Medium security level did not protect my origin from obvious HTTP fuzzing


#1

Recently, one of my domains got targeted by HTTP fuzzing. In the span of around 10 hrs, a single IP made around 2.5 million requests (as recorded by Cloudflare) all of which hit my origin. The ‘Security Level’ of that domain was set to ‘Medium’. A significant portion of the requests were obviously malicious with command line/SQL injection fragments randomly put in different parts of the requests. However, Cloudflare did nothing to stop the attack and I had to manually blacklist the IP under ‘Access Rules’.

  1. Is this the expected outcome of a medium security level? What attack scenario does it defend against? I would expect 2.5m malicious requests from a single IP to trigger something.

  2. What would have happened if I subscribed to Cloudflare WAF? Would it allow all requests that did not match any rules or would it automatically ban the IP after it triggered a certain number of rules?


#2

The Cloudflare WAF blocks requests that match certain rules, but requests that don’t trigger a rule get through. The WAF does not automatically ban IPs after they trigger a certain rule. Those requests are simply dealt with in the manner you configured in the WAF (like block, challenge, etc.).

(The answers to your other questions I don’t know, sorry.)
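As an added example (not code from this thread or from Cloudflare), here is the per-source aggregation the reply above says the WAF does not do on its own: count requests per client IP in a sliding window and count WAF rule hits per client IP, then flag sources that cross either threshold as candidates for an Access Rule block. The log lines and their field names are constructed assumptions, only loosely modelled on per-request log fields.

```python
import json
from collections import defaultdict, deque

# Constructed sample log (not real Cloudflare output). Field names are assumptions.
# 198.51.100.7 / 203.0.113.9 are documentation addresses. Payload text is a placeholder.
SAMPLE_LOG = """
{"ts": 0, "ClientIP": "198.51.100.7", "ClientRequestURI": "/login?u=[sqli fragment]", "WAFAction": "block"}
{"ts": 1, "ClientIP": "198.51.100.7", "ClientRequestURI": "/search?q=[cmd fragment]", "WAFAction": "block"}
{"ts": 2, "ClientIP": "198.51.100.7", "ClientRequestURI": "/index.php", "WAFAction": "allow"}
{"ts": 3, "ClientIP": "198.51.100.7", "ClientRequestURI": "/api?x=[sqli fragment]", "WAFAction": "block"}
{"ts": 4, "ClientIP": "198.51.100.7", "ClientRequestURI": "/a", "WAFAction": "allow"}
{"ts": 5, "ClientIP": "198.51.100.7", "ClientRequestURI": "/b", "WAFAction": "allow"}
{"ts": 0, "ClientIP": "203.0.113.9", "ClientRequestURI": "/", "WAFAction": "allow"}
{"ts": 30, "ClientIP": "203.0.113.9", "ClientRequestURI": "/about", "WAFAction": "allow"}
"""


def flag_ips(log_text, window=10, rate_threshold=5, rule_hit_threshold=3):
    """Return {ip: [reasons]} for sources that cross either threshold.

    "rate":     more than rate_threshold requests inside any window-second span
    "waf_hits": at least rule_hit_threshold requests the WAF blocked or challenged
    Per the thread, neither cumulative check is applied automatically by Cloudflare,
    so it has to be done from the logs (or via a rate-limiting rule) by the operator.
    """
    events = sorted((json.loads(l) for l in log_text.strip().splitlines()),
                    key=lambda e: e["ts"])
    recent = defaultdict(deque)   # ip -> timestamps still inside the sliding window
    rule_hits = defaultdict(int)  # ip -> number of WAF rule matches seen so far
    flagged = defaultdict(list)
    for e in events:
        ip, ts = e["ClientIP"], e["ts"]
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > rate_threshold and "rate" not in flagged[ip]:
            flagged[ip].append("rate")
        if e["WAFAction"] in ("block", "challenge"):
            rule_hits[ip] += 1
            if rule_hits[ip] >= rule_hit_threshold and "waf_hits" not in flagged[ip]:
                flagged[ip].append("waf_hits")
    return {ip: reasons for ip, reasons in flagged.items() if reasons}


def block_list(log_text, **thresholds):
    """Sorted IPs to feed into a manual or API-driven Access Rule block."""
    return sorted(flag_ips(log_text, **thresholds))
```

In the sample, the fuzzing source trips the WAF-hit threshold at its third blocked request and the rate threshold at its sixth request, while the second source is never flagged.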


#3

This topic was automatically closed after 14 days. New replies are no longer allowed.