Website getting hit by ddos attacks - would a paid plan help me?

1st time: many user agents and IPs hitting these URLs

grep '20/Mar/2023:23:2[5-8]' access.log.1 | awk '{print $7}' | sort | uniq -c | sort -n
   7570 GET /?q=N4w2xXFAoDdlRzb17iahVoKpFkK2dzICeLHwS4fA HTTP/1.1
   8208 GET /?true=osdMJlPK0wl2TjX63IsoLrHMhxnaADKCnlpLokKK HTTP/1.1
   8240 GET /?s=1WJfpcUM0YsSbYknmwtpEDmxtwjvq6RNAVEk2Awa HTTP/1.1
   8330 GET /?J8XsihkK254DsWQ&&BExwsiR7RrEATtB3O0tEBQCXd HTTP/1.1
   8470 GET /?B9I3FQsnHMiGW9hx6PkEARrZKNaeS6DXIiumzAkS HTTP/1.1
   8700 GET /?ZFzYjWFu73VRZ7f&X9Mq6kcl0rdmpQSyVkLahXoBf HTTP/1.1
   9222 GET /?b2SZkYpGPvGhEr9andivVjTwTKz4b2dznGWdL0BUi9A HTTP/1.1
   9560 GET //?t9fNwnAhcGLzURgandGJJsopEmBX9zDN2p9ZbJAy663 HTTP/1.1
   9940 GET /?q=eTOYqDldzNJPPFzezsCAFCIlpmvrqAT3EyGwH33T HTTP/1.1
  10433 GET /?s=uMddHP4DKDCa0nl?gCZr23zQ646ifxJ20mDvK30Bt HTTP/1.1

2nd time: many user agents and IPs hitting these URLs

grep '21/Mar/2023:07:1[4-5]' access.log | awk '{print $7}' | sort | uniq -c | sort -n
   6296 /?q=k6OGveSp9JNZnS3&1rVVPeXkZlMEvhrnoj0osiEV5
   6563 //?v4GAl4EWLZzE7lh&orZVcsPA2bGm0QrJuEx079v2U
   7230 /?true=dDunNQutK3ZRCB8?3AFuWOFSVvpfc5ak7hmGy2cL7
   8379 /?SJP2DHDK3FmnRcs=IklVqdTMPZbPgCYfW3BFUNvbS
   8952 /?true=yrv6P6CfWlUykiJVDUL1w6burqk06YvsjBVag5AL
   9256 /?q=XlmJJWfTSV6avxY+FAD0yiPKq9S7WCPSNZv5bWDWM
   9280 /?true=2kNjLU6nSA9XF4fiWy1qmlfsLW6V56ICyBjP5yEN
   9536 /?EQ9tqCLV5vLkxd9jhii4YGheBB5l0oACKASL8Y30
   9552 /?true=X9q18q1mEGZB2vq?IeeI1PQo8HN99LY7lyr3jeMtu
   9672 /?s=smDLWh1M15N6P37&&WWU1VUnFHUmbOeVHr2mnZWlUI
  10152 //?Ke3Rf2PZWXP2GSd=mbNPaTVB9KGsFIwTO3lkJFIs4
  10864 /?true=uc9QLfkM1Oe1ZhK&RIboUvpUEaOLmCcRKELn1wKav
  11104 /?DB6fosMqlVMmWJG&64Txquv4VDCDRGX6wJn3WKKeD
  14441 //?ACNakQTtHJSH1OG+Y0l4Ll85kS8BJ7xd9NBpPrcWe

3rd time - 1 user agent requesting “/”. The issue is that this user agent visits regularly when there aren’t spikes.

grep '21/Mar/2023:08:20\|21/Mar/2023:08:21' access.log | awk -F'"' '{print $6}' | sort | uniq -c | sort -n
 654858 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
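The grep | awk | sort | uniq -c pipelines above, reproduced in Python as an added example that is not part of the original post: it parses constructed Combined Log Format lines (not the poster's real log), counts URIs and user agents inside a time window, and additionally flags URIs whose query string is the kind of long random token seen in the output, which defeats caching because every request is a distinct URL. `parse_line`, `analyze`, the sample lines and the 30-character threshold are assumptions for this example.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Combined Log Format line; the sample lines below are constructed, not from the thread's server.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]+" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Query string that is one bare token, or key=token, where the token is a long (>= 30 char)
# random-looking string: the cache-busting shape in the thread's grep output. Real search
# queries such as /?s=hello are far shorter and are not flagged. The threshold is an assumption.
RANDOM_QUERY_RE = re.compile(r'^/+\?(?:[A-Za-z0-9]+=)?[A-Za-z0-9?&+]{30,}$')

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def analyze(lines, window_start, window_end, min_hits=3):
    """Count URIs and user agents for lines inside [window_start, window_end) and
    flag URIs whose query string looks like a random cache-busting token."""
    uris, uas, ips = Counter(), Counter(), set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not (window_start <= rec["ts"] < window_end):
            continue
        uris[rec["uri"]] += 1
        uas[rec["ua"]] += 1
        ips.add(rec["ip"])
    flagged = {u: n for u, n in uris.items() if n >= min_hits and RANDOM_QUERY_RE.match(u)}
    return {"total": sum(uris.values()), "unique_ips": len(ips),
            "top_uris": uris.most_common(3), "top_uas": uas.most_common(3),
            "random_query_uris": flagged}

def make_line(ip, ts, uri, ua):
    return f'{ip} - - [{ts}] "GET {uri} HTTP/1.1" 200 512 "-" "{ua}"'

# Constructed sample: two floods of random-query URIs inside the window, one normal page
# view, and one flood line outside the window (the query tokens copy the thread's output).
TS = "20/Mar/2023:23:26:{:02d} +0000"
FLOOD_A = "/?q=N4w2xXFAoDdlRzb17iahVoKpFkK2dzICeLHwS4fA"
FLOOD_B = "//?t9fNwnAhcGLzURgandGJJsopEmBX9zDN2p9ZbJAy663"
SAMPLE_LOG = (
    [make_line(f"203.0.113.{i}", TS.format(i), FLOOD_A, "curl/7.88.1") for i in range(5)]
    + [make_line(f"198.51.100.{i}", TS.format(i), FLOOD_B, "Mozilla/5.0 (Windows NT 10.0)") for i in range(4)]
    + [make_line("192.0.2.7", TS.format(30), "/about", "Mozilla/5.0 (X11; Linux x86_64)")]
    + [make_line("192.0.2.8", "20/Mar/2023:23:40:00 +0000", FLOOD_A, "curl/7.88.1")]
)
WINDOW_START = datetime(2023, 3, 20, 23, 25, tzinfo=timezone.utc)
WINDOW_END = datetime(2023, 3, 20, 23, 29, tzinfo=timezone.utc)
```

Pointed at a real `access.log` (one line per list element) and the spike window from the thread, `analyze` gives the same top-URI table as the pipeline plus the list of URIs worth a cache-bypass or WAF rule.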

The PRO plan would make monitoring the traffic and building custom rules much easier thanks to the security insights/waf overview tabs.

Now that SBFM is also customizable, I suspect it would help a lot with mitigating attacks as well.

2 Likes

Thanks @jnperamo - just tried to upgrade to pro and received:
“The zone you are trying to open a subscription for is banned”

I emailed billing to see if they can assist.

1 Like

Did you get any ticket ID? If so, please share it and I will escalate the ticket.

1 Like

Got a reply that you can’t email billing 🙂

I opened a support ticket through the website:

  • Ticket ID: 2741866
1 Like

I escalated the ticket so hopefully you will hear back soon.

In the meantime, are the attacks affecting your website's performance right now?

I’m not getting hit right now, but when they do it destroys it. If you can see our traffic stats you can see we get hammered when it happens. You can compare to the timestamps in my original post.

[image: ddos-last_24_hrs]

If you receive a similar attack in the future, try adding this firewall rule in your dashboard:

(
    (http.request.method eq "GET" and (http.request.uri.query contains "q=" or http.request.uri.query contains "true=") and cf.threat_score gt 0)
    or
    (http.request.uri.path eq "/" and http.user_agent eq "MALICIOUS_UA" and cf.threat_score gt 0 and http.request.version in {"HTTP/1.0" "HTTP/1.1" "HTTP/1.2"})
    or
    (http.user_agent contains "Gecko/20100101 Firefox/111.0" and cf.threat_score gt 0)
)

You can add it here:
Security > WAF > Create rule

The rule name doesn’t matter; click on Edit expression and copy-paste the rule I gave.
For the action, I’d start with Managed Challenge, and if that doesn’t work, I’d use CAPTCHA.

To give some sense of the rule, it will work as follows:

  1. The first condition checks if the HTTP request method is “GET” and if the URI query contains either “q=” or “true=”. If both of these conditions are true and the Cloudflare threat score is greater than 0, the request is matched and the action is executed.
  2. The second condition checks if the HTTP request path is “/”, the user agent is “MALICIOUS_UA”, the Cloudflare threat score is greater than 0, and the HTTP version is either “HTTP/1.0”, “HTTP/1.1”, or “HTTP/1.2”. If all of these conditions are true, the request is matched and the action is executed.
  3. The third condition checks if the user agent contains the string “Gecko/20100101 Firefox/111.0” and if the Cloudflare threat score is greater than 0. If both of these conditions are true, the request is flagged.

Note that you need to update MALICIOUS_UA to whatever UA you observe during the attack.

5 Likes

Thanks man!

2 Likes

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.