None of the bots are able to pass through the “Managed Challenge”.
Do I now just wait out the attack and hope they stop? (It’s been going for over 24 hours so far! It started at 1 million requests an hour but has since jumped up to almost 10 million an hour).
I’ve tried looking into the event log with the aim of giving the Managed Challenges to just the bots, however, they all come from different IP addresses (IPv4 and IPv6), from different ASNs, and different user agents, also all use GET and HTTP/3. The only thing that is the same is they all are trying to request a random 404 page (Random string of characters each time e.g. domain[dot]com/324223fjwfwehfwefwe2323423). They are 99% from India and Pakistan too, however there are a few from other countries.
Is there any way to block these or should I just leave my site set to “I’m under attack” until it stops?
The main problem with the free plan is that observing attack patterns is more challenging; however, the approach that is mentioned in the guides should be valid for any plan, just slightly more tedious in your case.
Those attacks are annoying. Unfortunately, the WAF doesn’t have any easy way to match requests that attack a random path. In your case, I’d try to look at all the other potential patterns.
Thank you so much for the quick response, those are all extremely helpful!
After a bit more digging, it appears all of their user agents contain “Linux”, so I think I’m getting somewhere in being able to filter them out. I’m going to look through the guides you linked in more detail and really try to pin down a common pattern of them.
I think setting up a firewall rule for if India/Pakistan and user agent contains “Linux” will already narrow down nearly all of the bots and hopefully start to allow me to turn off “I’m under attack” for all visitors.
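
Added example, not part of the thread: a small Python check of the rule proposed above (India/Pakistan and user agent contains “Linux”) against exported request events, showing how many random-404 requests it matches and how many other requests it would also challenge. The event tuples, the `is_suspect` labelling heuristic and all function names are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample events (not real traffic): (country, user agent, path, status).
EVENTS = [
    ("IN", "Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0", "/324223fjwfwehfwefwe2323423", 404),
    ("PK", "Mozilla/5.0 (Linux; Android 10) Firefox/119.0", "/98sdf7sd9f87sdf98s7df", 404),
    ("IN", "ExampleClient/1.0 (Linux armv7l)", "/qpwoeiruty1029384756zz", 404),
    ("BR", "Mozilla/5.0 (X11; Linux x86_64) Safari/537.36", "/zzxxccvvbbnnmm11223344", 404),
    ("IN", "Mozilla/5.0 (Windows NT 10.0; Win64) Chrome/120.0", "/", 200),
    ("US", "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0", "/blog/post-1", 200),
    ("PK", "Mozilla/5.0 (Linux; Android 13) Chrome/120.0", "/contact", 200),
    ("GB", "Mozilla/5.0 (Macintosh; Intel Mac OS X) Safari/605", "/about", 200),
]

def is_suspect(event):
    """Assumed attack label: a 404 on one long random-looking path segment."""
    _, _, path, status = event
    return status == 404 and re.fullmatch(r"/[A-Za-z0-9]{16,}", path) is not None

def candidate_rule(event):
    """Rule from the thread: country is India/Pakistan AND user agent contains "Linux"."""
    country, ua, _, _ = event
    return country in {"IN", "PK"} and "Linux" in ua

def evaluate(events, rule):
    """Return (suspects matched, suspects total, non-suspect requests also matched)."""
    suspects = [e for e in events if is_suspect(e)]
    others = [e for e in events if not is_suspect(e)]
    return (sum(map(rule, suspects)), len(suspects), sum(map(rule, others)))

def common_ua_tokens(events, min_share=0.9):
    """Alphabetic user-agent tokens present in at least min_share of suspect requests."""
    suspects = [e for e in events if is_suspect(e)]
    counts = Counter()
    for _, ua, _, _ in suspects:
        counts.update(set(re.findall(r"[A-Za-z]+", ua)))
    return sorted(t for t, n in counts.items() if n / len(suspects) >= min_share)

if __name__ == "__main__":
    matched, total, collateral = evaluate(EVENTS, candidate_rule)
    print(f"rule matches {matched}/{total} suspect requests, {collateral} other request(s)")
    print("tokens shared by suspects:", common_ua_tokens(EVENTS))
```

In this constructed sample the one non-suspect match is the Android visitor from Pakistan, because Android user agents also contain “Linux”; that is the collateral to measure before turning “I’m under attack” off.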