I’ve been experiencing a DDoS attack today. I’ve configured the Cloudflare rate limiter and also activated the WAF. Cloudflare blocked several hundred thousand requests. Unfortunately, my server is still experiencing a pretty high flood of requests. I don’t know why they passed Cloudflare, even though I’ve set up the rate limiter.
In the end I was forced to disable the Cloudflare proxy and let AWS Web ACL handle it. Did I miss something here? Please help. I really want to use Cloudflare, since AWS Web ACL pricing just doesn’t suit my current finances well (small startup).
I use several rules on the AWS ACL. Most of the requests were blocked by AWSManagedRulesAnonymousIpList (60%) and the rate limiter (40%). As far as I know, an AWS ACL (which is part of AWS WAF) works by filtering all requests before they enter the resource we choose (in my case the load balancer).
Oh, I see; I wasn’t aware they had managed rules on the ACL layer.
I suggest checking the URLs you were given and building the proper CF Firewall rules. I advise using the PRO package for your case to help you follow the second guide in particular.
Given that those two rules worked out for you with AWS, it’s more than likely the attack is following some sort of pattern that you can match using the firewall rules.
FYI I’m on the PRO plan right now. Today is my first experience with CF. TBH I did not set up CF firewall rules at all today, only enabled the WAF and the rate limiter.
I do know the pattern, but I’m not sure if it is the whole picture, since the stats are only showing 25%. Any suggestion on how to properly set the CF rule? Blocking requests that match the pattern seems not right, because the targeted URL is just the root domain (commonly accessed). Will the captcha challenge help here?
TBH I’m concerned whether the CF blocker really works with this kind of attack… I see from the stats that the origin IPs of these attacks are so diverse… from 74 countries. So I think that when the rate limiter blocks an IP, they just change it to a different IP. With a margin of a maximum of 20 req/10 s, if they use 100 IPs, in 10 s they can generate 2000 req, etc. But… I wonder how the AWS rate limiter can work with the same concept…
…and I will ask about one idea of mine… since the country of origin of the attack is always outside my country (ID)… how about setting up a firewall rule to block all requests other than from ID whenever the attack starts? The attack is always once a day for about 5 hours. Today is the 4th day… it is really getting hard.
WAF is mainly useful to block blatantly wrong requests and prevent malicious scans or attempts to break into your system; it’s not useful against DDoS attacks at all.
The second guide should help with this. If you follow it and build firewall rules, feel free to post them and we will let you know our opinion on them.
The captcha challenge stops most malicious requests; it should help.
Cloudflare will block any attack if it’s properly used. There is automated mitigation, but you run the risk of it kicking in or not. In general terms, it’s best to build rules as attacks come in.
Note that this is not a limitation of CF itself; the nature of HTTP attacks makes it impossible to know for certain which requests are legitimate or not.
That’s the main reason why rate limiting isn’t as effective at mitigating DDoS attacks: if the attacker spends enough resources, they will get access to more IPs and throttle down the rate at which they fire requests. Matching their pattern is far more efficient.
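The arithmetic in the fourth-day post above (20 req/10 s per IP, 100 rotating IPs) and the reply’s point that matching the attack’s pattern beats rate limiting can be checked with a small simulation. The following is an added example, not code from the thread, from Cloudflare or from AWS: it models a plain sliding-window per-IP limiter (how the real products count internally is not stated in the thread), constructs the flood traffic inline, and implements the poster’s geo-plus-path idea as a rule. The Cloudflare expression quoted in the comment is an assumed rendering of that rule, and its field names should be checked against current Cloudflare documentation before use.

```python
"""Why per-IP rate limiting leaks under IP rotation, and why a pattern rule does not.

Constructed simulation (not Cloudflare's or AWS WAF's code). The limiter is a
plain sliding window, 20 requests per 10 s per source IP, as in the thread.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Dict, Optional

WINDOW_S = 10.0  # rate-limit window, seconds
LIMIT = 20       # requests allowed per IP per window


@dataclass(frozen=True)
class Request:
    t: float       # seconds since start of the capture
    ip: str        # source address as seen by the edge
    country: str   # ISO country code of the source (what a geo rule would test)
    path: str      # request path


class RateLimiter:
    """Sliding-window counter per source IP: the 21st hit inside 10 s is dropped."""

    def __init__(self, limit: int = LIMIT, window: float = WINDOW_S) -> None:
        self.limit = limit
        self.window = window
        self._hits: Dict[str, deque] = defaultdict(deque)

    def allow(self, req: Request) -> bool:
        q = self._hits[req.ip]
        while q and req.t - q[0] >= self.window:   # expire timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(req.t)
        return True


def geo_path_rule(req: Request, home: str = "ID") -> bool:
    """Pattern rule modelled on the poster's idea: requests for / from outside the
    home country are rejected (challenge or block), regardless of source IP.

    A Cloudflare firewall expression for the same match would look roughly like
        not ip.geoip.country in {"ID"} and http.request.uri.path eq "/"
    (assumed rendering; verify field names against current Cloudflare docs).
    Returns True when the request may pass.
    """
    return not (req.country != home and req.path == "/")


def flood(n_ips: int, total: int, duration: float = WINDOW_S,
          country: str = "US") -> list:
    """Constructed attack traffic: `total` GETs for / spread evenly over
    `duration` seconds and round-robined across `n_ips` documentation-range IPs."""
    step = duration / total
    return [Request(t=i * step, ip=f"198.51.100.{i % n_ips}",
                    country=country, path="/") for i in range(total)]


def passed_to_origin(requests: list, limiter: Optional[RateLimiter] = None,
                     rule: Optional[Callable[[Request], bool]] = None) -> int:
    """Count requests that survive the pattern rule (first) and the limiter (second)."""
    n = 0
    for r in requests:
        if rule is not None and not rule(r):
            continue
        if limiter is not None and not limiter.allow(r):
            continue
        n += 1
    return n


def compare() -> Dict[str, int]:
    """Run the scenarios from the thread and return how many requests reach origin."""
    # One constructed Indonesian visitor: 10 hits on / over 4.5 s, well under the limit.
    legit = [Request(t=i * 0.5, ip="203.0.113.7", country="ID", path="/")
             for i in range(10)]
    return {
        "one_ip_2000_req_rate_limited": passed_to_origin(flood(1, 2000), RateLimiter()),
        "100_ips_2000_req_rate_limited": passed_to_origin(flood(100, 2000), RateLimiter()),
        "100_ips_2000_req_geo_rule": passed_to_origin(flood(100, 2000), rule=geo_path_rule),
        "legit_ID_both_controls": passed_to_origin(legit, RateLimiter(), geo_path_rule),
    }


if __name__ == "__main__":
    for name, n in compare().items():
        print(f"{name:32s} -> {n} requests reached origin")
```

With a single source the limiter lets exactly 20 of 2000 requests through, but spreading the same 2000 requests over 100 addresses keeps every address at its 20-per-window allowance and all 2000 reach origin, which is the leak the poster calculated. The geo-plus-path rule drops all of that traffic while still passing the constructed Indonesian visitor, and in a real deployment the action on that rule would be a challenge rather than a block, since legitimate foreign visitors to the root page would otherwise be lost.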