Website is attacked by PassDDos

Hello,

I’m using Firewall rule to Challenge all IPs. Of course, I have turn on Proxy Cloud icon in DNS record. But when i see “Visitors” in cPanel of my host, there are too many traffics like this: “https://mywebsite.com/?=Best_HTTP_Flooder_For_FREE_by_PassDDoS17283”. My domain is off.

I also try to turn on “I’m under attack mode”, but many IPs can pass my Firewall Rule. I don’t understand.

Please help me! Thank you!

  1. If your server doesn’t firewall all traffic that doesn’t come from Cloudflare IP addresses, attackers might be bypassing Cloudflare and attacking your site directly.
    https://www.cloudflare.com/ips/
  2. You can create a Firewall Rule to block any request with that ddos phrase in the URL.

2 Likes

Thank you for your support,

I have just created this Fire wall rule. This solution seem not effective. There are too many IPs can pass Cloudflare and inundate cPanel.

3 days ago, my website is attacked by over 10 millions traffics/ 24h. Since this attack, Cloudflare maybe blocks and does not support my website. I don’t know if Cloudflare limits the size of DDoS? I need upgrade my tier?

Thank you!

No, Cloudflare has unlimited DDoS mitigation for all plans, even Free.

Have you actually tested the firewall rule? It blocked my request.

Thank you for your support,

I have just created this Firewall rule (URI query contains). This solution seem not effective. This firewall rule only block some of millions traffics.

In “Visitors” of cPanel on my hosting, so many traffics with “Refering URL” like this “http://www.usatoday.com/search/results?q=http://172.96.XXX.XXX”, i have also created Firewall rule to block all Referer which contains “172.96.XXX.XXX”. But Not effective also.

Please help me! Thank you very much!

As I demonstrated, the Firewall Rule works. This really looks like they’re bypassing Cloudflare as I suggested in my original reply. Is 172.96 the IP address of your server?

yes, 172.96.XXX.XXX is my IP of Cloud Compute Hosting. Maybe, this attached can pass Cloudflare. I have add the PHP code in .htaccess:

RewriteCond %{HTTP_REFERER} .172.96 [NC,OR]

I want to block all traffics from Referer which contains string 172.96. But not working also. Could you give some guide.

Thank you very much!

Cloudflare can’t protect against direct attacks on your server’s IP address. You need to have your host block all requests not coming from Cloudflare IP addresses.

Hello,

I have added this PHP code in .htaccess to allow Cloudflare IPs and block other:

#Allow Cloudflare IPs and Deny other
order deny,allow
allow from 173.245.48.0/20
allow from 103.21.244.0/22
allow from 103.22.200.0/22
allow from 103.31.4.0/22
allow from 141.101.64.0/18
allow from 108.162.192.0/18
allow from 190.93.240.0/20
allow from 188.114.96.0/20
allow from 197.234.240.0/22
allow from 198.41.128.0/17
allow from 162.158.0.0/15
allow from 104.16.0.0/12
allow from 172.64.0.0/13
allow from 131.0.72.0/22
deny from all

But It block all. 500 Internal Server Error. Please guide me!!! Thank you very much!

Hi there,

This type of htaccess block will not help as from what I see you’re getting the Header IP of the clients. If you have VPS/Dedicated server I would suggest to block all incoming requests to 443 and 80 ports via IPTables and allow only CloudFlare IPs.

If you have SSH access to your server, you can use the following commands:

iptables -A INPUT -p tcp --dport 80 -s 173.245.48.0/20 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -s 103.21.244.0/22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -s 103.22.200.0/22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -s 103.31.4.0/22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -s 141.101.64.0/18 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -s 108.162.192.0/18 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -s 190.93.240.0/20 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -s 188.114.96.0/20 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -s 197.234.240.0/22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -s 198.41.128.0/17 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -s 162.158.0.0/15 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -s 104.16.0.0/12 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -s 172.64.0.0/13 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -s 131.0.72.0/22 -j ACCEPT

iptables -A INPUT -p tcp --dport 443 -s 173.245.48.0/20 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 103.21.244.0/22 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 103.22.200.0/22 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 103.31.4.0/22 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 141.101.64.0/18 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 108.162.192.0/18 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 190.93.240.0/20 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 188.114.96.0/20 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 197.234.240.0/22 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 198.41.128.0/17 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 162.158.0.0/15 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 104.16.0.0/12 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 172.64.0.0/13 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 131.0.72.0/22 -j ACCEPT

iptables -A INPUT -p tcp --dport 80 -j DROP

iptables -A INPUT -p tcp --dport 443 -j DROP

Important NOTE: This will drop any connection coming directly to your server under 80 and 443 ports, if you have any other website hosted under your server which is not on CloudFlare, the above actions will make those websites inaccessible.

3 Likes

This topic was automatically closed after 30 days. New replies are no longer allowed.