Under attack mode does not stop attack

A simple rule that would surely stop most if not all of it, is the following:

  1. Is not a CF BOT.
  2. Request version is in { UNK, 1.1 , 1.0 }

You will definitely hit some false positives by triggering 1.1, however, if it helps to stop 100% of the attack I guess having 2-5% of the users face a CAPTCHA is not too bad.

But the problem is that non of my users are able to visit the site. The server at my host went down, even though the ip-adresses where whitelisted and, as far as i can see, all the attacks are being blocked now by Cloudflare.

Then it seems like an issue you have to deal with your host, I advise getting a VPS if you have the required sysadmin skills.

Thanks, we are looking into this now. Do you know if there is any way i can block all the countries except for the one i am in and the ones surrounding?

I think there is an option: NOT IN, you could create a rule similar to:
if country NOT IN {your countries} then BLOCK

That would block all countries but the ones you chose can access your site.

1 Like

Use a Country IS NOT IN and create a list.

Your OR is blocking everything.

(not ip.geoip.country in {"NL" "BE"})

1 Like

Thanks, i can now finally acces my site again. I hope blocking all other countries help with the load on the server.
I followed this description and thought i did it right. Thanks for your help.

1 Like

What i want is that every country is blocked, except for the Netherlands and Belgium.

Get the Ray ID or IP address from that Blocked screen and look it up in your Firewall Events Activity Log and that should show you why they’re blocked.


Your rule seems OK at first glance, It could be that the IP location is wrong on the CF database. Alternatively, another firewall rule is blocking those requests.

I’d follow sdayman suggestion and trace back what caused those blocks.

1 Like

I;ll check on that. I guess, since i am blocking all countries except Netherlands and Belgium. I can remove all other Firewall rules?

That’s correct, just make sure that the malicious traffic coming from those countries isn’t enough to bring your site down.

1 Like

Those blocks seem to be legitimate, if you believe that there might be false positives in the HTTP DDoS service I believe that you can report it.

The very first entry is a host IP address. The last entry looks to be an ISP.

The 130. that shows up a bunch is also hosting.

Ask her for a log of the traffic before the server went down again. If it was all whitelisted CF ips, then you can see if there’s any pattern in the malicious requests to block.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.