Rate limiting on rotating IP addresses

I’m using rate limiting, but I found out someone is using rotating IP addresses to steal my data. Their IP changes on every request, and even their ASN changes too.
I can’t use anti-DDoS, captcha, or JS challenge because I’m working on an API. I’m also using end-to-end encryption, but the key was leaked in the browser. I have tried changing it many times and updating the obfuscation level, but after a few days those hackers still find a way to get the new key.
So, any idea how to prevent this?

When attacks are this persistent, it becomes quite hard to detect and stop them. You mentioned they are attacking an API; are the keys tied to users, or is it a “general” key that needs to be exposed?

If the API was used by tokens, you could rate limit per token rather than relying on the IP address. If that’s not possible, then your options are:

1 Like
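An added example, not part of the original thread, of the per-token rate limiting suggested in the reply above: a sliding-window limiter run over constructed traffic in which one token arrives from a new IP on every request. The field names, the token value, and the limit of 10 requests per 60 seconds are assumptions chosen for illustration.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each key."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        # key -> timestamps of requests that were allowed.
        # A real deployment would also evict idle keys to bound memory.
        self.hits = defaultdict(deque)

    def allow(self, key, now):
        q = self.hits[key]
        # Drop timestamps that have left the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def constructed_requests(n):
    """Constructed sample traffic: one token, a different source IP each time."""
    return [
        {"ts": i * 0.5, "ip": f"198.51.100.{i % 250 + 1}", "token": "tok_example"}
        for i in range(n)
    ]


def count_blocked(requests, key_field, limit=10, window=60):
    """Replay the requests through a limiter keyed on `key_field`."""
    limiter = SlidingWindowLimiter(limit, window)
    return sum(not limiter.allow(r[key_field], r["ts"]) for r in requests)


if __name__ == "__main__":
    reqs = constructed_requests(100)
    print("blocked when keyed on ip:   ", count_blocked(reqs, "ip"))
    print("blocked when keyed on token:", count_blocked(reqs, "token"))
```

Keyed on the IP, every request looks like a first request and nothing is blocked; keyed on the token, everything past the limit is rejected regardless of the source address.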

Most of the services are on Cloudflare Enterprise :unamused:

These complex protection services typically demand more computing resources and advanced technology, making them more expensive to offer and maintain. As a result, they are often limited to higher-tier plans, which are geared towards customers who require a greater level of security and customization.

It’s also important to remember that Cloudflare is a business that needs to generate profit :person_shrugging:, so far CF has been the most generous provider when it comes to offering all kinds of protections to non-Enterprise customers.

That being said, as technology advances and these protection services become more commonplace, it is likely that the costs associated with providing them will decrease. As we’ve seen with other security measures in the past, the features that were once exclusive to higher-tier plans have become more affordable and accessible over time (SBFM being the best example).
This trend will likely continue, making advanced protection services more available to customers on lower-tier plans in the future.

In the meantime, you might consider exploring alternative solutions or services that offer similar protection features at a lower cost, or possibly implementing the solutions yourself with the suggestions I gave earlier.

If you want to peek at some competitors, DataDome & StackPath are probably the best fit.

1 Like

Besides @jnperamo’s suggestions, if you’re on Cloudflare Pro or higher plans, check your Cloudflare WAF Managed Rulesets (see “WAF Managed Rules” and “Scheduled changes” in the Cloudflare Web Application Firewall (WAF) docs).

Not all of those Managed rulesets are enabled by default when you look at individual rules. Some might be applicable to your situation, which can help minimise the attack rate/size if they are enabled (see “Deploy a managed ruleset in the dashboard for a zone” in the Cloudflare Web Application Firewall (WAF) docs).

1 Like
