WAF letting abusive (DoS) requests through

Answer these questions to help the Community help you with Security questions.

What is the domain name?

Prefer not to disclose.

Have you searched for an answer?

Yes.

Please share your search results url:

When you tested your domain, what were the results?
I don’t think this is applicable.

Describe the issue you are having:

In our SaaS, we had a user abusing a URL by sending the exact same request (which caused an HTTP 5xx) 10-15 times every second. This was with a logged-in user account, and most likely done with browser automation.

I’d have expected Cloudflare’s WAF to eventually start showing a challenge and even block these requests, since they were completely unusual for the site, and the same IP/user agent suddenly sending the same request 15 times a second, with those requests causing a 5xx response, is quite suspicious. This was not a distributed DoS; all requests were from the same client.

However, this didn’t happen until I manually intervened (see below), despite Bot Fight Mode being ON and us having no DDoS overrides. Is this normal? Would CF only start rejecting requests if we configured rate limiting?

What error message or number are you receiving?
There’s no error from CF.

What steps have you taken to resolve the issue?

Added a WAF custom rule to block these requests. I did NOT try Under Attack Mode.

Was the site working with SSL prior to adding it to Cloudflare?
Yes, but my issue is not related to SSL (the site is served exclusively via HTTPS).

What are the steps to reproduce the error:

I’ve added my best guess above.

Have you tried from another browser and/or incognito mode?

No.

Please attach a screenshot of the error:

There is no error from CF.

The WAF is stateless and operates on a request-by-request basis against a set of rules; it can’t build an IP’s reputation over a number of requests or over time, or profile your site. At just 10-15 requests per second from the same source, DoS mitigations aren’t going to kick in.

You can use rate limiting (fairly limited in features on a free account), or you can build some intelligence on your origin to spot this sort of low-level abuse and redirect to something that forces a challenge, or use the Cloudflare API to update the WAF dynamically.

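The reply above suggests building the missing "intelligence" on the origin, since the WAF itself does not count requests per client. The following is an added example (not Cloudflare's code and not from the original post) of what that looks like: a sliding-window detector run over constructed access-log lines that flags a single client replaying one request and collecting 5xx responses, and two mitigations it can hand to Cloudflare, a WAF custom rule expression pinned to that client and request, and a rate limiting rule payload for the same path. The log format, the thresholds, and the rate-limit payload field names (taken from the public Rulesets API shape as understood here) are assumptions of this example; the rule-language fields `ip.src`, `http.request.method`, `http.request.uri.path` and `http.user_agent` are documented Cloudflare fields.

```python
from collections import defaultdict, deque

# Thresholds chosen for this example (assumptions): at least 10 requests in one
# second from the same client to the same URL, at least 5 of them answered 5xx.
WINDOW_SECONDS = 1.0
MIN_REQUESTS = 10
MIN_SERVER_ERRORS = 5


def build_sample_log():
    """Constructed access-log lines in the assumed format
    'timestamp ip status method path user_agent'. A few ordinary requests,
    then one logged-in client replaying the same POST 15 times a second for
    two seconds and getting HTTP 500 every time (the pattern from the thread)."""
    lines = [
        "100.00 203.0.113.7 200 GET /dashboard Mozilla/5.0",
        "100.30 203.0.113.7 200 GET /api/export Mozilla/5.0",
        "100.50 192.0.2.44 200 POST /api/export Mozilla/5.0",
        "100.90 203.0.113.7 302 POST /logout Mozilla/5.0",
    ]
    for i in range(30):  # 30 requests spread over 2 s = 15 r/s
        ts = 101.0 + i / 15
        lines.append(f"{ts:.2f} 198.51.100.9 500 POST /api/export HeadlessChrome/120")
    return lines


def parse_line(line):
    """Split one log line into its fields; the user agent may contain spaces."""
    ts, ip, status, method, path, ua = line.split(" ", 5)
    return float(ts), ip, int(status), method, path, ua


def detect_repeat_abuse(lines, window=WINDOW_SECONDS,
                        min_requests=MIN_REQUESTS, min_5xx=MIN_SERVER_ERRORS):
    """Keep a sliding window per (ip, user_agent, method, path). A key is flagged
    the first time its window holds >= min_requests entries of which >= min_5xx
    produced a 5xx. Returns {key: timestamp_at_which_it_was_flagged}."""
    windows = defaultdict(deque)  # key -> deque of (timestamp, was_5xx)
    flagged = {}
    for line in lines:
        ts, ip, status, method, path, ua = parse_line(line)
        key = (ip, ua, method, path)
        q = windows[key]
        q.append((ts, status >= 500))
        while q and ts - q[0][0] > window:  # drop entries older than the window
            q.popleft()
        if key not in flagged and len(q) >= min_requests:
            if sum(1 for _, err in q if err) >= min_5xx:
                flagged[key] = ts
    return flagged


def waf_block_expression(key):
    """WAF custom rule expression matching exactly this client and request,
    suitable for a 'block' or 'managed_challenge' action. Pinning the rule to
    IP, UA, method and path keeps it from catching other users of the URL."""
    ip, ua, method, path = key
    return (f'(ip.src eq {ip} and http.request.method eq "{method}" '
            f'and http.request.uri.path eq "{path}" and http.user_agent eq "{ua}")')


def ratelimit_rule(path, requests_per_period=20, period=10, mitigation_timeout=600):
    """Rate limiting rule payload (assumed Rulesets API shape): count requests
    per source IP to the path and block the IP for mitigation_timeout seconds
    once it exceeds requests_per_period within period seconds. Allowed period
    and timeout values depend on the plan; these are example values."""
    return {
        "description": f"Throttle repeated hits on {path}",
        "expression": f'(http.request.uri.path eq "{path}")',
        "action": "block",
        "ratelimit": {
            "characteristics": ["cf.colo.id", "ip.src"],
            "period": period,
            "requests_per_period": requests_per_period,
            "mitigation_timeout": mitigation_timeout,
        },
    }


if __name__ == "__main__":
    for key, when in detect_repeat_abuse(build_sample_log()).items():
        print(f"flagged {key} at t={when}")
        print("custom rule:", waf_block_expression(key))
        print("rate limit :", ratelimit_rule(key[3]))
```

The ordinary users never reach ten requests in a one-second window, so only the replaying client is flagged, and it is flagged on its tenth identical request (0.6 s in), long before any global DDoS heuristic would notice 15 r/s. The expression returned by `waf_block_expression` is what you would push through the API to update the WAF dynamically; `ratelimit_rule` is the standing alternative that does not need the origin to detect anything first.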

I see, thanks. Would DoS mitigations be activated at a higher request rate? We did add some custom intelligence on the origin but it’d be great to catch these still in CF.

It would trigger if it matches a DDoS rule. We have some explanation of how in this article:

How DDoS protection Works

Thanks! After checking out the docs page it seems that the offending requests should’ve been caught, no? There is no explicit mention of a request rate threshold, just that it’ll be taken into account too. While I understand that 10-15 r/s is not a huge attack (it was actually due to a mistake rather than malice), the pattern it showed was still one of abuse, I think (repeating the exact same request from the same IP 15 times a second, causing an HTTP 500 response, all of this without a prior example for this site).

The rules that we have for DDoS protection are global, and the rules have to account for all sites on our network. This traffic was definitely a problem, and could have been malicious for your site, but for another site this could be expected traffic for the service that they are offering.

Even with our DDoS rules being set to catch traffic that we are confident in calling malicious, we still allow for DDoS exceptions because for some sites that traffic is legitimate and wanted.

For situations like yours where the traffic is not enough to trigger a DDoS attack but enough to affect your site you would want to create a Rate Limiting rule.


I see, thanks.

