Redirecting traffic during DDoS

I have this wonderful idea but I’m not sure if it’s a good idea or not.

Suppose I have this page rule in place… .example.com/
Redirecting to… http://nope.example.com
I have an A Name pointing “nope” to the 1.2.3.4 IP address.

If activated, ALL traffic going to the website will be redirected to the null address. In other words, it creates a black hole. Granted, the attackers win because the website goes down, but in my case it would be more prudent to sit it out rather than allowing the attack to continue as I do not run any essential services. In any case, my interest is not about the logic of blocking any and all traffic versus letting Cloudflare deal with it via proxy. The big question is…

Will this, due to the repeated and failed redirect attempts, increase the traffic load on the botnet?

If that DNS record is proxied, that IP address will never show up and requests will still go to Cloudflare, only Cloudflare won’t be able to forward the request.

In case of an attack, you best make use of the Cloudflare tools to mitigate that attack. Check out firewall rules for example.

I get that, but as I said it’s not the issue.

I want to know if it’ll affect a botnet’s workload.

We can discuss it, but it is the wrong approach, just so that you know.

Are we talking about a proxied record or not? What exactly do you mean by workload?

It’s a shame I can’t edit the post.

Forget about it being proxied, it’s a black hole.

So not proxied? In that case they will try to connect to the given address and if there is no response will eventually run into a connection timeout.

Right. So in theory, if I’m right, each client in the botnet will make even more attempts to connect to the target due to the recursive redirect. Surely this would increase the amount of work of the clients. But would it be significant?

That is a lot of speculation and fully depends on their setup. Also, it is assuming they follow that redirect. The easiest thing might be to change your original record’s IP address to that address and then unproxy.

Again, this is not really the right approach and overall a topic better for a general security forum.

Yeah, I suppose the botnet could be configured to avoid this.

Point taken.
