So I’d like to start out by saying that Cloudflare Free is an amazing service: it makes your site faster and safer from attacks, but it is lacking in protection from HTTP floods and similar attacks. You are generally safe from Layer 3/4 attacks, because Cloudflare has the option of protecting either all customers or no customers from those attacks.
Luckily, if you have your own web server, you can install nginx and use some advanced techniques to protect it from attackers.
Example Configuration Files:
I’ve uploaded some example configuration files for this tutorial to my GitHub account. You may need to tweak them for your own purposes, but they should serve as an example for you.
Fail2ban: https://github.com/nsuchy/nginx-fail2ban (Note: update the action in jail.local from iptables to cloudflare, and adjust your email and API key in ‘action.d/cloudflare.conf’)
What methods are available to block an attack?
- Cloudflare’s I’m Under Attack Mode will block a large chunk of bad requests.
- Setting up rate limiting (both Cloudflare Rate Limiting, a paid feature, and nginx rate limits) will help block large bursts of requests and is a useful tool for singling out the bad IP addresses.
- Reduce the ‘timeout’ and ‘keepalive’ limits.
- Where practical, block the user-agent being used by the attacker. For example, if the attacker is using an outdated browser’s user-agent or something like ‘wordpress’, you are free to block it and only a small percentage of real users will find themselves blocked. You can always remove the rules after the attack ends.
- Use fail2ban to issue Cloudflare IP blocks for IP addresses that are constantly violating rate limits.
- Look for traits of the attack’s traffic and use nginx to block it.
- Where possible, develop your website ‘on the cloud’ and use those features to the fullest; for example, auto-scaling and load balancing make an attack a lot harder. Depending on how it’s implemented, your site can become a lot safer due to the increased capacity.
Which requests are the attackers?
184.108.40.206 - - [11/May/2017:17:05:26 -0400] "GET / HTTP/1.1" 503 206 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0"
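To show how the traits mentioned above (request bursts from one IP, an outdated user-agent) can be pulled out of lines in this format, here is an added Python example that is not part of the original tutorial or the linked fail2ban repository. It parses nginx’s combined log format, flags IPs that exceed a request count inside a sliding time window (the same idea fail2ban’s filter applies before issuing a block), and tallies user-agents; the log lines, IPs in the 192.0.2.0/24 documentation range, thresholds and user-agent strings are constructed for the example.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime
# nginx "combined" log format: the layout of the access-log line quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec

def find_flooders(lines, max_requests, window_seconds):
    """Return {ip: peak count} for IPs sending more than max_requests in any window_seconds span."""
    recent = defaultdict(deque)  # per-IP timestamps inside the current window (lines in time order)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the whole scan
        q = recent[rec["ip"]]
        q.append(rec["time"])
        while (rec["time"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # slide the window; memory stays bounded per IP
        if len(q) > max_requests:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged

def user_agent_counts(lines):
    """Requests per User-Agent, to spot one (often outdated) UA dominating the traffic."""
    return Counter(r["ua"] for r in map(parse_line, lines) if r is not None)

# Constructed sample: 192.0.2.10 sends 12 requests in 3 s with the old Firefox 38 UA; 192.0.2.20 sends 3 in a minute.
OLD_UA = "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0"
NEW_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
_line = lambda ip, ts, status, ua: f'{ip} - - [{ts} -0400] "GET / HTTP/1.1" {status} 206 "-" "{ua}"'
SAMPLE_LINES = (
    [_line("192.0.2.20", "11/May/2017:17:05:00", 200, NEW_UA)]
    + [_line("192.0.2.10", f"11/May/2017:17:05:{20 + i // 4:02d}", 503, OLD_UA) for i in range(12)]
    + [_line("192.0.2.20", f"11/May/2017:17:0{m}:{s:02d}", 200, NEW_UA) for m, s in ((5, 30), (6, 0))]
)
```

Running `find_flooders(SAMPLE_LINES, 10, 10)` flags only 192.0.2.10, and `user_agent_counts` shows the old Firefox 38 string dominating, which is the kind of trait you would then turn into an nginx block rule or a fail2ban jail threshold.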
Any questions, suggestions, comments, feedback, etc?
I look forward to any questions, suggestions, comments, feedback, etc. that you guys may have to offer. The tips in this tutorial offer practical mitigation at no cost to the end user, other than needing root access to the web server.