I migrated to KnownHost and used Cloudflare nameservers; after a week my forum is still under DDoS attack. I have gotten over 60 million requests hitting my VPS server. Cloudflare Under Attack Mode couldn’t help. I was getting hit from China and blocked China as a country; after a few minutes I started getting DDoS from the US. After changing hosting company, I wonder how my IP must have been obtained to be DDoSed. Emails sent or received via my domain don’t display my server IP.
Please, what’s the best way to permanently stop this DDoS attack? The attack has been going on for over 12 hours and Under Attack Mode is not working. I have banned about 5 countries: USA, China, India, Brazil and Indonesia.
My DNS records are all set to the orange cloud icon. And email being sent out from my server or domain doesn’t show the IP even when there is a bounce email. I am still wondering how my new server IP was obtained within 7 days for another attack.
There’s no telling how someone would get your origin IP address, and we really can’t assist with that detective work. But that wouldn’t matter if your server’s firewall blocks all non-Cloudflare traffic by only allowing connections from cloudflare.com/ips
If you think that attack traffic is proxied, but has figured out how to circumvent Under Attack Mode, you could try a Firewall Rule to CAPTCHA challenge all traffic instead.
I will have to upgrade to the Pro plan to use the WAF. I am also following most of the steps in the article posted above. If everything goes well I will give feedback on the steps taken.
Your hosting provider should be capable of allowing only Cloudflare at their edge. Blocking the connections at your server can do the trick and fool somebody into thinking that maybe it’s not the correct IP; however, rejecting connections on your server isn’t bulletproof as it’s still vulnerable against network-layer attacks (or applications depending on who is dropping the connection).
Upgrades will be rather pointless if you can’t spot how they are getting the backend IP. It would help if you either obscured it properly or isolated the IP only to allow CF connections.
As sdayman pointed out, finding out how they are obtaining your IP requires understanding your setup, the software, the implementation, and pretty much everything. I believe that your system administrator should be able to find out where the problem is quickly.
I have contacted my host KnownHost and this was their auto response.
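The allowlist suggested in the replies above (accept web connections only from the ranges listed at cloudflare.com/ips), as an added example that is not from any poster in this thread: it validates a CIDR list and renders an nftables ruleset for the origin server. The table name `cf_origin`, the set names, the sanity bounds and the sample prefixes are assumptions made for the example.

```python
import ipaddress

# Constructed sample in the one-CIDR-per-line format of the lists linked
# from cloudflare.com/ips. These are documentation prefixes, NOT
# Cloudflare's ranges; feed the current published lists in real use.
SAMPLE_LIST = "198.51.100.0/24\n203.0.113.0/24\n2001:db8::/32\n0.0.0.0/0\nnot-a-cidr\n"

def parse_ranges(text, min_v4=8, min_v6=16):
    """Split a CIDR list into (v4, v6, rejected).

    Unparseable lines and prefixes broader than min_v4/min_v6 (sanity
    bounds assumed for this example) are rejected, so a corrupted list
    cannot open the origin to the whole Internet."""
    v4, v6, rejected = [], [], []
    for item in text.split():
        try:
            net = ipaddress.ip_network(item)
        except ValueError:
            rejected.append(item)
            continue
        if net.prefixlen < (min_v4 if net.version == 4 else min_v6):
            rejected.append(item)
        else:
            (v4 if net.version == 4 else v6).append(net)
    return v4, v6, rejected

def nft_set(name, addr_type, nets):
    """Render one named nftables interval set."""
    elements = ", ".join(str(n) for n in nets)
    return [f"\tset {name} {{", f"\t\ttype {addr_type}", "\t\tflags interval",
            f"\t\telements = {{ {elements} }}", "\t}"]

def nft_ruleset(v4, v6, ports=(80, 443)):
    """Render a table that drops web traffic from outside the given ranges.
    Other ports are left to the host's existing rules (policy accept)."""
    if not v4:
        raise ValueError("no IPv4 ranges: refusing to emit a drop-all ruleset")
    dport = "tcp dport { " + ", ".join(str(p) for p in ports) + " }"
    out = ["table inet cf_origin {"] + nft_set("cf4", "ipv4_addr", v4)
    if v6:
        out += nft_set("cf6", "ipv6_addr", v6)
    out += ["\tchain input {",
            "\t\ttype filter hook input priority 0; policy accept;",
            f"\t\t{dport} ip saddr @cf4 accept"]
    if v6:
        out.append(f"\t\t{dport} ip6 saddr @cf6 accept")
    return "\n".join(out + [f"\t\t{dport} drop", "\t}", "}"])

if __name__ == "__main__":
    v4, v6, bad = parse_ranges(SAMPLE_LIST)
    print(nft_ruleset(v4, v6))
```

Review the rejected entries before loading the generated file with `nft -f`; a non-empty rejected list means the input was not a clean range list.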
Hello,
This notice is for informational purposes only and no action is required on your part. Responses to this email will not be received.
Your server IP 000.922.111.000 was just hit with a massive incoming DDoS. Your site may be unavailable for a moment or two while our DDoS protection system kicks into action to filter the attack and then you’ll be back in business!
I was glad to see such a soft response from them, because most times when servers are being DDoS attacked most web hosts would want you to leave.
Though I will upgrade to the Pro plan and activate the WAF and see if that will help.
I wouldn’t count on WAF doing much, if anything. Those are usually for malicious requests to exploit a vulnerability. It (Pro plan) does offer Super Bot Fight Mode, but that tends to break any automated process that a site may need.
When it comes to automatic mitigation (assuming that super bot fight mode remains disabled due to its instability), the HTTP mitigation is similar, if not the same, between all plans.
Only the enterprise package can add an extra step of automatic mitigation, thanks to bot management.
At the same time, it might also carry better DDoS mitigation, but that’s conjecturing from my side as CF does not advertise such.
If you are interested in DDoS mitigation only, the main difference between packages (free to business) is the number of firewall rules you can deploy.
The WAF can help mitigate a small portion of known attacks that follow some patterns. However, it would be best if you didn’t rely on that as it’s likely to disappoint you.
The only other bonus Enterprise offers are bot scores. But like the rest of the Firewall Rules process, it takes fine tuning to get it right. I’m not aware of any “magic wand” at any plan level.
I thought of the “Enterprise DDoS Mitigation”; however, upon reading its description, it seems like the feature is more focused on general availability under DDoS Attacks.
Thanks, I will stick with the free plan and see how it works for now. But unfortunately the free plan doesn’t offer better Web Traffic Analytics to see the path being hit by the DDoS attack.
How are you verifying that? Inspecting the email source headers would be the only way, as some email clients hide that info in the UI until you inspect the actual email source headers.
I suggest using a 3rd-party SMTP transactional provider for emails, like Amazon SES. They are only 1 or 2 email providers I know that actually remove the server source IP from email headers.
Send yourself an email from your forums and then view the email origin source to do a search for your real server IP. Most likely it’s there, as all normal default web hosting servers’ email configs won’t be stripping the email server source IP unless KnownHost has configured them to do so.
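The header check described in the post above, as an added example that is not part of the original thread: it parses the raw source of a message and lists every header that contains the origin server's address. The sample message is constructed, and 203.0.113.10 is a documentation address standing in for the real origin IP.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: raw source of a forum notification e-mail.
# 203.0.113.10 stands in for the origin server IP (documentation range).
SAMPLE_EMAIL = """\
Received: from mx.example.net (mx.example.net [198.51.100.25])
\tby inbox.example.org with ESMTPS; Mon, 01 Jan 2024 12:00:05 +0000
Received: from forum.example.com (forum.example.com [203.0.113.10])
\tby mx.example.net with ESMTP; Mon, 01 Jan 2024 12:00:00 +0000
X-Originating-IP: [203.0.113.10]
From: Forum <noreply@example.com>
To: admin@example.org
Subject: Test message

Hello
"""

def addresses_in(text):
    """Return every IPv4/IPv6 literal found in a header value."""
    text = re.sub(r"(?i)ipv6:", " ", text)  # Received uses [IPv6:2001:db8::1]
    found = set()
    for token in re.findall(r"[0-9A-Fa-f:.]{3,}", text):
        try:
            found.add(ipaddress.ip_address(token.strip(".")))
        except ValueError:
            pass  # timestamps, hostname fragments and similar tokens
    return found

def find_origin_leaks(raw_email, origin_ip):
    """List (header name, header value) pairs that expose origin_ip."""
    origin = ipaddress.ip_address(origin_ip)
    msg = message_from_string(raw_email)
    leaks = []
    for name, value in msg.items():
        value = " ".join(str(value).split())  # unfold continuation lines
        if origin in addresses_in(value):
            leaks.append((name, value))
    return leaks

if __name__ == "__main__":
    for name, value in find_origin_leaks(SAMPLE_EMAIL, "203.0.113.10"):
        print(f"{name}: {value}")
```

Run it against the saved source of a message the forum actually sent (registration, password reset, notification); any hit means the mail path discloses the origin address.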