I am reaching out to you today as I find myself in dire need of expert assistance regarding a persistent DDoS (Distributed Denial of Service) attack on my API. Despite diligently following the security guides provided by Cloudflare, I am still experiencing relentless attacks on my domain and subdomains.
I have implemented the recommended security measures, such as enabling Cloudflare’s DDoS protection, rate limiting, firewall rules, and even fine-tuning the security settings for my domain. However, these efforts have not been sufficient in mitigating the ongoing DDoS attacks. It is affecting the stability and availability of my services, causing significant disruptions to my users and my business.
Given the gravity of the situation, I humbly request the expertise and guidance of the Cloudflare community to help me tackle this issue effectively. I have exhausted my own ideas and resources, and I believe that engaging with knowledgeable experts will provide me with fresh insights and potential solutions.
I kindly request any advice, best practices, or advanced techniques that can be employed to further safeguard my API and mitigate these relentless DDoS attacks. If there are additional steps or configurations that I might have overlooked, I would greatly appreciate guidance in identifying them.
I understand that Cloudflare offers numerous resources, such as documentation, tutorials, and support forums, which I have already explored extensively. However, I believe that engaging directly with experts from the Cloudflare community will provide me with specific insights tailored to my unique situation.
Thank you in advance for your time and consideration.
Hi, is this attack ongoing? Have you enabled Under Attack Mode? See Understanding Under Attack Mode. If you need to do manual blocking of the attack, your audit log and this article will help you construct rules to block the attack based on what you see in the audit log (country, IP, et al.): Mitigating an HTTP DDoS Attack manually with Cloudflare.
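To illustrate the "build rules from what you see in the audit log" step, here is an added example that is not from the thread or from Cloudflare. It takes a constructed sample of JSON-lines audit entries (field names `clientIP`, `country`, `path` are an assumption; map them to your export's actual fields), counts requests per source IP and per country, and renders a candidate block expression. The expression syntax (`ip.src in {...}`, `ip.geoip.country in {...}`) follows the Cloudflare rules language as I understand it; verify it against the current docs before pasting it into a custom rule.

```python
import json
from collections import Counter

# Constructed sample of audit-log style entries (JSON lines), not real traffic.
# Field names are an assumption; map them to whatever your export actually uses.
SAMPLE_LOG = """\
{"ts":"2023-06-01T10:00:00Z","clientIP":"198.51.100.7","country":"XA","path":"/api/login"}
{"ts":"2023-06-01T10:00:01Z","clientIP":"198.51.100.7","country":"XA","path":"/api/login"}
{"ts":"2023-06-01T10:00:01Z","clientIP":"203.0.113.9","country":"XB","path":"/api/search"}
{"ts":"2023-06-01T10:00:02Z","clientIP":"198.51.100.7","country":"XA","path":"/api/login"}
{"ts":"2023-06-01T10:00:02Z","clientIP":"192.0.2.10","country":"XA","path":"/api/health"}
{"ts":"2023-06-01T10:00:03Z","clientIP":"203.0.113.9","country":"XB","path":"/api/search"}
{"ts":"2023-06-01T10:00:03Z","clientIP":"198.51.100.7","country":"XA","path":"/api/login"}
{"ts":"2023-06-01T10:00:04Z","clientIP":"198.51.100.22","country":"XA","path":"/api/health"}
{"ts":"2023-06-01T10:00:04Z","clientIP":"203.0.113.9","country":"XB","path":"/api/search"}
{"ts":"2023-06-01T10:00:05Z","clientIP":"203.0.113.50","country":"XA","path":"/api/health"}
"""


def parse_entries(text):
    """Parse JSON-lines text into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def aggregate(entries, ip_threshold=3, country_threshold=5):
    """Return (noisy_ips, noisy_countries): sources whose request count meets
    the threshold. Thresholds are deliberately low for the tiny sample; tune
    them against your own baseline traffic before acting on the output."""
    ip_counts = Counter(e["clientIP"] for e in entries)
    country_counts = Counter(e["country"] for e in entries)
    noisy_ips = sorted(ip for ip, n in ip_counts.items() if n >= ip_threshold)
    noisy_countries = sorted(c for c, n in country_counts.items() if n >= country_threshold)
    return noisy_ips, noisy_countries


def build_block_expression(noisy_ips, noisy_countries):
    """Render a rule expression for the noisy sources. The set syntax
    (ip.src in {...}, ip.geoip.country in {...}) is assumed to match the
    Cloudflare rules language; check the current docs before deploying."""
    parts = []
    if noisy_ips:
        parts.append("(ip.src in {%s})" % " ".join(noisy_ips))
    if noisy_countries:
        quoted = " ".join('"%s"' % c for c in noisy_countries)
        parts.append("(ip.geoip.country in {%s})" % quoted)
    return " or ".join(parts)


def top_paths(entries, limit=3):
    """Most-requested paths, useful for scoping a rule to the endpoint under load."""
    return Counter(e["path"] for e in entries).most_common(limit)


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    ips, countries = aggregate(entries)
    print("noisy IPs:", ips)
    print("noisy countries:", countries)
    print("hot paths:", top_paths(entries))
    print("candidate rule:", build_block_expression(ips, countries))
```

Country-level blocks are blunt and will cut off legitimate users, so treat that part of the expression as a last resort and prefer narrowing by path (the `top_paths` output) plus a rate limit where the traffic is concentrated on one endpoint.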
Thanks for your reply. I will check these out.
Some extra info about my situation:
I am hosting my API on an AWS EC2 instance.
On the AWS dashboard I am only allowing HTTP connections that are IPv4s from Cloudflare.
Inside of my instance (Ubuntu) I also set the firewall rules to only accept HTTP from Cloudflare.
On the Cloudflare dashboard I added multiple WAF rules and Rate Limiting rules, and my DNS record for the API is proxied, but still they manage to find the public IP of the AWS EC2 instance.
I think they directly DDoS the IP, but I am so confused about:
How did they get it? It is being proxied via Cloudflare.
How can they send requests to it, since I only allow traffic from Cloudflare's IPs?
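A practical way to answer the second question is to check the origin's own web-server log: if the origin really only accepts connections from Cloudflare, every source address in that log should fall inside Cloudflare's published ranges. The example below is added here and is not from the thread, from Cloudflare or from AWS. It classifies constructed nginx-style access-log lines by whether the remote address is a Cloudflare edge, and generates the matching `ufw` allow rules. The list of Cloudflare ranges is an assumed snapshot; regenerate it from the live lists at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 rather than trusting a hard-coded copy.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed snapshot of Cloudflare's published IPv4 ranges. Regenerate from the
# live list (https://www.cloudflare.com/ips-v4) before using this for real.
CLOUDFLARE_IPV4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]

# Constructed nginx-style access-log lines as seen on the origin, not real traffic.
# When a request arrives through Cloudflare the remote address is the edge's
# address (the real client sits in the CF-Connecting-IP header), which is
# exactly what this check relies on.
SAMPLE_ACCESS_LOG = """\
172.69.10.5 - - [01/Jun/2023:10:00:00 +0000] "GET /api/health HTTP/1.1" 200 12 "-" "curl/8.0"
203.0.113.77 - - [01/Jun/2023:10:00:01 +0000] "GET /api/health HTTP/1.1" 200 12 "-" "python-requests/2.31"
162.158.4.9 - - [01/Jun/2023:10:00:01 +0000] "POST /api/login HTTP/1.1" 401 31 "-" "Mozilla/5.0"
203.0.113.77 - - [01/Jun/2023:10:00:02 +0000] "GET /api/health HTTP/1.1" 200 12 "-" "python-requests/2.31"
198.51.100.3 - - [01/Jun/2023:10:00:02 +0000] "GET /api/health HTTP/1.0" 200 12 "-" "-"
"""

LOG_RE = re.compile(r"^(\S+) ")  # remote address is the first field


def load_networks(cidrs):
    return [ip_network(c) for c in cidrs]


def is_cloudflare(ip, networks):
    """True when ip lies inside any of the given networks."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False  # malformed field: treat as not trusted
    return any(addr in net for net in networks)


def classify_log(text, networks):
    """Split log lines into (via_cloudflare, direct) counters keyed by source IP.
    Anything in 'direct' reached the origin without passing through the proxy."""
    via, direct = Counter(), Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src = m.group(1)
        (via if is_cloudflare(src, networks) else direct)[src] += 1
    return via, direct


def ufw_rules(cidrs, ports=(80, 443)):
    """Generate ufw allow rules restricting the web ports to the given ranges.
    Pair with 'ufw default deny incoming' so everything else is dropped."""
    return [
        f"ufw allow from {cidr} to any port {port} proto tcp"
        for cidr in cidrs for port in ports
    ]


if __name__ == "__main__":
    nets = load_networks(CLOUDFLARE_IPV4)
    via, direct = classify_log(SAMPLE_ACCESS_LOG, nets)
    print("via Cloudflare:", dict(via))
    print("direct to origin:", dict(direct))
    for rule in ufw_rules(CLOUDFLARE_IPV4):
        print(rule)
```

Two outcomes are informative. If `direct` is non-empty, the security group or host firewall is not restricting what you think it is (for example a rule for one port but not the other, or a stale range list), and the generated `ufw` rules plus a matching security-group review are the fix. If `direct` is empty while the instance is still saturated, the flood is being dropped before it reaches the web server and is consuming capacity at the network layer, which is why the advice in this thread is to have the origin address changed rather than to add more application-layer rules.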
If they are hitting your origin IP directly, they are doing so based on historical IP. You should ask your hosting provider to change your origin IP address. Tools like https://securitytrails.com/ can be used to look at the public history of your site (nameservers, IP, et al.), and bad actors can use that information to attack your origin, bypassing Cloudflare.
And this is perplexing if the origin is locked down as you describe; I am going to phone a friend for another set of eyes on this.
Hi @Lander I have talked with my colleague about this and they’d like to run some additional tests and communicate with you privately on a ticket.
I have created ticket 2817486 on your behalf and you will have received a copy of it. Can you add the domain name to that ticket and any other details you’d like to share privately with the Support team? I am also copied on the ticket and will be automatically notified of updates in order to track progress.
Hey @cloonan, I haven't received a response from your colleague or anyone else yet on my ticket after all this time. Can you please tell someone to look at my case? I really still need help on this. Thank you for your time.