We have been experiencing a DDOS attack on our server for nearly 24 hours since this morning. We initially attempted to counteract it through our hosting provider, but eventually decided to use Cloudflare’s “Under Attack” mode. Unfortunately, this hasn’t worked as expected, as a significant number of requests still bypass the security mechanisms. We have activated all potential country blocks and CAPTCHAs for nearly every visitor. However, this hasn’t resolved the issue since the attack appears to involve bots with dynamic, constantly changing IP addresses. We’ve configured every setting that we, as non-experts, could manage. For a few hours, the attackers stopped, and the website became accessible again. However, during that time, some images on the site were also blocked.

Here are our questions:

1. How can we defend against these bot attacks so that they don’t reach the server at all? We have already tried implementing all possible settings. Support advised us to block individual IP addresses, but with 100,000 rotating IPs, some of which make millions of requests, this seems nearly impossible. We were advised to upgrade to the Enterprise plan, as it offers better bot mitigation, but it’s far too expensive for us. Does anyone have a solution or can someone with real expertise assist us?

2. If we manage to mitigate the attack, how can we configure our system to ensure that legitimate files from our website are not blocked in the process?
Furthermore, may I ask if you’ve allowed only Cloudflare IP addresses to connect to your origin host?
Any firewall running from your service provider?
Nevertheless, if it’s only a web server, you can install a cloudflared tunnel and lock down all the ports so they are not exposed to the internet, while the website would still continue to work (you can leave only a custom SSH port with a rate limit configured via iptables or ufw → or see the SSH options on the link here: SSH · Cloudflare Zero Trust docs).
Having a real-time antivirus/malware scanner running, and knowing what you host and who has access, you could allow your origin host IP address if needed by adding it directly to the IP Access Rules (see the article below), in case the requests are somehow coming via a cronjob (again?) on the server itself to execute something.
Thank you fritex for your answer. We tried it all, but still we can’t solve it. Cloudflare is not even reachable and not really willing to help us, only if we pay for an Enterprise subscription.
You need to do this or requests can go direct to your origin, bypassing Cloudflare, and probably still are as the attack started before you added Cloudflare.
That also shows your origin SSL certificate is invalid; make sure it is valid so you can use Cloudflare’s “Full (strict)” SSL mode and your site is secure.
With a redirect, I can’t see if UAM is enabled at the moment.
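The step both fritex and the reply above point at, letting only Cloudflare's published IP ranges reach the origin's web ports so that direct-to-origin traffic never hits the web server, as an added example that is not from this thread: a POSIX shell script that turns a CIDR list into a dedicated iptables allowlist chain. It assumes iptables on the origin host, and the ranges it uses are constructed placeholders standing in for the real list at https://www.cloudflare.com/ips-v4 (the same would be repeated with ips-v6 and ip6tables).

```shell
#!/bin/sh
# Added example, not the thread's own instructions. Generates iptables rules
# that accept HTTP/HTTPS only from Cloudflare's published IPv4 ranges and drop
# everything else, so requests that bypass Cloudflare never reach the origin.
# In production fetch the real list first:
#   curl -s https://www.cloudflare.com/ips-v4 > cf_ips.txt
# The ranges written by make_sample_list are constructed placeholders (RFC 5737
# documentation networks) so the script runs offline; they are NOT Cloudflare's.

# Write a constructed sample CIDR list to the given path.
make_sample_list() {
  cat > "$1" <<'EOF'
# lines starting with # are ignored
198.51.100.0/24
203.0.113.0/25
192.0.2.0/24
EOF
}

# Print the iptables commands for the CIDR file given as $1. Rules live in
# their own chain (CF_ORIGIN) so the list can be flushed and rebuilt when
# Cloudflare's published ranges change, without touching the rest of INPUT.
gen_origin_rules() {
  list="$1"
  echo "iptables -N CF_ORIGIN 2>/dev/null || iptables -F CF_ORIGIN"
  # drop comments and blank lines; accept only entries shaped like IPv4 CIDRs
  grep -Ev '^[[:space:]]*(#|$)' "$list" | while read -r cidr; do
    case "$cidr" in
      [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*)
        echo "iptables -A CF_ORIGIN -s $cidr -p tcp -m multiport --dports 80,443 -j ACCEPT" ;;
      *)
        echo "skipped malformed entry: $cidr" >&2 ;;
    esac
  done
  # anything on 80/443 not matched above is dropped
  echo "iptables -A CF_ORIGIN -p tcp -m multiport --dports 80,443 -j DROP"
  # hook the chain into INPUT once (-C checks whether the jump already exists)
  echo "iptables -C INPUT -p tcp -m multiport --dports 80,443 -j CF_ORIGIN 2>/dev/null || iptables -I INPUT -p tcp -m multiport --dports 80,443 -j CF_ORIGIN"
}

# Sanity check before applying: number of ACCEPT rules should equal the
# number of valid ranges in the list.
count_accepts() {
  gen_origin_rules "$1" | grep -c -- '-j ACCEPT'
}

list_file="${TMPDIR:-/tmp}/cf_ips_sample.txt"
make_sample_list "$list_file"
gen_origin_rules "$list_file"   # review the output, then pipe it to sh as root to apply
```

The script only prints the rules; applying them is a deliberate second step, and the SSH port is not touched, so the rate-limited SSH access fritex mentions stays as it is.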