Rate limiting failed - configuration wrong?

We’ve got a rate limiting rule set up to prevent automated signups to our webapp.

It’s set to 5 requests per 10 seconds, block for a day on a specific endpoint (it was set to an hour, I’ve just updated it to a day).

Today someone managed to get through this and the rate limiting only triggered 727 times whereas the total traffic was >250k requests.

All from one IP - once we blocked the IP in the firewall the traffic stopped but the whole point of the rate limit rule is to do this for us based on the rule.

Are there any common failure points or things I need to consider when setting this up to make sure it works properly? In my limited testing it’s working, but it’s obviously failing at some point.

It’s a Cloudflare Business account.

Any help appreciated,

Thanks


To confirm, have you set up your origin web server(/load balancer) to either:

A) only accept traffic from Cloudflare IPs

B) set up authenticated origin pull

Also, do you have a ‘default’ vhost so that your web server only replies when the SNI/Host header is the real one for your website? If not, someone could set up a rogue Cloudflare domain, point it to your IP, and access your website without incurring your own CF zone’s security rules.

Finally, are these traffic statistics from the Cloudflare dashboard?

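The two checks described in the reply above (only accept traffic whose TCP peer is one of the proxy's published egress ranges, and only serve requests whose Host/SNI is really yours) can be sanity-tested in code before relying on a firewall or vhost config. The block below is an added example, not code from the thread or from Cloudflare; it assumes hypothetical hostnames under example.com, and the CIDR list is a constructed placeholder using RFC 5737/3849 documentation ranges, standing in for the real list published at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6. It also shows the check a practitioner would want on top of the thread's advice: the proxy-supplied client address header (CF-Connecting-IP) is only trusted after the peer has passed the range check, otherwise anyone hitting the origin directly can spoof it.

```python
"""
Origin lockdown check (added example, not the forum poster's configuration).

A request is accepted only when
  1. the TCP peer address is inside one of the proxy's egress ranges, and
  2. the Host header names one of our own hostnames (the "default vhost" point).
Only then is the CF-Connecting-IP header trusted as the real client address.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# CONSTRUCTED placeholder ranges (RFC 5737 / RFC 3849 documentation space).
# In production, load the real list from https://www.cloudflare.com/ips-v4 and
# https://www.cloudflare.com/ips-v6 and refresh it on a schedule.
PROXY_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in ("203.0.113.0/24", "198.51.100.0/24", "2001:db8:1000::/36")
]

# Hypothetical hostnames this origin is allowed to answer for.
OUR_HOSTS = {"www.example.com", "example.com"}


@dataclass
class Request:
    peer_ip: str                      # address of the TCP peer (the proxy, we hope)
    host: str                         # raw Host header value
    headers: Dict[str, str] = field(default_factory=dict)


def peer_is_proxy(ip: str) -> bool:
    """True if the TCP peer falls inside one of the published proxy ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROXY_RANGES)


def host_is_ours(host: str) -> bool:
    """Normalise a Host header (optional :port, case, trailing dot) and match it."""
    h = host.strip()
    if h.startswith("["):                     # bracketed IPv6 literal, e.g. [2001:db8::1]:443
        h = h[1:h.find("]")] if "]" in h else h
    else:
        h = h.split(":", 1)[0]               # drop :port
    return h.lower().rstrip(".") in OUR_HOSTS


def evaluate(req: Request) -> Tuple[str, Optional[str]]:
    """
    Decide whether to serve the request.
    Returns (decision, trusted_client_ip); decision is 'accept' or a 'reject: ...' reason.
    """
    if not peer_is_proxy(req.peer_ip):
        # Direct-to-origin traffic: the zone's rate limits never saw it.
        return "reject: peer not in proxy ranges", None
    if not host_is_ours(req.host):
        # Some other zone (possibly a rogue one) proxying to our IP.
        return "reject: unknown Host", None
    client = req.headers.get("CF-Connecting-IP")
    if client is None:
        return "reject: missing CF-Connecting-IP", None
    try:
        ipaddress.ip_address(client)
    except ValueError:
        return "reject: malformed CF-Connecting-IP", None
    # Only now is the header trustworthy: the peer has proven to be the proxy.
    return "accept", client


if __name__ == "__main__":
    # Constructed sample requests for a quick manual run.
    samples = [
        Request("203.0.113.10", "www.example.com", {"CF-Connecting-IP": "192.0.2.44"}),
        Request("192.0.2.44", "www.example.com", {"CF-Connecting-IP": "203.0.113.10"}),
        Request("203.0.113.10", "attacker.example", {"CF-Connecting-IP": "192.0.2.1"}),
    ]
    for s in samples:
        print(s.peer_ip, s.host, "->", evaluate(s))
```

This is a backstop at the application layer; the thread's actual recommendation is to enforce the peer check in a host or network firewall (option A) or with authenticated origin pull (option B), and to give the web server a default vhost that returns nothing useful for unknown hostnames.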

Hi,

A) Yes, the whole domain is behind cloudflare

I’ll check the vhost thing - I’m pretty sure we do, but it’s worth double checking.

Yes, the stats are from Cloudflare’s dashboard but our own internal stats show hundreds of signups that “got through” - I’m still checking into the details.

Given that the Cloudflare firewall stopped the traffic instantly, that seems to suggest we’re adequately protected behind CF.

It also needs a local firewall to block any traffic not coming from the IP addresses in that list.


Yes, which option did you do? Either B, which is part of the TLS config on your server, or A, which is a firewall on the server/firewall on the network that blocks traffic from IPs not on the list.


Option A.

But to be clear, I don’t think there’s a failing of our cloudflare config here - Cloudflare stopped the traffic as soon as we manually added the IP to the cloudflare firewall so the traffic was definitely coming through CF rather than direct to the origin server(s).

Are there circumstances that’d cause a rate limiting rule to fail like this, or is there a way to set up the CF firewall to block traffic from a certain IP if it triggers a rate limit rule?

I’ve logged a ticket with more information to Cloudflare, ticket number 2262694.
