I have an associate who manages a website that is currently under siege (interestingly, they believe the folks who are doing the attacking are also a Cloudflare customer – isn’t that funny).
Anyway, the traffic that is doing all the damage is NOT being stopped by any Cloudflare default settings.
I was able to help them block it using the following rule (http.request.full_uri contains "?"), but that rule is too problematic to serve as a permanent solution. I can whitelist several management IP addresses, but I’d prefer to approach this more comprehensively, as would they.
SCREEN SHOT REMOVED FOR SECURITY
The URL portion is always different, as is the material in the referrer section.
There are millions of combinations of characters in both.
What kind of rule can I create to block this?
Is it possible to block this using the free Cloudflare account?
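As an added example that is not part of the original post, the following Python models how the rule quoted above (`http.request.full_uri contains "?"`) and two narrower variants would classify a handful of constructed requests. It is a simulation of the expression semantics, not Cloudflare's engine; the 203.0.113.0/24 management range, the example.com host and the sample traffic are all assumptions.

```python
"""
Model of three Cloudflare firewall-rule expressions evaluated against
constructed sample requests. Added example, not from the original post.
Assumptions: the site is example.com, management IPs live in 203.0.113.0/24
(a documentation range), and the sample traffic below is made up.
"""
from ipaddress import ip_address, ip_network

SITE_HOST = "example.com"                         # assumed site
MANAGEMENT_NETS = [ip_network("203.0.113.0/24")]  # assumed management range

# Constructed sample traffic, loosely following the post: attack requests carry
# a random query string and a random referrer; legitimate requests also use
# query strings (site search, admin pages), which is why the broad rule hurts.
SAMPLE_REQUESTS = [
    {"id": "attack-1", "ip": "198.51.100.7",
     "full_uri": "https://example.com/?x9f2kq=zz01",
     "referer": "http://random-site-1.invalid/abc"},
    {"id": "attack-2", "ip": "198.51.100.8",
     "full_uri": "https://example.com/page?q81=ajk2m",
     "referer": "http://random-site-2.invalid/qwe"},
    {"id": "visitor-search", "ip": "192.0.2.10",
     "full_uri": "https://example.com/search?q=shoes",
     "referer": "https://example.com/"},
    {"id": "visitor-home", "ip": "192.0.2.11",
     "full_uri": "https://example.com/",
     "referer": ""},
    {"id": "admin", "ip": "203.0.113.5",
     "full_uri": "https://example.com/wp-admin/edit.php?post_type=page",
     "referer": "https://example.com/wp-admin/"},
]

# Rule expressions as they would be written in the Cloudflare dashboard.
BROAD = 'http.request.full_uri contains "?"'
WITH_ALLOWLIST = BROAD + " and not ip.src in {203.0.113.0/24}"
WITH_ALLOWLIST_AND_REFERER = WITH_ALLOWLIST + ' and not http.referer contains "example.com"'


def has_query(req):
    """http.request.full_uri contains "?" : true for any request with a query string."""
    return "?" in req["full_uri"]


def from_management_ip(req):
    """ip.src in {203.0.113.0/24} : true when the client IP is in an allowlisted range."""
    src = ip_address(req["ip"])
    return any(src in net for net in MANAGEMENT_NETS)


def referer_is_own_site(req):
    """http.referer contains "example.com" : substring match, exactly as 'contains' behaves.
    The Referer header is client-supplied, so a bot can spoof it; this only raises the bar."""
    return SITE_HOST in req["referer"]


RULES = {
    BROAD: has_query,
    WITH_ALLOWLIST: lambda r: has_query(r) and not from_management_ip(r),
    WITH_ALLOWLIST_AND_REFERER: lambda r: (has_query(r)
                                           and not from_management_ip(r)
                                           and not referer_is_own_site(r)),
}


def blocked_by(rule_expr, requests=SAMPLE_REQUESTS):
    """Return the ids of the requests the given rule expression would block."""
    return [r["id"] for r in requests if RULES[rule_expr](r)]


if __name__ == "__main__":
    for expr in RULES:
        print(expr, "->", blocked_by(expr))
```

Run as-is, the broad rule blocks the site's own search and admin pages along with the attack traffic; folding the management allowlist into the expression (`and not ip.src in {...}`) frees the admin pages, and exempting requests whose Referer names the site frees the visitor's search. Two caveats worth keeping in mind: `contains` is a substring match, so `http.referer contains "example.com"` also matches `example.com.attacker.invalid`, and any Referer-based exemption can be forged by the client. Cloudflare also exposes the query string directly as `http.request.uri.query`, so `http.request.uri.query ne ""` expresses the same test as the `contains "?"` rule without scanning the whole URI.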