Looks like firewall rule is not working

I have rule that’s is blocking requests from China and Russia. But since today 11PM I am under a heavy request from Russia. Even though I block them.

Even the unique visitors went up 4.5k from 130 CF did not block thread them as DDos attacks.

I enable under attack mode but it did not solve the whole problem.

Please below images and let me know if there is any thing else I can do.

RequestSuddenJump

Have you locked down your origin’s firewall to only accept connections from Cloudflare?

If you have explicitly added a block rule in the firewall, there is no way for them to bypass it short of using an IP that isn’t associated with Russia.

I cannot edit the post so replying instead. below you can see my firewall rules to block China and Russia.

Do you have an example of the access logs on your site where the attack made it to your origin?

I did not lock down origin server. but from the stats it is obvius it is coming through Cloudflare is not it? otherwise it wont be in the CF stats. visitor/request count as well as cached data jump dramatically.

You are looking at a page which shows requests. On the firewall page there are stats on what is done with those requests… what does it show?

1 Like

Thanks for the reply,

I have to mentione until 11pm yesterday everything was fine no huge amount of requests etc. Rule seems to be working correctly.

As you can from the stats for 2 hours there was a huge request 4.5k uniqu visitors and 2.5m requests per hour servered by the CF and definatly hit to origin server please see the jump in data served and cached.

Also the stats for the rule is below which support above number as there are 2.6m blocked trafic from the WAF. (sorry could not find more detailed stats for that)

To me there can be 2 problem.
1- There was a temp issue with the WAF that the requests did not get blocked from Russia
2- And assume the attack was not from Russia or China (the stats says otherwise) then the CF system needs to block that huge requests jump as an attack and block from any country actually.

But I believe only Cloudflare people will able to tell what actually happened.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.