)? The first user to request the full emoji list gets banned by rate limiting for requesting too many images at once (1000s of images); any way to get around this?
We are going to clear up the wording a little. The Unmetered Mitigation doesn’t guarantee that your site won’t go down, but does offer the assurance that your account won’t be terminated or charged simply for being the victim of an attack. In reality we will do our best to mitigate everything anyway.
You can’t disable rate limiting against only a certain file type. You can by method type (GET, POST, etc.) or by URL with a wildcard.
You should be able to bypass by URL with a wildcard, and put all the files into the same directory.
Support helped me create a page rule that disables security for the images folder and enables cache everything, so a request flood of previously uncached files in the images directory shouldn’t have a big impact, if any at all (sophisticated attack too!).
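The page rule described in the post above, written out as an added example (not code from the thread or from Cloudflare) using the Cloudflare v4 page rules API. It assumes the static assets live under /images/, that a token with page rule edit permission is in CF_API_TOKEN, the zone id in CF_ZONE_ID, and that the API field names are as documented for page rules; the last function is a quick check that an asset really is served from the edge once the rule is live.

```shell
#!/usr/bin/env bash
# Added example: exempt the images folder from security features (WAF, browser
# check, legacy rate limiting) and serve it entirely from the Cloudflare cache.
# Assumptions: assets under /images/, CF_API_TOKEN and CF_ZONE_ID set, page rule
# action ids as in the Cloudflare page rules API documentation.
set -eu

# Build the page rule body: match <host>/images/*, cache everything for 30 days
# at the edge, and disable security for those requests only.
page_rule_body() {
  local host="$1"
  cat <<EOF
{"targets":[{"target":"url","constraint":{"operator":"matches","value":"${host}/images/*"}}],
 "actions":[{"id":"cache_level","value":"cache_everything"},
            {"id":"edge_cache_ttl","value":2592000},
            {"id":"disable_security"}],
 "status":"active"}
EOF
}

# Create the rule through the API (needs network and credentials).
create_page_rule() {
  local host="$1"
  curl -fsS -X POST "https://api.cloudflare.com/client/v4/zones/${CF_ZONE_ID}/pagerules" \
    -H "Authorization: Bearer ${CF_API_TOKEN}" \
    -H "Content-Type: application/json" \
    --data "$(page_rule_body "$host")"
}

# Print the cf-cache-status header for one asset URL; after the rule is live and
# the file has been fetched once, repeated requests should report HIT, meaning a
# flood of image requests stays at the edge instead of reaching the origin.
cache_status() {
  curl -sI "$1" | tr -d '\r' | awk 'tolower($1)=="cf-cache-status:" {print $2}'
}

# Only talk to the API when credentials are present, so the file is safe to source.
if [ "${CF_ZONE_ID:-}" ] && [ "${CF_API_TOKEN:-}" ]; then
  create_page_rule "${1:-example.com}"
fi
```

Run `cache_status https://example.com/images/smile.png` twice after creating the rule; the second call should print HIT.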
As for the pro plan now. Is unmetered the same as advanced DDoS protection as for business? I.e. are you giving pro customers the same layer 7 that previously only benefited business and enterprise?
Our systems effectively treat PRO and BIZ the same with regard to a Level 7 attack, however there are some features (like WAF or RL) that can do more to keep your site online. And some features are only available at higher levels.
Unmetered Mitigation is not a guarantee that your site will not go down, but is instead a promise that you don’t have to worry about being terminated or charged because someone attacked you.
I know railgun is business only, but I have the WAF available on my pro plan, it’s enabled using the rulesets I need and makes me and my users feel a bit safer knowing malicious requests won’t be passed to the server.
As for unmetered mitigation, my primary past concern was that you guys would suspend me and I’d have to call Uniregistry on the phone (there is an admin lock on my domain name requiring phone verification with compliance before making any changes to the domain) to unlock my account, update nameservers, and lock it again so the changes are saved. Rate limiting has literally stopped every DDoS attack that your filters did not catch; it’s a bit expensive at times, but it’s a good last resort.
Are there any WAF rules you recommend enabling to further fight HTTP floods?
You won’t have to worry about that anymore. Unmetered Mitigation means we won’t suspend you over an attack. It’s what we called FINTing…and we won’t do it anymore. Matthew described it in his blog post.
End of the FINT That said, from our early days, we would sometimes fail customers off our network if the size of an attack they received got large enough that it affected other customers. Internally, we referred to this as FINTing (for Fail INTernal) a customer.
As far as other WAF rules, there are too many variances to have general “recommendations”, but if you experience an issue it’s a good idea to contact support so they can review the traffic and make suggestions.
Alright, the only types of attacks I’ve had trouble with are from web stressers that can bypass browser check and send HTTP floods to the site. Rate limiting blocks it most of the time without any adjustments, but it’s an expensive solution and a band-aid at best. Cloudflare’s help with other mitigation tactics would be appreciated.