Rate Limiting Rule - Error 1015

Getting Started
#1

Hi there -

I turned on rate limiting for our org using the path: www.mysite.org/*

The reason for turning it on, is we do have loginless pages and noticed thousands of records created in our DB with $1 transaction attempts. After turning it on, it stopped and over the course of 24 hours i’ve blocked using this rule roughly 10k blocks. That’s the good news, the bad news is i have actual people trying to buy tickets or reserve something using our site, and they’re receiving the Error 1015. I currently have the threshold set to “100 attempts in 1 minute = Block for 1 day”.

Does anyone know a better option for me to use to still block bad traffic, but not block good traffic? Possibly a FW rule as well?

Thank you!

#2

I see you rate limited for the entire site. I tried this, but found that if my page has 50 resources, and my rate limit is 50 hits in a minute, I’d hit that rate limit in a single page view.

Is there a choke point you could protect instead? Like a checkout page?

#3

Ya totally! I just have to ask the web team to take a look into that. There’s plenty of expired pages that have a submit form still that i’ve uncovered lastnight. I was hoping to help counter that with a better threshold or rule, but i hear you. The two active support us pages are currently being rate limited, but the blocks are no where near the amount of the wildcard rule. Super new to cloudflare, do you know of any other methods to help counter? Thanks!

#4

Quite often I use Firewall Rules. If your target audience is a specific country, you can add a Firewall Rule to match a URL (exact, or “contains”), and if it’s NOT your target country, then JS Challenge (it’s a 5 second Javascript automated challenge that browsers process). That often gets rid of most of the bots. Or just flat-out block unwanted countries from the purchasing process.

#5

That’s true, ok… Let me read some of yesterday’s logs and see what countries in particular are doing it. I did turn on a new FW rule for “Known Bots”, that is really working well and the logs show places such as Russian Federation, etc… Thanks for that tip!

#6

“Known Bots” are the good ones. Usually search engines, which would include Yandex from Russia.

#7

Ah, should i not be doing that rule? I have it blocking them.