My website is under DDoS attack - Under Attack Mode not working

I migrated to Knownhost and used Cloudflare nameservers. After a week my forum is still under DDoS attack. I have gotten over 60 million requests hitting my VPS server. Cloudflare Under Attack Mode couldn’t help. I was getting hit from China and blocked China; after a few minutes I started getting DDoSed from the US. After changing hosting company, I wonder how my IP must have been gotten to be DDoSed. Emails sent or received via the domain don’t display my server IP.

Please, what’s the best way to permanently stop this DDoS attack? The attack has been going on for over 12 hours and Under Attack Mode is not working. I have banned about 5 countries: USA, China, India, Brazil and Indonesia.

Please help.

Try going through the suggestions in this Tutorial:

5 Likes

Maybe someone before you got the same IP address which was given to you (VPS), and that could be only one reason.

May I ask, have you analyzed them? Are they from Cloudflare IP ranges or not?

Furthermore, I would suggest reading and applying the two posts below:

3 Likes

If you still need help after checking out those articles, I’d suggest giving us the following information:

  1. Cloudflare Plan that you currently have.
  2. All the logs and Cloudflare analytics that you have (especially from the WAF section).

1 Like

My DNS records are all set to the orange cloud icon. And email being sent out from my server or domain doesn’t show the IP even when there is a bounce email. I am still wondering how my new server IP was gotten within 7 days for another attack.

May I ask, have you already contacted your hosting provider and pointed out this issue too?

There’s no telling how someone would get your origin IP address, and we really can’t assist with that detective work. But that wouldn’t matter if your server’s firewall blocks all non-Cloudflare traffic by only allowing connections from cloudflare.com/ips

If you think that attack traffic is proxied, but has figured out how to circumvent Under Attack Mode, you could try a Firewall Rule to CAPTCHA challenge all traffic instead.

2 Likes
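The two checks raised in the replies above (whether the hits arrive from Cloudflare IP ranges, and restricting the origin to those ranges) can be sketched as follows. This is an added example, not code from any poster or from Cloudflare; the range list is a snapshot, the log lines are constructed, and the function names are illustrative.

```python
import ipaddress
from collections import Counter

# Snapshot of Cloudflare's published IPv4 ranges (assumption: may be stale;
# refresh from cloudflare.com/ips, and add the IPv6 ranges, before relying on it).
CLOUDFLARE_V4 = """173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22
141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22
198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13
131.0.72.0/22""".split()
CF_NETS = [ipaddress.ip_network(n) for n in CLOUDFLARE_V4]

# Constructed access-log lines. The first field must be the TCP peer address,
# not a visitor IP restored from CF-Connecting-IP by the web server.
SAMPLE_LOG = [
    '172.68.10.5 - - [01/Jan/2022:10:00:00 +0000] "GET /forum/ HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2022:10:00:01 +0000] "GET /forum/ HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2022:10:00:01 +0000] "GET /forum/ HTTP/1.1" 200 512',
    '104.16.1.1 - - [01/Jan/2022:10:00:02 +0000] "GET /forum/ HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2022:10:00:02 +0000] "GET /forum/ HTTP/1.1" 200 512',
]

def is_cloudflare(ip):
    """True if ip falls inside one of the listed Cloudflare ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CF_NETS)

def classify(log_lines):
    """Count requests per peer, split into proxied and direct-to-origin."""
    via_cf, direct = Counter(), Counter()
    for line in log_lines:
        peer = line.split(" ", 1)[0]
        try:
            (via_cf if is_cloudflare(peer) else direct)[peer] += 1
        except ValueError:
            continue  # first field was not an IP address; skip the line
    return via_cf, direct

def allow_rules(port=443):
    """iptables commands: accept the port from Cloudflare only, drop the rest."""
    rules = [f"iptables -A INPUT -p tcp -s {net} --dport {port} -j ACCEPT"
             for net in CLOUDFLARE_V4]
    return rules + [f"iptables -A INPUT -p tcp --dport {port} -j DROP"]

if __name__ == "__main__":
    via_cf, direct = classify(SAMPLE_LOG)
    print("proxied:", sum(via_cf.values()), "direct:", sum(direct.values()))
    for peer, hits in direct.most_common(5):
        print("direct hit from", peer, hits)
    print("\n".join(allow_rules()))
```

A large "direct" count means the origin IP is known to the attacker and the traffic never passes through Cloudflare, so Under Attack Mode cannot act on it.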

I will have to upgrade to the Pro plan to use WAF. I am also following most steps in the article posted above. If everything goes well, I will give feedback on the steps taken.

x100 this.

Your hosting provider should be capable of allowing only Cloudflare at their edge. Blocking the connections at your server can do the trick and fool somebody into thinking that maybe it’s not the correct IP; however, rejecting connections on your server isn’t bulletproof as it’s still vulnerable against network-layer attacks (or applications depending on who is dropping the connection).

Upgrades will be rather pointless if you can’t spot how they are getting the backend IP. It would help if you either obscured it properly or isolated the IP only to allow CF connections.

As sdayman pointed out, finding out how they are obtaining your IP requires understanding your setup, the software, the implementation, and pretty much everything. I believe that your system administrator should be able to find out where the problem is quickly.

2 Likes

I have contacted my host Knownhost and this was their auto response.

Hello,

This notice is for informational purposes only and no action is required on your part. Responses to this email will not be received.

Your server IP 000.922.111.000 was just hit with a massive incoming DDoS. Your site may be unavailable for a moment or two while our DDoS protection system kicks into action to filter the attack and then you’ll be back in business!

I was glad to see such a soft response from them, because most times when servers are under DDoS attack, most web hosts would want you to leave.

Though I will upgrade to pro plan and activate WAF and see if that will help.

I wouldn’t count on WAF doing much, if anything. Those are usually for malicious requests to exploit a vulnerability. It (Pro plan) does offer Super Bot Fight Mode, but that tends to break any automated process that a site may need.

https://support.cloudflare.com/hc/en-us/articles/200172016-Understanding-the-Cloudflare-Web-Application-Firewall-WAF-

3 Likes

From your point of view, do you think the free plan will block a DDoS attack?

When it comes to automatic mitigation (assuming that super bot fight mode remains disabled due to its instability), the HTTP mitigation is similar, if not the same, between all plans.
Only the enterprise package can add an extra step of automatic mitigation, thanks to bot management.

At the same time, it might also carry better DDoS mitigation, but that’s conjecturing from my side as CF does not advertise such.

If you are interested in DDoS mitigation only, the main difference between packages (free to business) is the number of firewall rules you can deploy.
The WAF can help mitigate a small portion of known attacks that follow some patterns. However, it would be best if you didn’t rely on that as it’s likely to disappoint you.

3 Likes

The only other bonus Enterprise offers is bot scores. But like the rest of the Firewall Rules process, it takes fine tuning to get it right. I’m not aware of any “magic wand” at any plan level.

3 Likes

I thought of the “Enterprise DDoS Mitigation”; however, upon reading its description, it seems like the feature is more focused on general availability under DDoS Attacks. :thinking:

2 Likes

Thanks, I will stick with the free plan and see how it works for now. But unfortunately the free plan doesn’t offer better Web Traffic Analytics to see the path being hit by the DDoS attack.

Personally, I’d upgrade to Pro just for that Web and Cache analytics dashboard data to further diagnose where traffic is coming from, and you get higher quotas for stuff like Firewall rules, Page rules and Transform rules (https://developers.cloudflare.com/rules/transform#availability), which can come in handy for some forms of layer 7 application-level HTTP attacks, i.e. modifying the incoming HTTP request URI/query strings (https://developers.cloudflare.com/rules/transform/url-rewrite/examples) or HTTP headers (https://developers.cloudflare.com/rules/transform/request-header-modification/examples).

3 Likes

How are you verifying that? Inspecting the email source headers would be the only way, as some email clients hide that info in the UI until you inspect the actual email source headers.

I suggest using a 3rd-party SMTP transactional provider for emails, like Amazon SES; they are one of only 1 or 2 email providers I know of that actually remove the server source IP from email headers.

2 Likes

I only verified that the bounced email doesn’t contain the IP. Thanks for the information.

Send yourself an email from your forums and then view the email’s original source and search for your real server IP. Most likely it’s there, as all normal default web hosting servers’ email configs won’t be stripping the email server source IP unless Knownhost has configured them to do so.

2 Likes
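The header inspection suggested in the last few replies can be done over a saved message source rather than by eye. This is an added example, not code from any poster; the message is constructed, 203.0.113.10 stands in for the origin IP, and the function names are illustrative.

```python
import re
from email import message_from_string

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed raw source of a forum notification as the recipient sees it.
SAMPLE_EMAIL = """\
Received: from mail.example.net (mail.example.net [192.0.2.25])
\tby mx.example.org with ESMTPS id abc123; Mon, 03 Jan 2022 10:00:01 +0000
Received: from forum.example.com (vps.example.com [203.0.113.10])
\tby mail.example.net with ESMTP id def456; Mon, 03 Jan 2022 10:00:00 +0000
Message-ID: <20220103100000.1234@vps.example.com>
From: Forum <noreply@example.com>
To: admin@example.org
Subject: Test notification

Hello from the forum.
"""

def _flat_headers(raw_source):
    """Yield (name, value) with folded continuation lines joined."""
    for name, value in message_from_string(raw_source).items():
        yield name, " ".join(value.split())

def find_ip_leaks(raw_source, origin_ip):
    """Return (header name, value) pairs whose value contains origin_ip.

    Matching is done on whole addresses, so 203.0.113.1 does not match
    a header that contains 203.0.113.10.
    """
    return [(name, value) for name, value in _flat_headers(raw_source)
            if origin_ip in IPV4.findall(value)]

def all_header_ips(raw_source):
    """Every distinct IPv4 address in any header, in order of appearance."""
    seen = []
    for _, value in _flat_headers(raw_source):
        for ip in IPV4.findall(value):
            if ip not in seen:
                seen.append(ip)
    return seen

if __name__ == "__main__":
    for name, value in find_ip_leaks(SAMPLE_EMAIL, "203.0.113.10"):
        print(f"origin IP exposed in {name}: {value}")
    print("addresses seen in headers:", all_header_ips(SAMPLE_EMAIL))
```

Run it against a message the forum sent to an outside mailbox, since a bounce generated by the receiving side does not necessarily carry the same headers.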