Site extremely slow - 522 errors (DDoS)

Hi,

My site is being massively DDoSed at the moment and I managed to set up some rules (in my Cloudflare firewall rules as well as the .htaccess on my web server) to block some requests.

I’ve also got the Web Application Firewall enabled. However, I still see some requests in my Apache logs that should actually be blocked (and they don’t appear in the Apache error logs, where they should be denied).

This is an example of the request that is currently DDoSing my website and, even with all the rules, is still performing attacks:

mediarepscom-7.as22384.net - - [18/Jan/2020:12:13:34 +0100] "GET /search.php?query=CandyCourt%20Snaps&do=process&securitytoken=guest HTTP/1.1" 301 317 "-" "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.5.24 Version/10.54"

I’ve set 2 rules within the Cloudflare firewall:

(http.host contains "mediarepscom-7.as22384.net")

(http.user_agent contains "Presto/2.5.24")

I see that “Activity last 24hr” is set to 0, whereas my Apache logs clearly show that those requests are interfering with my server…

Thanks for helping me

It’s possible that they’re bypassing Cloudflare. Can you set up a firewall to block anything that’s not coming from Cloudflare?

So you mean directly on my server’s htaccess?

Somewhere at your web host. Some let you do this at their dashboard.
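A quick way to test the "are they bypassing Cloudflare?" theory from the Apache side, as an added example that is not part of this thread: parse the access log and flag every line whose peer address is outside Cloudflare's published IPv4 edge ranges. It assumes the first field of each line is the raw TCP peer address (HostnameLookups Off, and no mod_remoteip or mod_cloudflare rewriting it to the visitor's IP), and the CIDR list is Cloudflare's published https://www.cloudflare.com/ips-v4 as known at the time of writing, so refresh it before relying on the result. The log lines below are constructed for the example; a hostname in the peer field (as in the original poster's log) cannot be checked and is flagged as unverified.

```python
"""Flag Apache access-log entries that did not arrive through Cloudflare.

Added example, not code from the thread. Assumes the log's first field is
the raw TCP peer address. CLOUDFLARE_IPV4 is Cloudflare's published edge
range list as known at time of writing (https://www.cloudflare.com/ips-v4);
refresh it before use.
"""
import ipaddress
import re

CLOUDFLARE_IPV4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
CLOUDFLARE_NETS = [ipaddress.ip_network(cidr) for cidr in CLOUDFLARE_IPV4]

# Apache "combined" format:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (TEST-NET addresses and a made-up hostname).
SAMPLE_LOG = [
    '104.16.1.1 - - [18/Jan/2020:12:13:34 +0100] "GET /search.php?query=a&do=process HTTP/1.1" '
    '301 317 "-" "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.5.24 Version/10.54"',
    '198.51.100.7 - - [18/Jan/2020:12:13:35 +0100] "GET /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [18/Jan/2020:12:13:36 +0100] "POST /xmlrpc.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    'host.example.net - - [18/Jan/2020:12:13:37 +0100] "GET /wp-login.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]


def is_cloudflare(addr: str) -> bool:
    """True if addr is an IP inside a published Cloudflare range.

    A hostname (HostnameLookups On) or malformed field returns False: it
    cannot be verified, so the caller treats it as suspicious.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in CLOUDFLARE_NETS)


def parse_line(line: str):
    """Return the combined-format fields as a dict, or None if unparseable."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_bypass(lines):
    """Return (peer, request_line) for entries that did not come via Cloudflare."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or is_cloudflare(rec["host"]):
            continue
        hits.append((rec["host"], rec["request"]))
    return hits


if __name__ == "__main__":
    # Usage: python check_bypass.py < /var/log/apache2/access.log
    import sys
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    for peer, req in find_bypass(src):
        print(f"not via Cloudflare: {peer}  {req}")
```

If this reports hits, the attacker has found the origin's address and Cloudflare rules can never see that traffic; the fix is the allowlist suggested above, enforced at the host firewall or in Apache with the same ranges in a `Require ip` block, so that only Cloudflare edges can connect. If mod_remoteip is already in use, the first log field is the visitor's address rather than the peer, so log the underlying connection address (`%{c}a` in Apache 2.4) in a separate field and feed that to the check instead.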

We had similar issue for days on end and this Cloudflare doc helped us resolve the 522s right away (#2 and #3):

Community Tip - Fixing Error 522: Connection timed out

Like you, however, I’m still getting hit heavily on xmlrpc, despite using WAF and one other rule. 450 hits today alone…

If WAF is enabled, doesn’t that stop all hits on xmlrpc? What can I look for to harden this rule? Thanks.

If you want to block xmlrpc, add a Firewall Rule to Block any Full URI that contains xmlrpc.

@sdayman, thank you for your prompt reply. I had added this rule in addition to WAF:

((http.request.uri.path contains "/xmlrpc.php") or (http.request.uri.path contains "/wp-login.php") or (http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-admin/admin-ajax.php" and not http.request.uri.path contains "/wp-admin/theme-editor.php"))

Are you saying by “Full URI” that I should add “https://www…” and variants (http, www.example.com, example.com)?

I was lazy and put in Full URI so I don’t miss anything, but the “contains” gives me pretty broad protection as long as I’m pretty specific. So Contains “xmlrpc” will block any query strings stuck on the end, or subdirectory attacks.

I could have put in something else, like Path, but I haven’t gone back and researched this.

Ok, cool. Thanks, @sdayman. I’ll watch and see what the next 24 hours brings.

Thanks again. :)

