Rate limiting wildcard?

We are getting DDoS attacks on both our homepage and log in page (domain.org/wp-login.php). It looks like Cloudflare allows only one rate limiting rule. Would a wildcard like domain.org/* work for us?

You could, but that would most likely bite you in some unintended way. And Rate Limiting really doesn’t work against DDoS because of their nature.

You’re better off with a Firewall Rule to CAPTCHA challenge wp-login, and another Firewall Rule to JS Challenge the home page. Or, if the home page is relatively static, use a Page Rule to Cache Everything and Edge Cache TTL (2 hours) the home page URL.

The number of rules really depends on the plan. Configuring Cloudflare Rate Limiting – Cloudflare Help Center

Abesent any other details, a rule on the login page to prevent credential stuffing and a ‘cache everything’ page rule might get you pretty far along.

Some first steps from the community…

Under DDoS Attack! First steps - Tutorials - Cloudflare Community


Thanks, Sdayman. By bite in an unintended way, do you mean like extra cost of legitimate hits or are there other potential problems? I like the CAPTCHA/JS challenge suggestions, and am looking into that.

Thanks, cscharff - I’m surprised I hadn’t come across that helpful tutorial page.

If your under attack, activate IUAM for your domain. Also I’m getting a 4xx client side error

Also, what’s the link?

If you set a wildcard, it applies to all resources on your site. It wouldn’t surprise me if legitimate users got rate limited during normal usage. Again, rate limiting doesn’t work well against a DDoS coming from a variety of IP addresses.

1 Like

Thanks, I was just trying to simplify the post - it’s naisma.org

IUAM is not active, it din’t challenge me, you should turn it on! Only IF you think you are under attack!

I’ll see if it rate limits me

Your site is also slow, it takes a few seconds to redirect.

The attacks are happening irregularly, every day or two, so I’m hesitant to turn on IUAM all the time. Yes, it’s a slow site, so that’s not helping. I’ll try the challenge suggestions and then IUAM if that doesn’t work.

K tell me when your done (I’ll load the page back up then)

Yes, challenge options are below as well as protection options

Have you followed the steps?

I’ve done some of them, but I’m still reading about all the options and steps.

Which ones?

Hello, you haven’t followed all the steps yet have you? I’m not getting the browser integrity check when I open your site (which is default on IUAM)

I’m still looking into the attacks and the options, and working on implementing sdayman’s suggestions. CAPTCHA and JS challenge work well, so next is refining cache settings.

1 Like