What is the domain name?
Prefer not to disclose.
Have you searched for an answer?
Please share your search results url:
- cloudflare waf rate limiting - Google Search
- cloudflare waf letting dos through - Google Search
- cloudflare waf not stopping repeated requests - Google Search
When you tested your domain, what were the results?
I don’t think this is applicable.
Describe the issue you are having:
In our SaaS, we had a user abusing a URL by sending the exact same request (which caused an HTTP 5xx) 10-15 times every second. This was with a logged-in user account, and most probably done with browser automation.
I’d have expected Cloudflare’s WAF to eventually start showing a challenge and even block these requests, since they were completely unusual for the site, and the same IP/user agent suddenly sending the same request 15 times a second, with those requests causing a 5xx response, is quite suspicious. This was not a distributed DoS; all requests were from the same client.
However, this didn’t happen until I manually intervened (see below), despite Bot Fight Mode being ON and us having no DDoS overrides. Is this normal? Would CF only start rejecting requests if we configured rate limiting?
What error message or number are you receiving?
There’s no error from CF.
What steps have you taken to resolve the issue?
Added a WAF custom rule to block these requests. I did NOT try Under Attack Mode.
Was the site working with SSL prior to adding it to Cloudflare?
Yes, but my issue is not related to SSL (the site is served exclusively via HTTPS).
What are the steps to reproduce the error:
I’ve added my best guess above.
Have you tried from another browser and/or incognito mode?
Please attach a screenshot of the error:
There is no error from CF.
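The pattern described in the post (one IP and user agent repeating a request that fails with a 5xx, well above normal rates) is something you can confirm from your own request logs and then address with a rate limiting rule rather than a one-off custom rule. The block below is an added example, not the poster's code or anything from Cloudflare: it runs a sliding-window detector over constructed log lines that use Cloudflare Logpush-style field names, and builds the rate limiting rule object for the `http_ratelimit` phase. The rule's field names and `ratelimit` object shape are assumed to follow the Cloudflare rulesets API, and the 10-second period reflects the smallest period Cloudflare allows, so the threshold is per 10 s rather than per second.

```python
"""Added example (not from the original post): flag one client hammering a
single URL with 5xx results, and build the Cloudflare rate limiting rule that
would stop it at the edge. Sample traffic below is constructed."""
from collections import defaultdict, deque
import json

BASE_MS = 1_700_000_000_000  # epoch milliseconds for the constructed traffic


def build_sample_logs():
    """Constructed log lines in the shape of Cloudflare HTTP request logs
    (Logpush field names; EdgeStartTimestamp in epoch milliseconds)."""
    records = []
    # Abusive client: same URL, same UA, 15 requests per second for 3 seconds, all 500.
    for sec in range(3):
        for i in range(15):
            records.append({
                "ClientIP": "203.0.113.7",
                "ClientRequestUserAgent": "Mozilla/5.0 HeadlessChrome/120.0",
                "ClientRequestPath": "/api/export",
                "EdgeResponseStatus": 500,
                "EdgeStartTimestamp": BASE_MS + sec * 1000 + i * 66,
            })
    # Benign client: a few dashboard loads, one of which happens to fail.
    for n in range(5):
        records.append({
            "ClientIP": "198.51.100.4",
            "ClientRequestUserAgent": "Mozilla/5.0 (Windows NT 10.0) Firefox/121.0",
            "ClientRequestPath": "/dashboard",
            "EdgeResponseStatus": 500 if n == 2 else 200,
            "EdgeStartTimestamp": BASE_MS + n * 2000,
        })
    return [json.dumps(r) for r in records]


def find_abusive_clients(lines, period_ms=1000, threshold=10):
    """Sliding-window count of 5xx responses per (IP, user agent, path).

    Returns {(ip, ua, path): peak_count} for keys whose number of 5xx
    responses inside any window of period_ms reached threshold."""
    records = sorted((json.loads(line) for line in lines),
                     key=lambda r: r["EdgeStartTimestamp"])
    windows = defaultdict(deque)
    peak = {}
    for rec in records:
        if rec["EdgeResponseStatus"] < 500:
            continue  # only failing requests count
        key = (rec["ClientIP"], rec["ClientRequestUserAgent"], rec["ClientRequestPath"])
        ts = rec["EdgeStartTimestamp"]
        w = windows[key]
        w.append(ts)
        while ts - w[0] >= period_ms:  # drop entries that fell out of the window
            w.popleft()
        if len(w) > peak.get(key, 0):
            peak[key] = len(w)
    return {k: n for k, n in peak.items() if n >= threshold}


def rate_limit_rule(path, threshold, period_s=10, timeout_s=600):
    """Rate limiting rule for the http_ratelimit phase, counting only 5xx
    responses for one path, keyed on client IP plus user agent.

    Assumption: field names and the ratelimit object follow Cloudflare's
    rulesets API; period must be one of the values Cloudflare allows (10 s is
    the smallest), so threshold is requests per 10 s, not per second."""
    return {
        "description": f"Block clients causing repeated 5xx on {path}",
        "expression": f'http.request.uri.path eq "{path}"',
        "action": "block",
        "ratelimit": {
            "characteristics": ["cf.colo.id", "ip.src", "http.user_agent"],
            "period": period_s,
            "requests_per_period": threshold,
            "mitigation_timeout": timeout_s,
            "counting_expression": (f'http.request.uri.path eq "{path}" '
                                    'and http.response.code ge 500'),
        },
    }


if __name__ == "__main__":
    hits = find_abusive_clients(build_sample_logs())
    for (ip, ua, path), n in hits.items():
        print(f"{ip} {ua!r} {path}: peak {n} 5xx per second")
        print(json.dumps(rate_limit_rule(path, threshold=20), indent=2))
```

Two caveats worth knowing before copying the rule: counting on response fields (`http.response.code`) and keying on anything beyond the client IP are advanced rate limiting features whose availability depends on your Cloudflare plan, and a user-agent string is trivial for an automation client to rotate, so IP plus a session or API-key header is usually a more robust characteristic when the abuser is a logged-in user.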