Need guidance to protect DDOS using Cloudflare

Hello,

I am sorry if this post should go under “Uncategorized” or not… as I am unsure. Please move it to the applicable forum if so…

Scenario: We have a website that was targeted by an attacker using a SYN flood on ports 80 and 443. The attacker targeted our server and the server load spiked. The attacking IPs were random and from different countries and networks.

We implemented Cloudflare and enabled “Under Attack Mode”. Still, he was able to target our website, and we were noticing the traffic coming in to our server through Cloudflare IPs and overloading the server.

Finally we managed to find that the attacker was hitting us while targeting the packet length value. We restricted the packet length in the firewall and the attack seems to have been mitigated.

So my question is: why was Cloudflare not able to mitigate the attack from so many IPs? How was he managing to bypass Cloudflare?

Is there any CF setting that I can do to prevent such attacks in future?

I’m surprised it reaches your server at all. Those connections should never get past Cloudflare.

You’ve configured your firewall to restrict connections to only cloudflare.com/ips?

https://www.cloudflare.com/learning/ddos/syn-flood-ddos-attack/

Personally, I do not think they go past Cloudflare. Anything that is not HTTP/S won’t be treated as a valid connection and therefore will be absorbed by the infrastructure; there must be some sort of confusion here.


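The origin lockdown asked about in the replies (accept web traffic only from the ranges listed at cloudflare.com/ips), as an added example that is not part of the original thread. It renders an nftables ruleset from a range list and flags logged source IPs that reached the origin directly. The table and set names are hypothetical, and the sample ranges are constructed documentation placeholders, not Cloudflare's real ranges.

```python
import ipaddress

# Constructed placeholder input (documentation ranges). In use, paste the
# current lists published at cloudflare.com/ips here instead.
SAMPLE_RANGES = """
192.0.2.0/24
198.51.100.0/24
2001:db8::/32
"""

def parse_ranges(text):
    """One CIDR per line; raises ValueError on malformed entries."""
    lines = (l.strip() for l in text.splitlines())
    return [ipaddress.ip_network(l, strict=True) for l in lines
            if l and not l.startswith("#")]

def nft_ruleset(nets, ports=(80, 443)):
    """Render an nftables table (hypothetical name 'origin_lockdown') that
    accepts web traffic only from the given ranges and drops the rest."""
    dports = ", ".join(str(p) for p in ports)
    out = ["table inet origin_lockdown {"]
    rules = []
    for ver, name, typ, fam in ((4, "cf4", "ipv4_addr", "ip"),
                                (6, "cf6", "ipv6_addr", "ip6")):
        elems = ", ".join(str(n) for n in nets if n.version == ver)
        if not elems:          # skip an address family with no ranges
            continue
        out.append(f"  set {name} {{ type {typ}; flags interval; "
                   f"elements = {{ {elems} }} }}")
        rules.append(f"    tcp dport {{ {dports} }} {fam} saddr @{name} accept")
    out.append("  chain input {")
    out.append("    type filter hook input priority 0; policy accept;")
    out += rules
    out.append(f"    tcp dport {{ {dports} }} drop")
    out += ["  }", "}"]
    return "\n".join(out)

def direct_sources(source_ips, nets):
    """Source IPs outside the proxy ranges: traffic from these reached the
    origin without passing through the proxy."""
    def inside(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr.version == n.version and addr in n for n in nets)
    return [ip for ip in source_ips if not inside(ip)]

if __name__ == "__main__":
    print(nft_ruleset(parse_ranges(SAMPLE_RANGES)))
```

The printed ruleset can be saved to a file and loaded with `nft -f`; only the listed web ports are affected, so other services keep their existing rules.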