Our small business IP was shutting down our website because of DDoS. I redirected the URL through Cloudflare and turned on the “Under Attack” switch. But we’re still getting thousands of DDoS hits, and the IP has again shut down our website. Isn’t Cloudflare supposed to throttle or block repeated pings from the same IP address(es)?
What should I do? Is there a way to block any IP address that tries to access our website more than once, say, 5 times per minute? I’m completely lost here, and our site is down. Thanks for helping.
Was the site working with SSL prior to adding it to Cloudflare?
Make sure your origin only allows requests from Cloudflare IP addresses by blocking everything else at your firewall. If the attack was in place before using Cloudflare that may be the attack route and Cloudflare can’t protect you against requests that don’t pass through Cloudflare.
Under Attack Mode will challenge all requests to your site, so it should block the attack requests.
There is rate limiting, though features are limited on the lower plans…
Follow this guide for fine tuning protection against a DDoS attack…
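The origin lockdown recommended above (and again later in the thread, where the origin IP is called the second “road” to the server) can be scripted. The following is an added example, not something posted in the thread: it turns the two Cloudflare IP list files into an nftables ruleset with a default-drop input policy, so that HTTP/S, and ICMP too, only gets through when it arrives from a Cloudflare edge. The CIDRs used in the test are constructed placeholders; the real lists must be downloaded from the URLs in the comment and the ruleset regenerated whenever they change.

```shell
#!/bin/sh
# Added example (not from the thread): admit ports 80/443 on the origin only
# from Cloudflare's published egress ranges, using nftables.
# Fetch the authoritative lists first (the test below uses placeholders):
#   curl -sS https://www.cloudflare.com/ips-v4 -o cf-ips-v4.txt
#   curl -sS https://www.cloudflare.com/ips-v6 -o cf-ips-v6.txt
# The input policy is drop, so direct hits on the origin IP (HTTP/S and
# ICMP alike) are discarded before the web server ever sees them.
# Port 22 is left open here; restrict it to your own admin ranges.

# Turn a file of CIDRs (one per line, blank lines ignored) into the
# comma-separated element list nftables expects: "a/24, b/22".
cidr_elements() {
    grep -v '^[[:space:]]*$' "$1" | paste -sd, - | sed 's/,/, /g'
}

# Print a complete nftables ruleset for the IPv4 and IPv6 CIDR files.
# The create/delete preamble makes the file safe to re-apply: the table is
# rebuilt from scratch inside one nft transaction, so stale ranges vanish.
# Usage: gen_cf_ruleset cf-ips-v4.txt cf-ips-v6.txt > /etc/nftables.d/cf.nft
#        nft -f /etc/nftables.d/cf.nft
gen_cf_ruleset() {
    v4_list=$(cidr_elements "$1")
    v6_list=$(cidr_elements "$2")
    cat <<EOF
table inet cf_origin {}
delete table inet cf_origin
table inet cf_origin {
    set cf_v4 { type ipv4_addr; flags interval; elements = { $v4_list } }
    set cf_v6 { type ipv6_addr; flags interval; elements = { $v6_list } }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        tcp dport 22 accept
        ip saddr @cf_v4 tcp dport { 80, 443 } accept
        ip6 saddr @cf_v6 tcp dport { 80, 443 } accept
    }
}
EOF
}
```

Run the generator from cron after re-downloading the two lists; because the emitted file deletes and recreates the table in a single `nft -f` transaction, re-applying it never leaves duplicate rules or ranges Cloudflare has since retired. Note that this only helps if the attacker has no other path: on shared hosting the IP is not yours to firewall, which is the point made later in the thread.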
Today we were under attack again, and for some reason Cloudflare was not blocking the attacks. Tens of thousands of pings coming from various IP addresses. Our host shut down our site again, and said “you need to ask Cloudflare why they are not blocking these attacks.” They also said, “when we blocked one address, they came at us with another address”. Maybe we need more robust Cloudflare protection? Should we get a paid Cloudflare account? I’m completely at a loss.
Did you do anything I suggested above? What did you do and what was the result?
Do you really mean “pings”, as in ICMP? If so, Cloudflare only proxies HTTP/S traffic (unless using Cloudflare Spectrum) so ICMP traffic cannot be coming via Cloudflare and must be going direct to your origin, so that’s where you would need to filter those.
Thanks. It’s HTTP/S traffic. And it appears that the DDoS was coming in through the website IP address itself, not just the website URL, which is why Cloudflare didn’t see it. The IP address was publicly listed in the host’s DNS information. We just changed the website IP address and made it private, so in theory the attacks must now come in via URL. And this appears to be the case. As of about 6 hours ago, Cloudflare shows hundreds of requests per hour, and Cloudflare is properly throttling access to the website. This all started on Dec 11 and continues to this day, almost a month, on and off. Why would someone be doing this to a small business that makes a niche audio product? Why would someone be wasting their time (and probably budget) on this? I’m baffled.
I am afraid bots are doing their thing: scanning, vulnerability probing, crawling for no reason, and other kinds of bad behaviour that create such a mess on the public Internet without our knowledge, especially if we’re not taking into account the daily tracking and looking into our analytics and log files. It’s the cheapest way for those who have the money to invest in such actions, then wait for months to attack and do some harm.
Looks like the attackers simply went through all the web host’s IP addresses until they found our private IP and started their attack again (145,000 requests in just a few hours). The web host has shut us down, probably permanently. They said we need a dedicated host that can give us a permanent IP address that can be exclusively routed through Cloudflare (or other protection node). I’m thinking that, even with Cloudflare, they could still continue to disrupt and throttle our site. What a strange world.
You’d have to track and trace Security Events in the Cloudflare dashboard and Analytics. From there, configure your WAF rules to catch those kinds of requests so you can continue working normally even under a constant attack. Block ASNs with IP Access Rules.
The linked articles from first post are helpful.
Lately, I’ve had a case like that, rotating IPs for the same request (3 max) on a Free plan:
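Before any IP Access Rule or WAF rule can be written, the offending addresses have to be pulled out of the logs, which is also what the original question (“block any IP that hits us more than 5 times per minute”) is asking for. The following is an added example, not part of the thread: it buckets an nginx/Apache combined-format access log by client IP and minute, reports the pairs over a limit, and wraps the Cloudflare API v4 IP Access Rules endpoint for blocking them. The log lines in the test are constructed; `CF_ZONE_ID` and `CF_API_TOKEN` are assumed environment variables.

```shell
#!/bin/sh
# Added example (not from the thread): find client IPs that exceed a
# per-minute request limit in a combined-format access log, as raw material
# for Cloudflare IP Access Rules or a WAF rule.
# Caveat: once the site is proxied, the first log field ($remote_addr) is a
# Cloudflare edge address, not the client. Restore the real client first
# (nginx: "set_real_ip_from <each Cloudflare range>; real_ip_header
# CF-Connecting-IP;"), otherwise this list would "block" Cloudflare itself.

# Usage: hot_ips ACCESS_LOG LIMIT
# Prints "minute ip count" for every (minute, ip) pair with more than LIMIT
# requests, sorted. Requests are bucketed on the fixed-minute prefix of the
# timestamp field: "[10/Jan/2024:13:05:01 +0000]" -> "10/Jan/2024:13:05".
hot_ips() {
    awk -v limit="$2" '
        NF >= 4 {
            key = substr($4, 2, 17) " " $1
            n[key]++
        }
        END {
            for (k in n) if (n[k] > limit) print k, n[k]
        }' "$1" | sort
}

# Usage: deny_list ACCESS_LOG LIMIT -> unique offending IPs, one per line
deny_list() {
    hot_ips "$1" "$2" | awk '{ print $2 }' | sort -u
}

# Usage: cf_block_ip IP
# Adds a zone-level "block" IP Access Rule through the Cloudflare API v4
# endpoint; CF_ZONE_ID and CF_API_TOKEN are assumed to be set by the caller.
# Not exercised by the test (it needs network access and a real zone).
cf_block_ip() {
    curl -sS -X POST \
        "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/firewall/access_rules/rules" \
        -H "Authorization: Bearer $CF_API_TOKEN" \
        -H "Content-Type: application/json" \
        --data "{\"mode\":\"block\",\"configuration\":{\"target\":\"ip\",\"value\":\"$1\"},\"notes\":\"rate abuse\"}"
}

# Example pipeline: deny_list /var/log/nginx/access.log 300 | while read -r ip; do cf_block_ip "$ip"; done
```

Fixed-minute buckets are deliberately crude: they cannot catch a burst straddling a minute boundary, but they are enough to separate a crawler hammering one path from real visitors, and the threshold should be set from the site's own traffic rather than the number 5 from the question, which would catch any browser loading a page with a few assets. Per-IP blocking also does nothing against the rotating-address pattern described in the thread; that is where ASN-level IP Access Rules or a WAF rule on the request shape come in.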
From the sound of it, you need to switch hosts for a different reason: your current host either doesn’t care, is incapable, or is incompetent.
There are two roads to your mansion… domain and IP address. Cloudflare only protects the domain by default. Attackers can still come in through the IP, unless you protect this road as well as previously mentioned.
If you have a shared IP (i.e. shared hosting), there’s nothing you can do on your own to protect the shared IP – and it’s your hosting provider’s responsibility to protect their infrastructure.
Even with a standard VPS or dedicated server, if a massive attack is hitting the server’s IP directly, there’s only so much your little server can do to block such requests before melting down. (Aside: “145,000 requests in just a few hours” is not so much, by the way.)
The better solution is to block the requests at the more powerful and capable perimeter/cloud firewall provided by the host… if they do provide this… so that the requests don’t even reach your server at all.
Again, might be time to switch hosts. And no, you don’t need dedicated routing to Cloudflare for a measly “145,000 requests in just a few hours”.
We decided to migrate the site to Amazon AWS Lightsail + Cloudfront security. This is a dedicated virtual server, not a shared server, with our own hidden IP address. I’m told by Amazon that we should have no issues with DDoS on their server. They also said that their DDoS protection is “as good as” Cloudflare, so we probably don’t need to point our DNS to Cloudflare. Sounds too good to be true, but we shall see.