Query Flooding Attack - Help Please

We are getting hit with a rolling attack throughout the day coming from multiple IP addresses that are dynamic and changing all the time. So it is not really possible to filter the attack by IP.

And the scripts don’t start causing havoc until they actually get on the site. It isn’t a typical DDoS attack where the site is getting flooded by a large amount of IP addresses all at once. So the JS Challenge doesn’t really stop them from causing havoc because they aren’t entering the site and leaving right away. The attack strategy is that once they get onto the site they then stay and start to flood it with repeated queries in order to cripple the responsiveness of the site and eventually causes the site to freeze temporarily.

The two main destructive queries they are sending are:

/favicon.ico
/search.php

One query loads up the site’s favicon over and over and the other query brings up the search command and then the script sends a short gibberish search and then it does a rinse and repeat.

The favicon query isn’t that destructive to site resources it seems and they don’t focus on this query so much. But the search query is the more prominent and prolific part of their attack and is destructive because it constantly consumes site resources by first bringing up the search function and then by sending a second query to run the gibberish search query.

What I am wondering is if we can create some sort of filter rule or firewall rule that states if any IP sends the same query more than 2 or 3 times within a certain specified period of time that the IP then automatically gets blocked for a certain specified period of time.

Is something like that possible at all to set up?

Many thanks for any guidance you might kindly offer.
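As an added example (not code from this thread, from Cloudflare, or from any poster), here is the rule the question describes written out in Python: a per-IP counter that blocks an address once the same path is requested more than a set number of times inside a time window, run over constructed log lines. The threshold, window, block duration, IP addresses and log format are all assumptions; Cloudflare's own Rate Limiting product is the managed equivalent.

```python
"""Constructed example: per-IP repeated-request limiter (not from the thread)."""
from collections import defaultdict, deque

LIMIT = 3          # more than this many hits on the same path ...
WINDOW = 10.0      # ... within this many seconds ...
BLOCK_FOR = 60.0   # ... blocks the IP for this many seconds (assumed values)


class RateLimiter:
    def __init__(self, limit=LIMIT, window=WINDOW, block_for=BLOCK_FOR):
        self.limit, self.window, self.block_for = limit, window, block_for
        self.hits = defaultdict(deque)   # (ip, path) -> timestamps in window
        self.blocked_until = {}          # ip -> epoch seconds

    def check(self, ip: str, path: str, now: float) -> str:
        """Return 'allow' or 'block' for one request seen at time `now`."""
        if self.blocked_until.get(ip, 0.0) > now:
            return "block"
        # Key on the path only, so "/search.php?q=<gibberish>" variants
        # all count as repeats of the same query.
        q = self.hits[(ip, path.split("?", 1)[0])]
        q.append(now)
        while q and now - q[0] > self.window:   # drop hits outside the window
            q.popleft()
        if len(q) > self.limit:
            self.blocked_until[ip] = now + self.block_for
            q.clear()
            return "block"
        return "allow"


# Constructed log lines (RFC 5737 test addresses): "<epoch> <ip> <request>"
LOG = """\
0.0 203.0.113.5 /search.php?q=xkq
1.0 203.0.113.5 /search.php?q=zzr
2.0 203.0.113.5 /search.php?q=pql
3.0 203.0.113.5 /search.php?q=mmw
4.0 203.0.113.5 /favicon.ico
5.0 198.51.100.7 /search.php?q=laptop
70.0 203.0.113.5 /search.php?q=abc
"""


def run(log: str = LOG) -> list:
    """Feed each log line through the limiter; return (ip, request, decision)."""
    rl, out = RateLimiter(), []
    for line in log.splitlines():
        ts, ip, path = line.split(maxsplit=2)
        out.append((ip, path, rl.check(ip, path, float(ts))))
    return out
```

The fourth request from 203.0.113.5 trips the limit, the favicon request that follows is refused because the whole IP is now blocked, and the legitimate search from the other address is unaffected.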

  1. Try lowering the Challenge Passage Time to 5 minutes in Firewall → Settings
  2. Add a Firewall Rule to CAPTCHA anything that contains search or favicon

The favicon shouldn’t even be an issue due to caching, that’s odd.

What I am wondering is if we can create some sort of filter rule or firewall rule that states if any IP sends the same query more than 2 or 3 times within a certain specified period of time that the IP then automatically gets blocked for a certain specified period of time.

Yes, this is called rate limiting. Rate Limiting | Advanced Network Rate Limiting | Cloudflare UK

It isn’t a typical DDoS attack where the site is getting flooded by a large amount of IP addresses all at once. So the JS Challenge doesn’t really stop them from causing havoc because they aren’t entering the site and leaving right away.

JS Challenge doesn’t allow any connection to reach your server if the challenge isn’t solved; if they are generating a burst of requests and not solving the challenge, then JS Challenge will effectively block that attack.
Make sure the attackers aren’t attacking your backend directly.


Thank you so so much for your replying so quickly.

  1. I just lowered it to 5 minutes as you suggested. It had been set to 30 minutes. That was the default setting I assume. I hope this will help. Thank you.
  2. I already have a Firewall Rule running as a JS Challenge which is set up as URL Full > Equals > https://mysite.com/search.php

I am not sure if the Firewall Rule I have set is helping though or if it is set correctly. So I have 3 questions please:

  1. Did I actually set the rule up correctly or do the rule parameters need to be something different?
  2. I was actually hesitant to set it to CAPTCHA thinking it would cause too much of a nuisance for false positives so that is why I went with JS Challenge. Does it need to be a CAPTCHA instead of a JS Challenge in order to be really effective though?
  3. I was going to set a rule as https://mysite.com/favicon.ico for the favicon too, but I was worried it might prevent the site favicon from loading normally when someone goes onto the site. Or will this rule not cause any problem with the normal favicon loading?

Thank you again.

I’m not so sure Equals will match a query string, which is why I suggested a “Contains” with just “search” and “favicon”

As favicon isn’t scrutinized, I’d go with a CAPTCHA just to stop the attack. But as @jnperamo said, it should be cached, though I’m not sure what their actual query looks like. If they’re adding random query strings to favicon, the cache might not catch it if it’s set to Standard caching.


For the favicon, you might just drop it from the Firewall Rule and add a Page Rule instead to match favicon* and set Caching to Ignore Query String.


Thank you so much again. I changed the Firewall Rule to URL Query String > Contains > search. Is that now correct?

Also, can I stick with JS Challenge instead of CAPTCHA for this Firewall Rule on searches? I hope this can work because I am just really hesitant to force every site visitor to have to do a CAPTCHA for every search since we get a lot of legitimate searches.

For the favicon I did as you instructed. I set a Page Rule set to www.mysite.com/favicon* and I set Caching to Ignore Query String. I am not sure I fully understand what this does, but I am just happy if it works and doesn’t affect normal loading of the favicon.

No. Just URI Full should catch it.

If everything else (including Rate Limiting) slows the attack enough, JS Challenge should be ok.


Thank you again.

OK, now I have URL Full > Contains > search, good?

Great, I will stick with JS Challenge for now and see how it goes. Hopefully with rate limiting it slows the attack enough as you said. If it doesn’t then I can always try changing it to CAPTCHA later.

By the way, when I went into Page Rules I noticed I already had a page rule as follows, but it is disabled:

www.mysite.com/*
Cache Level > Bypass

Should I enable that too?

Leave it disabled.


Well noted, thank you.

Just want to make sure the Page Rule I set for favicon isn’t going to prevent normal loading of the favicon on the site?

That Page Rule won’t interfere with favicon.


Great, thank you. So I will let it run for 24 hours and monitor it and see how it goes. If I still have issues I will update this thread again. Thank you kindly.


You were right, I needed a Firewall CAPTCHA rule for anything that contains search or favicon. The JS Challenge won’t work because the script can eventually get past the JS Challenge. Plus I believe a script would only be hit with a JS Challenge on the first query anyway. But the script shouldn’t ever be able to get past the CAPTCHA. So that does seem to be the best solution as you suggested.

What I did though was also add in a condition to the rule that the queries for search and favicon must be accompanied by certain user agents that have been identified in the attack. This way it will hopefully reduce the number of false positives that trigger the CAPTCHA.

Thanks again.

