I was wondering if the WAF from CF PRO actually helped against DDoS attacks, or it’s just against vulnerabilities and other bad bots.
There’s no magic pill, but it does help. A DDoS attack can have many forms. If you believe you are currently under attack, you should describe in more detail what kinds of requests are being made; there are many ways a combination of CF tools can help you.
You can use these tools to block or captcha requests from specific countries, IPs, IP ranges, ASNs, user agents. You can also restrict access to specific URLs or whole areas of your site.
Major issue that I have right now is that I have to manually enable the UAM, otherwise my website never comes back up.
I received an attack in which a single IP sent over 300k requests in a couple of minutes, I enabled UAM and my website was back up, but still… If I happen to be sleeping or away and a DDoS occurs, I know my website won’t be online.
There are a few strategies you may try:
Check their IP addresses using a tool such as https://bgp.he.net/ and identify the ASNs they belong to. If the ASNs are associated with a hosting provider, you may safely create a challenge to captcha these ASNs. Real visitors don’t visit your site via another site, only hackers do (after taking control of a site). This may impact certain online services that are hosted by the same ASN, but you can always whitelist individual IP addresses, even if temporarily, to let these services in.
Challenge anyone not coming from the countries where your site’s target visitors are based.
Challenge anyone requesting certain URLs.
You may combine these and other conditions in one or two Firewall Rules.
You may also try a strategy where you challenge everyone not matching a few criteria. I describe one such rule here:
Thank you for your help; unfortunately, those attacks are carried out by a botnet powered by “normal” IPs, it’s just too widespread for me to block ISPs or ASNs.
I tried to challenge any IP that surpasses specific threat score, but it does not seem to get triggered much (>=10 atm).
Ultimately I noticed that many bots are not capable of making requests that are TLS 1.2; that seemed to work, but still, some malicious bots managed to go through the firewall, taking my site down.
I thought of coding a script that challenges/blocks IPs that make many requests per second for a prolonged threshold of time.
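One way to implement the rate-based check described in the last post, as an added example that is not code from this thread or from Cloudflare: a sliding-window detector that flags only IPs whose request rate stays above a threshold for a sustained period, run over constructed log lines. The log format, the sample addresses and the thresholds are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample log (assumed format): "<client_ip> <unix_time_ms> <method> <path>".
# 203.0.113.7 sends 10 requests/s for 5 s; 198.51.100.9 browses normally.
SAMPLE_LOG = "\n".join(
    [f"203.0.113.7 {1_000_000 + i * 100} GET /wp-login.php" for i in range(50)]
    + [f"198.51.100.9 {1_000_000 + i * 2000} GET /index.html" for i in range(5)]
)

def parse_lines(text):
    """Yield (ip, ts_ms) pairs; malformed lines are skipped rather than fatal."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            yield parts[0], int(parts[1])

def find_flooding_ips(text, max_rps=5, window_ms=1000, sustain_ms=3000):
    """Return {ip: ts_ms} for IPs whose sliding-window request rate stays
    above max_rps for at least sustain_ms; the value is the time of flagging.
    A short burst that drops back under the rate does not trigger (streak resets)."""
    recent = defaultdict(deque)   # ip -> request timestamps inside the current window
    over_since = {}               # ip -> timestamp when the rate first went over
    flagged = {}
    for ip, ts in sorted(parse_lines(text), key=lambda r: r[1]):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window_ms:   # drop requests older than the window
            q.popleft()
        rate = len(q) * 1000 / window_ms
        if rate > max_rps:
            over_since.setdefault(ip, ts)
            if ip not in flagged and ts - over_since[ip] >= sustain_ms:
                flagged[ip] = ts
        else:
            over_since.pop(ip, None)   # rate fell back under the limit: streak broken
    return flagged

if __name__ == "__main__":
    for ip, ts in find_flooding_ips(SAMPLE_LOG).items():
        print(f"challenge {ip} (sustained flood detected at t={ts} ms)")
```

The flagged addresses would then be fed into a challenge or block rule; the sustain window is what keeps a legitimate burst (a page with many assets) from being treated like a flood.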