Under attack mode does not stop attack

Your Firewall Rules should say Or not And

1 Like

Thanks, i will change that.

1 Like

seems like i am going in the right direction now. Now it does block by country. I will keep track of this and see if anything comes through and block that. If nothing does this should mean i am blocking the ddos attack, right?

In theory you should now start to see lots being blocked and can now start to fine tune your rules, add ASNs and IPs etc as the picture becomes clearer.

As i can see at Firewall overvriew, everything is getting blocked now. But i am monitoring it. My host put the website back online and whitelisted the inbound connections from Cloudflare as suggested by @freitasm. However i still keeping getting this error and the website is still not working.

Error 524 info is here:

It now keeps hanging here, is it possible it had something to do with whitelisting ip-adresses by my host? I have had this same screen when the ddos attack fisrt started, but it kept on changing between 524 and 522.

Forgot to ad the screen

The checking browser screen will be because of “Under Attack Mode” and is correct.

The 524 screen is something different. Others may have better suggestions for that.

But the checking browser screen does not connect to the website but keeps hanging there, that was also the problem at first and why i started this topic. I first thought that might be because there was still a lot of overload because of the attack. But as i can see on my overview screen in Firewall everything is being blocked now. And the problem still is there.


Some additional info. How can i see in firewall rules what is blocking known bots, the link given is not helping me out how to find that.

My host said she whitelisted the ip-adresses but the server still went down. The Firewall overview is showing block on almost everything since i put firewall rules on countries and useragents. However the server still went down. My host is asking if there is anything else they can do to protect the server, since whitelisting the ip-adresses did not work.

A simple rule that would surely stop most if not all of it, is the following:

  1. Is not a CF BOT.
    AND
  2. Request version is in { UNK, 1.1 , 1.0 }

You will definitely hit some false positives by triggering 1.1, however, if it helps to stop 100% of the attack I guess having 2-5% of the users face a CAPTCHA is not too bad.

But the problem is that non of my users are able to visit the site. The server at my host went down, even though the ip-adresses where whitelisted and, as far as i can see, all the attacks are being blocked now by Cloudflare.

Then it seems like an issue you have to deal with your host, I advise getting a VPS if you have the required sysadmin skills.

Thanks, we are looking into this now. Do you know if there is any way i can block all the countries except for the one i am in and the ones surrounding?

I think there is an option: NOT IN, you could create a rule similar to:
if country NOT IN {your countries} then BLOCK

That would block all countries but the ones you chose can access your site.

1 Like

Use a Country IS NOT IN and create a list.

Your OR is blocking everything.

(not ip.geoip.country in {"NL" "BE"})

1 Like

Thanks, i can now finally acces my site again. I hope blocking all other countries help with the load on the server.
I followed this description and thought i did it right. Thanks for your help.

1 Like

What i want is that every country is blocked, except for the Netherlands and Belgium.