Under attack mode does not stop attack

Hi, since last night my website has been under a DDoS attack. I activated the Under Attack mode, and that has always worked in the past. My last DDoS attack was maybe 2 years ago. Now the Under Attack mode does not work. I can see the redirecting page, but it keeps loading there and does not continue to my website. My host pulled the site offline now because it is affecting other websites on the server. I blocked the top 5 countries that the attacks are coming from in the firewall rules, but that still did not work. What other things can I do, and why is the Under Attack mode not working?

May I ask what you mean by that?
How did you get to this conclusion?

Did you check whether the requests are hitting your origin host / server IP directly?

A good start.

May I suggest looking at the articles below, just in case:

Are the DNS records proxied (orange cloud) or not, and do you have any grey-cloud records, if so?


I activated the Under Attack mode and still was not able to reach my website, and neither was anyone else. The last time, I had numerous attacks over a period of weeks, and after activating the Under Attack mode my website was reachable in 5 to 10 minutes. Now it still wasn’t after 45 minutes. If I go to my website I can see the redirection page where Cloudflare is checking, but it does not redirect.

How do I check where the requests are hitting? My host said they were directed to my website. I have a crime news website and criminals are not always that into me. So this isn’t my first DDoS, but it is the first one that Under Attack mode does not stop. I am not really a tech wizard in all this.

I have used the firewall rules to block the countries that gave the most attacks. But I still see the countries doing attacks in my firewall overview. It does not say block at security level. And I don’t know how to see which user agents make the most attacks. My website has been down for a day now.

Have you configured your firewall to only allow connections from these IP addresses?

IP Ranges | Cloudflare

I’d advise posting images of all your analytics/information that Cloudflare gives, we are throwing blind guesses without them.


You mean I should only allow my own IP address? Because the whole website has already been taken down by the host now so the attack does not affect other websites on the server.

No, I mean the host should allow inbound connections from Cloudflare. This way no one could bypass the protection unless accessing directly via IP address (but still blocked at the firewall).
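One way to answer the question of where the requests are hitting, as an added example that is not part of the thread and not Cloudflare's own code: classify origin access-log lines by whether the connecting address belongs to Cloudflare. It assumes the log's first field is the TCP peer address (not a restored visitor IP), uses a partial snapshot of the published IPv4 ranges, and the function names and sample log lines are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumption: partial snapshot of Cloudflare's published IPv4 ranges.
# In real use, load the current complete list from the IP Ranges page.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "141.101.64.0/18",
    "108.162.192.0/18", "162.158.0.0/15", "104.16.0.0/13", "172.64.0.0/13",
)]

# Constructed sample in common log format. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for direct clients.
SAMPLE_LOG = """\
162.158.10.4 - - [01/Jan/2021:10:00:00 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 512
104.18.5.9 - - [01/Jan/2021:10:00:01 +0000] "GET /news HTTP/1.1" 200 900
203.0.113.7 - - [01/Jan/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 512
not-an-ip - - [01/Jan/2021:10:00:02 +0000] "GET / HTTP/1.1" 400 0
172.68.1.1 - - [01/Jan/2021:10:00:03 +0000] "GET / HTTP/1.1" 200 512
198.51.100.23 - - [01/Jan/2021:10:00:03 +0000] "GET / HTTP/1.1" 200 512
"""

def is_cloudflare(ip, ranges=CLOUDFLARE_RANGES):
    """True if ip falls inside one of the given proxy ranges."""
    addr = ipaddress.ip_address(ip)
    # A v6 address tested against a v4 network is simply "not in".
    return any(addr in net for net in ranges)

def classify(log_text, ranges=CLOUDFLARE_RANGES):
    """Return (requests via Cloudflare, Counter of direct-to-origin IPs)."""
    via_proxy, direct = 0, Counter()
    for line in log_text.splitlines():
        peer = line.split(" ", 1)[0]
        try:
            proxied = is_cloudflare(peer, ranges)
        except ValueError:
            continue  # first field is not an IP address: skip the line
        if proxied:
            via_proxy += 1
        else:
            direct[peer] += 1
    return via_proxy, direct

if __name__ == "__main__":
    via_proxy, direct = classify(SAMPLE_LOG)
    print(f"via Cloudflare: {via_proxy}, direct to origin: {sum(direct.values())}")
    for ip, hits in direct.most_common(5):
        print(f"  {ip}: {hits} requests bypassing the proxy")
```

Any non-zero "direct to origin" count means traffic is reaching the server without passing through Under Attack mode or the Firewall Rules, which is what restricting inbound connections at the host firewall is meant to stop.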

Your Firewall Rules should say Or, not And.


Thanks, I will change that.


Seems like I am going in the right direction now. Now it does block by country. I will keep track of this and see if anything comes through and block that. If nothing does, this should mean I am blocking the DDoS attack, right?

In theory you should now start to see lots being blocked and can now start to fine tune your rules, add ASNs and IPs etc as the picture becomes clearer.

As I can see in the Firewall overview, everything is getting blocked now. But I am monitoring it. My host put the website back online and whitelisted the inbound connections from Cloudflare as suggested by @freitasm. However, I still keep getting this error and the website is still not working.

Error 524 info is here:

It now keeps hanging here. Is it possible it has something to do with the whitelisting of IP addresses by my host? I had this same screen when the DDoS attack first started, but it kept on changing between 524 and 522.

Forgot to add the screen

The checking browser screen will be because of “Under Attack Mode” and is correct.

The 524 screen is something different. Others may have better suggestions for that.

But the checking browser screen does not connect to the website but keeps hanging there. That was also the problem at first and why I started this topic. I first thought that might be because there was still a lot of overload because of the attack. But as I can see on my overview screen in Firewall, everything is being blocked now. And the problem is still there.

Some additional info. How can I see in firewall rules what is blocking known bots? The link given is not helping me find that.

My host said she whitelisted the IP addresses but the server still went down. The Firewall overview is showing block on almost everything since I put firewall rules on countries and user agents. However, the server still went down. My host is asking if there is anything else they can do to protect the server, since whitelisting the IP addresses did not work.