Recommended rules to block query-based DDoS?

I have an associate who manages a website that is currently under siege (interestingly, they believe the folks who are doing the attacking are also a Cloudflare customer – isn't that funny).

Anyway, the traffic that is doing all the damage is NOT being stopped by any Cloudflare default settings.

I was able to help them block it using the following rule (http.request.full_uri contains "?"), but that rule is too problematic to serve as a permanent solution. I can whitelist several management IP addresses, but I'd prefer to approach this more comprehensively, as would they.

SCREEN SHOT REMOVED FOR SECURITY

The URL portion is always different, as is the material in the referrer section.

There are millions of combinations of characters in both.

What kind of rule can I create to block this?

Is it possible to block this using the free Cloudflare account?

Why not JS challenge anywhere the Referer contains google or duckduckgo? Only humans should have a referer like that.

Thanks for the recommendation. There are thousands of different referrers, but I can pull them all from the logs, eliminate duplicates, and create a rule to try that. Let me see how that works. Thanks!

You wouldn't happen to know where I can get a list of the URLs for all the search engines in the world, would you? I don't want to play cat-n-mouse anymore.
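As an added illustration of the two approaches discussed in this thread (not code from any poster or from Cloudflare), the following Python script parses a handful of constructed combined-format access-log lines, deduplicates the Referer hosts as the second post proposes, and evaluates each request against the stopgap rule (full URI contains "?") and the suggested rule (Referer host is a search engine, to be JS-challenged). The log lines, the search-engine host fragments and the approximation of full_uri by the request path are all assumptions for the example; the point it makes is how many legitimate requests (for instance an admin page with a query string) the "?" rule catches that the Referer rule leaves alone.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample access-log lines in combined log format; not taken from
# the thread. The fifth line is a legitimate admin request with a query
# string, the kind of false positive the "?" rule produces.
SAMPLE_LOGS = [
    '203.0.113.10 - - [01/Jan/2024:10:00:00 +0000] "GET /?q=abc123 HTTP/1.1" 200 512 "https://www.google.com/search?q=site" "Mozilla/5.0"',
    '203.0.113.11 - - [01/Jan/2024:10:00:01 +0000] "GET /page?x=9f8e7d HTTP/1.1" 200 512 "https://example-random.net/zzz" "curl/8.0"',
    '203.0.113.12 - - [01/Jan/2024:10:00:02 +0000] "GET /about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.13 - - [01/Jan/2024:10:00:03 +0000] "GET /?s=k1l2m3 HTTP/1.1" 200 512 "https://duckduckgo.com/?q=site" "Mozilla/5.0"',
    '203.0.113.14 - - [01/Jan/2024:10:00:04 +0000] "GET /wp-admin/edit.php?post=3 HTTP/1.1" 200 512 "https://www.example.com/wp-admin/" "Mozilla/5.0"',
    '203.0.113.15 - - [01/Jan/2024:10:00:05 +0000] "GET /?id=77 HTTP/1.1" 200 512 "https://www.google.com/" "Mozilla/5.0"',
]

# Combined log format: ip ident user [time] "method target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed search-engine host fragments; the thread asks for a complete list,
# which this example does not claim to provide.
SEARCH_ENGINE_FRAGMENTS = ("google", "duckduckgo", "bing")


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer):
    """Hostname from a Referer value; '' when the header was absent ('-' in the log)."""
    if referer in ("", "-"):
        return ""
    return urlsplit(referer).hostname or ""


def unique_referer_hosts(lines):
    """Deduplicated Referer hosts seen in the log, sorted, for building a rule list."""
    hosts = {referer_host(r["referer"]) for r in map(parse_line, lines) if r}
    hosts.discard("")
    return sorted(hosts)


def matches_query_rule(req):
    """The thread's stopgap rule: http.request.full_uri contains "?".
    The log only holds the path and query, so that part of the URI stands in for full_uri."""
    return "?" in req["target"]


def matches_search_referer_rule(req):
    """The suggested rule: Referer host belongs to a search engine (JS-challenge candidate)."""
    host = referer_host(req["referer"])
    return any(frag in host for frag in SEARCH_ENGINE_FRAGMENTS)


def evaluate(lines):
    """Count how many requests each rule acts on and how many only the "?" rule hits."""
    counts = Counter()
    for req in map(parse_line, lines):
        if not req:
            counts["unparsed"] += 1
            continue
        q = matches_query_rule(req)
        s = matches_search_referer_rule(req)
        if q:
            counts["blocked_by_query_rule"] += 1
        if s:
            counts["challenged_by_referer_rule"] += 1
        if q and not s:
            counts["query_rule_only"] += 1  # traffic the Referer rule would leave alone
    return counts


if __name__ == "__main__":
    print("Referer hosts in log:", unique_referer_hosts(SAMPLE_LOGS))
    for k, v in sorted(evaluate(SAMPLE_LOGS).items()):
        print(f"{k}: {v}")
```

Run against a real log export, unique_referer_hosts gives the deduplicated list the second post suggests building a rule from, and the query_rule_only count shows how much traffic the stopgap blocks that a Referer-based challenge would not touch.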
