Need Help with DDOS Attack: Bot Protection and Server Security Solutions

What is the name of the domain?

example.com

What is the issue you’re encountering

We have been experiencing a DDOS attack on our server for nearly 24 hours since this morning. We initially attempted to counteract it through our hosting provider, but eventually decided to use Cloudflare’s “Under Attack” mode. Unfortunately, this hasn’t worked as expected, as a significant number of requests still bypass the security mechanisms. We have activated all potential country blocks and CAPTCHAs for nearly every visitor. However, this hasn’t resolved the issue since the attack appears to involve bots with dynamic, constantly changing IP addresses. We’ve configured every setting that we, as non-experts, could manage. For a few hours, the attackers stopped, and the website became accessible again. However, during that time, some images on the site were also blocked. Here are our questions:

1. How can we defend against these bot attacks so that they don’t reach the server at all? We have already tried implementing all possible settings. Support advised us to block individual IP addresses, but with 100,000 rotating IPs, some of which make millions of requests, this seems nearly impossible. We were advised to upgrade to the Enterprise plan, as it offers better bot mitigation, but it’s far too expensive for us. Does anyone have a solution or can someone with real expertise assist us?
2. If we manage to mitigate the attack, how can we configure our system to ensure that legitimate files from our website are not blocked in the process?

What is the current SSL/TLS setting?

Full

Sharing an article with updates:

Furthermore, may I ask if you’ve allowed only Cloudflare IP addresses to connect to your origin host? :thinking:
Any firewall running from your service provider?

Nevertheless, if it’s only a web server, you can install a cloudflared tunnel and lock all the ports so they are not exposed to the internet, while the website would still continue to work (you can leave only a custom SSH port with a rate limit configured via iptables or ufw, or see the SSH options on the link here: SSH · Cloudflare Zero Trust docs).

Having a real-time antivirus/malware scanner running, and knowing what you host and who has access, you could allow your origin host IP address if needed by adding it directly to the IP Access Rules (see article below), in case the requests are somehow coming via a cronjob (again?) to the server itself to execute something.

Hope above helps at least a bit.

Thank you fritex for your answer. We tried it all, but we still can’t solve it. Cloudflare is not even reachable and not really willing to help us, unless we pay for an Enterprise subscription.

What is the domain?

Your origin is allowing connections from IP addresses other than Cloudflare…

curl -svo /dev/null https://lizenzguru.de --connect-to ::136.xxx.xxx.xxx
* Connecting to hostname: 136.243.233.117
*   Trying 136.243.233.117:443...
* Connected to 136.243.233.117 (136.243.233.117) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
} [318 bytes data]
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* (304) (IN), TLS handshake, Unknown (8):
{ [25 bytes data]
* (304) (IN), TLS handshake, Certificate (11):
{ [2839 bytes data]
* (304) (IN), TLS handshake, CERT verify (15):
{ [520 bytes data]
* (304) (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* (304) (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384 / [blank] / UNDEF
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: CN=k87c86.meinserver.io
*  start date: Dec 12 20:06:44 2024 GMT
*  expire date: Mar 12 20:06:43 2025 GMT
*  subjectAltName does not match host name lizenzguru.de
* SSL: no alternative certificate subject name matches target host name 'lizenzguru.de'
* Closing connection

As @fritex said…

You need to do this or requests can go direct to your origin, bypassing Cloudflare, and probably still are as the attack started before you added Cloudflare.

That also shows your origin SSL certificate is invalid; make sure it is valid so you can use Cloudflare’s “Full (strict)” SSL mode so your site is secure.

With a redirect, I can’t see if UAM is enabled at the moment.

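The curl check above shows a single direct connection; an added example (not from this thread) that does the same audit over the origin’s own access log, counting requests that did not arrive from a Cloudflare edge address, and emits the ufw rules that restrict ports 80/443 to Cloudflare. The range list is a snapshot to be refreshed from https://www.cloudflare.com/ips-v4 before use, and the log lines are constructed.

```python
"""Find requests that reached the origin directly, bypassing Cloudflare."""
import ipaddress
import re

# Snapshot of Cloudflare's published IPv4 edge ranges (assumption: refresh
# from https://www.cloudflare.com/ips-v4 before generating real rules).
CLOUDFLARE_IPV4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
CF_NETS = [ipaddress.ip_network(n) for n in CLOUDFLARE_IPV4]

# Constructed sample of origin access-log lines (combined log format).
SAMPLE_LOG = """\
172.70.35.12 - - [12/Dec/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.45 - - [12/Dec/2024:10:01:03 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.7 - - [12/Dec/2024:10:01:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2048
141.101.77.9 - - [12/Dec/2024:10:01:04 +0000] "GET /img/logo.png HTTP/1.1" 200 800
203.0.113.45 - - [12/Dec/2024:10:01:05 +0000] "GET / HTTP/1.1" 200 5120
"""

# Source IP is the first field of a combined-format line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3}')


def is_cloudflare(ip: str) -> bool:
    """True if the address falls inside one of the Cloudflare edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CF_NETS)


def direct_hits(log_text: str) -> dict:
    """Count requests per source IP that did not come through Cloudflare."""
    counts = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and not is_cloudflare(m.group(1)):
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def ufw_rules() -> list:
    """ufw commands: allow 80/443 from each Cloudflare range, then deny the rest."""
    rules = [f"ufw allow proto tcp from {n} to any port 80,443" for n in CLOUDFLARE_IPV4]
    return rules + ["ufw deny proto tcp from any to any port 80,443"]


if __name__ == "__main__":
    for ip, n in sorted(direct_hits(SAMPLE_LOG).items()):
        print(f"{ip}: {n} direct request(s) bypassed Cloudflare")
    print("\n".join(ufw_rules()))
```

Any non-zero count from a real log means the origin address is known to the attacker and the firewall lockdown (or a cloudflared tunnel) is still needed; once locked down, the real client address is in the CF-Connecting-IP header rather than the log’s first field.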
