Server down even with Cloudflare enabled

I have a simple web hosting server that keeps getting taken down by a huge DDoS attack.
After I moved to Cloudflare, I thought the problem would be solved, but unfortunately not.
I don’t think the attack is directly on the server’s IP, since I can see the ‘uncached requests’ spiking to over 2 million.
I enabled everything I could think of, the ‘under attack’ setting, and changing the block rules to be more strict, yet the site stays down.
Can someone please advise me on what I can do here? I’m really lost at what else to do…
Where can I look for clues about the attack and how to stop it?

To secure a web server I recommend Fail2Ban!
I have used it for over 10 years and it helps against any DDoS attacks, even those with millions of DDoS requests.

There are even fail2ban automation scripts for Cloudflare that auto-block the IP on Cloudflare.

Search the forum here and you will find several topics about it.

Look at those requests in the log and see if you can see any patterns and use the Firewall to block.

You can also look at Rate Limiting, which is a paid-for service, but you only pay for legitimate traffic.

I’m completely lost at this point.
I stopped the Apache webserver and my CPU usage is still sky high.
I’m running a VPS and don’t see anything except blocked requests on the UFW.

May I ask if it is the real attack or rather Cloudflare trying to access your server while your firewall is not allowing Cloudflare IPs?

Kindly re-check whether Cloudflare is allowed to connect to your origin host, as described in the article below:

Nevertheless, the list of Cloudflare IP addresses can be found here:

Furthermore, if you check your access / error log files, do you see Cloudflare IPs?
See the article below and restore the original visitor IP:

Are all the needed DNS records for your domain proxied and set to the orange cloud?

Useful article:

It was definitely a real attack, but I have still not found the source of the issue.
On the security analytics, I have a HUGE spike in ‘unclassified’ threats.
I don’t see anything in the syslogs or the Apache logs that indicates something. I have now enabled my VPS firewall to only accept connections from Cloudflare, but I am not sure if the attacker can return and do the same thing.
I also did fail2ban, but it didn’t result in anyone getting banned.
Can someone advise me where I can look to try to find the type of attack and what I can do to prevent this in the future?

1 Like
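
The log checks suggested in the replies above, as an added example that is not part of any post in this thread: it reads Apache combined-format lines, counts requests whose peer address lies outside the proxy's ranges (traffic reaching the origin directly), and groups requests by path, distinct query strings and user agent. The networks in `PROXY_RANGES` are placeholder documentation ranges, the log lines are constructed, and it assumes visitor-IP restoration is not enabled, so the logged peer is the connecting address.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Placeholder networks (documentation ranges), NOT Cloudflare's real list; substitute the published ranges.
PROXY_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:cf::/48")]

# Apache "combined" format: peer, identity, user, [time], "request", status, size, "referer", "agent"
LINE_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"')

# Constructed sample lines, not taken from the thread.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2030:10:00:01 +0000] "GET /?r=8841 HTTP/1.1" 200 512 "-" "agent-a"
198.51.100.7 - - [01/Jan/2030:10:00:01 +0000] "GET /?r=1172 HTTP/1.1" 200 512 "-" "agent-a"
198.51.100.9 - - [01/Jan/2030:10:00:02 +0000] "GET /?r=5530 HTTP/1.1" 200 512 "-" "agent-a"
198.51.100.9 - - [01/Jan/2030:10:00:02 +0000] "GET /style.css HTTP/1.1" 200 90 "-" "agent-b"
203.0.113.50 - - [01/Jan/2030:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "agent-a"
203.0.113.50 - - [01/Jan/2030:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "agent-a"
this line is truncated
"""

def via_proxy(peer):
    try:
        ip = ipaddress.ip_address(peer)
    except ValueError:          # hostname or garbage in the peer field
        return False
    return any(ip in net for net in PROXY_RANGES)

def summarize(log_text):
    direct, paths, agents = Counter(), Counter(), Counter()
    queries, unparsed = defaultdict(set), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1                   # keep a count instead of silently dropping lines
            continue
        if not via_proxy(m["peer"]):
            direct[m["peer"]] += 1          # reached the origin without passing the proxy
        path, _, query = m["target"].partition("?")
        paths[path] += 1
        queries[path].add(query)            # many distinct queries on one path cannot be served from cache
        agents[m["agent"]] += 1
    return {"direct": direct, "paths": paths, "agents": agents, "unparsed": unparsed,
            "distinct_queries": {p: len(q) for p, q in queries.items()}}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Any address under `direct` is a connection the origin firewall should be refusing once only the proxy's ranges are allowed; a path with a high `distinct_queries` count is a candidate for a firewall or rate-limiting rule.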

Could be crawlers, scraping bots? (I see a lot of daily requests which I blocked from Apple and Bing, only legal from Google)

Kindly and patiently wait for more answers.

Until then, may I suggest you consider the tips and read the articles below:

Regarding that “manual migration” guide, that’s for premium only, right?
Because I don’t see those detailed analytics on my dashboard.

So the main problem for you now is that you have huge CPU usage.

You need to analyse what processes run on your CPU.

Maybe you have some broken script running in a never-ending loop
and blocking all the CPU because of this.

Normally I use “htop” in the command line to see what processes are running on the CPU,
and then you can also stop them with htop.

Like I said, it was 100% an attack, the attacker tried to extort us for money, and the ‘uncached requests’ on CF skyrocketed, with 1mil requests coming from China.
The server was only hosting one static site via Apache, nothing else.

The manual mitigation guide even applies to free plans. It uses Firewall Rules that anybody can use.

If you’re getting 1 million requests from China, and your site doesn’t need visitors from China, you can use Firewall Rules to block any visit where Country equals China. Please take a close look at that manual mitigation guide, as that’s the best way to defend against attacks.

1 Like

Happening again, attack coming from everywhere, so can’t block via location.
50mil ‘unclassified’ threats, can’t see much without premium.
Site went back up but is still under attack.

Kindly, I’d suggest you write a ticket to Cloudflare support due to your account and/or domain issue (keep in mind it’s the weekend) and share the ticket number here with us:

Do you see under the action column “Block” or?
