Rate Limiting / Brute Force Help


Today I experienced a large brute force attack on a login page (not wordpress) and I have enabled “Under Attack” mode as well as Rate limiting. Unfortunately as I am on the free plan, I don’t have access to a all of the DDOS tools.

The attack appears to be ongoing and so far within the last 6 hours I have had 107,465 hits.

I have configured rate limiting to “5 requests per 1 minute, Block for 1 hour”

I am curious to know the following:

  1. How can I get a view of when the attack is stopped?

  2. How can I understand the potential cost of the rate limiting? I’ve read the documentation and I understand that I only get charged for “good” traffic - so how does CF determine what is good traffic? I normally get a few hundred genuine visitors a day…

The Analytics > security shows the following

Which URL you are matching to enforce rate limiting? Is it only the login page? Or your whole website?

If the traffic rate is within the constraints of the rate limiting rule that you configured, it is considered as good traffic (e.g. based on your rule, 5 requests within 1 minute)

1 Like

Yes just the login page.

Do you think that rate limit is good, or is it too generous? Perhaps I should tweak it?

I think the billing is not a concern since you just protect your login page. Based on your rate limiting configuration there will be only 5 requests maximum within 1 minute that your visitor can make, any extra request will be blocked by Cloudflare - and you will not get charged by those rate limited requests.

Thanks for your help, I appreciate it. Traffic has gone back to normal loads now :wink:
All the best

1 Like

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.