I’m using rate limiting, but I found out someone is using rotating IP addresses to steal my data; their IP changes every request, and even their ASN changes too.
I can’t use anti-DDoS, captcha, or JS challenge because I’m working on an API. I’m also using end-to-end encryption, but the key was leaked in the browser. I’ve tried changing it many times and raising the obfuscation level, but after a few days those hackers still find the way to get the new key.
So, any idea how to prevent this?
When attacks are this persistent it becomes quite hard to detect and stop them. You mentioned they are attacking an API, are the keys tied to users or is it a “general” key that needs to be exposed?
If the API is used with tokens, you could rate limit per token rather than relying on the IP address. If that’s not possible, then your options are:
- Attempt to fingerprint the attackers. TLS fingerprint and HTTP frames are a good starting point, but there are more techniques. The problem is that implementing those techniques by yourself is probably not worth it; CF has this available to ENT customers: JA3 Fingerprint · Cloudflare bot solutions docs. If you still want to implement some sort of fingerprinting yourself, check these out: GitHub - fooinha/nginx-ssl-ja3: nginx module for SSL/TLS ja3 fingerprint. and GitHub - Xetera/nginx-http2-fingerprint: 👇 An implementation of Akamai's passive HTTP2 client fingerprinting whitepaper for NGINX. are good starting points.
- Detect proxies (datacenter & residential proxies). You could pre-process requests with a Worker and match the incoming IP against a reputation database that specializes in detecting proxies. There are many vendors that offer this; you can try different ones and see which one works best. This lookup would likely add some latency to the requests, so it would make sense to attempt caching the database in KVs or DOs when possible.
- Buy some sort of API abuse protection service. I believe Cloudflare doesn’t have a product that specializes in this, but I’m positive something will be released eventually. There is Cloudflare API Shield · Cloudflare API Shield docs, but I don’t know if it would be a good fit.
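The per-token rate limiting and the cached proxy-reputation lookup suggested in the answer above, as an added example that is not part of the original thread or of any Cloudflare product code. It assumes a Workers-style handler that receives headers as a plain object with lower-case keys, an in-memory Map standing in for KV or Durable Objects, a hypothetical `lookup(ip)` callback standing in for a vendor proxy database, and made-up policy values (5 requests per 60 s window); the IPs are from documentation ranges.

```javascript
// Added example (not from the thread): per-token rate limiting plus a cached
// proxy-reputation lookup, in the style of a Cloudflare Worker request gate.
// Assumptions: plain-object headers with lower-case keys; a Map stands in for
// KV / Durable Objects; `lookup(ip)` stands in for a vendor proxy database.

const LIMIT = 5;           // requests per window per key (assumed policy)
const WINDOW_MS = 60_000;  // fixed window length in ms (assumed policy)

function header(headers, name) {
  return headers[name.toLowerCase()] || '';
}

// Key the bucket on the bearer token, so one leaked credential replayed from
// rotating IPs/ASNs still shares a single bucket; no token -> fall back to IP.
function rateLimitKey(headers) {
  const m = /^Bearer\s+(\S+)$/i.exec(header(headers, 'authorization'));
  if (m) return 'token:' + m[1];
  return 'ip:' + (header(headers, 'cf-connecting-ip') || 'unknown');
}

class TokenRateLimiter {
  constructor({ limit = LIMIT, windowMs = WINDOW_MS, now = Date.now } = {}) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.store = new Map(); // key -> { windowStart, count }
  }

  // Fixed-window counter: returns the decision plus Retry-After data.
  check(headers) {
    const key = rateLimitKey(headers);
    const t = this.now();
    let entry = this.store.get(key);
    if (!entry || t - entry.windowStart >= this.windowMs) {
      entry = { windowStart: t, count: 0 };
      this.store.set(key, entry);
    }
    entry.count += 1;
    const allowed = entry.count <= this.limit;
    return {
      key,
      allowed,
      remaining: Math.max(0, this.limit - entry.count),
      retryAfterMs: allowed ? 0 : entry.windowStart + this.windowMs - t,
    };
  }
}

// TTL cache in front of the reputation lookup, so each IP costs one backend
// call per TTL instead of one per request (the latency concern in the reply).
class ReputationCache {
  constructor(lookup, { ttlMs = 3_600_000, now = Date.now } = {}) {
    this.lookup = lookup;   // lookup(ip) -> true if IP is a known proxy (assumed)
    this.ttlMs = ttlMs;
    this.now = now;
    this.cache = new Map(); // ip -> { proxy, expires }
    this.lookups = 0;       // backend calls made, to show the cache working
  }

  isProxy(ip) {
    const t = this.now();
    const hit = this.cache.get(ip);
    if (hit && hit.expires > t) return hit.proxy;
    this.lookups += 1;
    const proxy = Boolean(this.lookup(ip));
    this.cache.set(ip, { proxy, expires: t + this.ttlMs });
    return proxy;
  }
}

// One decision per request: the cheap rate-limit check runs first, so the
// reputation lookup is never paid for a request that is already over quota.
function gate(limiter, reputation, headers) {
  const rl = limiter.check(headers);
  if (!rl.allowed) {
    return { status: 429, reason: 'rate limit exceeded for ' + rl.key, retryAfterMs: rl.retryAfterMs };
  }
  const ip = header(headers, 'cf-connecting-ip');
  if (reputation.isProxy(ip)) {
    return { status: 403, reason: 'known proxy ' + ip };
  }
  return { status: 200, reason: 'ok', remaining: rl.remaining };
}

// Constructed scenario: one leaked token replayed from a fresh IP on every
// request (203.0.113.0/24 is the TEST-NET-3 documentation range). Because the
// bucket is keyed on the token, rotating IPs buys the attacker nothing.
function simulateRotatingIps(requests, { proxyIps = new Set() } = {}) {
  let clock = 0;
  const now = () => clock;
  const limiter = new TokenRateLimiter({ now });
  const reputation = new ReputationCache((ip) => proxyIps.has(ip), { now });
  const statuses = [];
  for (let i = 0; i < requests; i++) {
    clock += 100; // 100 ms apart, all inside one window
    const headers = {
      authorization: 'Bearer leaked-token-123',
      'cf-connecting-ip': '203.0.113.' + (i % 256),
    };
    statuses.push(gate(limiter, reputation, headers).status);
  }
  return { statuses, lookups: reputation.lookups };
}
```

In a real Worker the Map would be a Durable Object (for an exact counter) or KV (eventually consistent, so treat the limit as approximate), and the reputation lookup would be an async `fetch` to the vendor whose result is written back to KV with an expiration TTL; the decision flow stays the same.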
Most of the services are on Cloudflare Enterprise.
These complex protection services typically demand more computing resources and advanced technology, making them more expensive to offer and maintain. As a result, they are often limited to higher-tier plans, which are geared towards customers who require a greater level of security and customization.
It’s also important to remember that Cloudflare is a business that needs to generate profit. So far, CF has been the most generous provider when it comes to offering all kinds of protections to non-enterprise customers.
That being said, as technology advances and these protection services become more commonplace, it is likely that the costs associated with providing them will decrease. As we’ve seen with other security measures in the past, the features that were once exclusive to higher-tier plans have become more affordable and accessible over time (SBFM being the best example).
This trend will likely continue, making advanced protection services more available to customers on lower-tier plans in the future.
In the meantime, you might consider exploring alternative solutions or services that offer similar protection features at a lower cost, or possibly implementing the solutions yourself with the suggestions I gave earlier.
If you want to peek at some competitors, Datadome & Stackpath are probably the best fit.
Besides @jnperamo’s suggestions, if you’re on Cloudflare Pro or higher plans, check your Cloudflare WAF Managed Rulesets: WAF Managed Rules · Cloudflare Web Application Firewall (WAF) docs and Scheduled changes · Cloudflare Web Application Firewall (WAF) docs.
Not all of those Managed Rulesets are enabled by default when you look at individual rules. Some might be applicable to your situation and can help minimise the attack rate/size if they are enabled: Deploy a managed ruleset in the dashboard for a zone · Cloudflare Web Application Firewall (WAF) docs