Recently, one of my domains got targeted by HTTP fuzzing. In the span of around 10 hours, a single IP made around 2.5 million requests (as recorded by Cloudflare), all of which hit my origin. The ‘Security Level’ of that domain was set to ‘Medium’. A significant portion of the requests were obviously malicious, with command-line/SQL-injection fragments randomly put in different parts of the requests. However, Cloudflare did nothing to stop the attack and I had to manually blacklist the IP under ‘Access Rules’.
Is this the expected outcome of a medium security level? What attack scenario does it defend against? I would expect 2.5m malicious requests from a single IP to trigger something.
What would have happened if I subscribed to Cloudflare WAF? Would it allow all requests that did not match any rules or would it automatically ban the IP after it triggered a certain number of rules?
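The kind of per-IP trigger the question expects, one that fires either on raw request volume or on repeated injection-like requests, as an added example that is not part of the original post and not Cloudflare's own logic; it runs over constructed log records whose field names (ClientIP, ClientRequestURI, EdgeStartTimestamp) are assumptions:

```python
import json
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample records in a Cloudflare Logpush-like shape; field names are assumptions, timestamps in seconds.
SAMPLE_LOGS = [
    '{"ClientIP":"203.0.113.7","ClientRequestURI":"/search?q=1%27%20OR%201%3D1--","EdgeStartTimestamp":1000}',
    '{"ClientIP":"203.0.113.7","ClientRequestURI":"/item?id=1%20UNION%20SELECT%20null","EdgeStartTimestamp":1001}',
    '{"ClientIP":"203.0.113.7","ClientRequestURI":"/ping?host=127.0.0.1%3Bid","EdgeStartTimestamp":1001}',
    '{"ClientIP":"203.0.113.7","ClientRequestURI":"/login","EdgeStartTimestamp":1002}',
    '{"ClientIP":"198.51.100.9","ClientRequestURI":"/about","EdgeStartTimestamp":1000}',
]

# Coarse signatures for the SQL and shell fragments the question describes; a real WAF rule set is far broader.
INJECTION_PATTERNS = [
    re.compile(r"'\s*or\s*\d+\s*=\s*\d+", re.I),    # tautology such as ' OR 1=1
    re.compile(r"\bunion\b.+\bselect\b", re.I),      # UNION-based fragment
    re.compile(r";\s*(id|whoami|cat|ls)\b", re.I),   # command separator followed by a common binary
]

def looks_malicious(uri):
    """True if the URL-decoded request URI matches any signature."""
    decoded = unquote(uri)
    return any(p.search(decoded) for p in INJECTION_PATTERNS)

def peak_rate(timestamps, window):
    """Largest number of requests inside any sliding window of `window` seconds."""
    ts, best, start = sorted(timestamps), 0, 0
    for end, t in enumerate(ts):
        while t - ts[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best

def evaluate(lines, window=1, rate_limit=100, malicious_limit=3):
    """Per client IP: total requests, peak per-window rate, signature hits, and a block verdict."""
    per_ip = defaultdict(lambda: {"requests": 0, "malicious": 0, "timestamps": []})
    for line in lines:
        rec = json.loads(line)
        e = per_ip[rec["ClientIP"]]
        e["requests"] += 1
        e["timestamps"].append(rec["EdgeStartTimestamp"])
        if looks_malicious(rec["ClientRequestURI"]):
            e["malicious"] += 1
    verdicts = {}
    for ip, e in per_ip.items():
        rate = peak_rate(e["timestamps"], window)
        block = rate > rate_limit or e["malicious"] >= malicious_limit   # either signal alone blocks
        verdicts[ip] = {"requests": e["requests"], "peak_rate": rate, "malicious": e["malicious"], "block": block}
    return verdicts
```

With the sample records, 203.0.113.7 is blocked on signature hits alone, while at a sustained rate like the one in the question the volume threshold would fire long before any signature matched.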