Site is being DDoS'd - Around 10 million requests an hour - What can I do?

Hi there everyone!

Hopefully this is the correct place to post (I’m completely new here!).

One of my sites has unfortunately started to be attacked by what looks like a DDoS attack originating from India.

As this is the first time this has ever happened to me, I was wondering if you could just help re-assure me that I’ve taken the necessary steps?

  1. Enabled “I’m under attack”
  2. Enabled “Bot Fight Mode”

It looks like 100% of these are now being blocked, please see some screenshots below:

None of the bots are able to pass through the “Managed Challenge”.

Do I now just wait out the attack and hope they stop? (It’s been going for over 24 hours so far! It started at 1 million requests an hour but has since jumped up to almost 10 million an hour).

I’ve tried looking into the the event log and with the aim of giving the Managed Challenge’s to just the bots, however, they all come from different IP addresses (IPV4 and IPV6), from different ASN’s, and different user agents, also all use GET and HTTP/3. The only thing that is the same is they all are trying to request a random 404 page (Random string of characters each time e.g. domain[dot]com/324223fjwfwehfwefwe2323423). They are 99% from India and Pakistan too, however there are a few from other countries.

Is there anyway to block there or should I just leave my site set to “I’m under attack” until it stops?

I’m on the free plan by the way.

Please let me know if you need anymore info!

Many thanks.

The main problem with the free plan is that observing attack patterns is more challenging, however, the approach that is mentioned on the guides should be valid for any plan, just slightly more tedious in your case.

Those attacks are annoying, unfortunately the WAF doesn’t have any easy way to match requests that attack a random path, in your case, I’d try to look at all the other potential patterns.


Thank you so much for the quick response, those are all extremely helpful! :grinning:

After a bit more digging, it appears all of their user agents contain “Linux”, so I think I’m getting somewhere in being able to filter them out. I’m going to look through the guides you linked in more detail and really try to pin down a common pattern of them.

I think setting up a firewall rule for if India/Pakistan and user agent contains “Linux” will already narrow down nearly all of the bots and hopefully start to allow me to turn off “I’m under attack” for all visitors.

I hope you have a great weekend!


All of the requested spam pages end in a number, none of my legit pages do. I’m just going to create a rule, if URL path ends in 1-9, then challenge. Will monitor from there, thanks again :slight_smile:


While not perfect, you can reduce some of the attack surface area/size using Cloudflare Rate Limiting with custom 403/404 responses Unknows page request atttack - #6 by eva2000 :slight_smile:

It’s limited in a sense that rate limiting is per datacenter so with CF having 270+ locations, some requests still get through.

Here’s any example event logged entries for the above rate limiting by 403/404 rule where requests are for 404 non-existent paths on my site

1 Like

Legend, thank you! Also, thanks for Centminmod (thought the name looked familiar!)

1 Like

I’ve now managed to set up some rules which block all of spam and allows legitimate traffic through. Thanks everyone, marking this as solved :slight_smile:


Cheers. Glad I could help and thanks for the kind words for Centmin Mod :slight_smile:


The problem with this is that it’s enterprise + advanced security suite only, as far as I know other plans can’t count anything other than IPs :sweat:

It’s Business or higher plan feature


This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.