What is the solution when Tier-1 country REAL ISP IPs are making many search attempts?

Hello,
I realized that in the Pro plan there is no option to stop the USA/UK/CA/AU… IPs from REAL ISPs when they are sending huge numbers of search requests to the web server.
Rate limiting is not an option if you have tried it once and you have tens of millions of blocked items :wink: [you know why!!]. In fact rate limiting causes so many complaints, and of course when it goes to several million you have to pay several Enterprise plans' worth of bills!!!

Is there any option to stop Verizon/Spectrum/Sky… ISPs' individual IPs which are requesting hundreds of searches/min?

This should become a package for the Pro plan.
This is the most common type of attack these days for certain types of sites.

Of course they can't use server IPs to do this; we can easily catch those.

Implementing 2 options is crucial for CF Pro:
1- detecting search attacks from non-server sources [some people know the source of such costly attacks]
2- detecting VPNs and doing whatever we decide as an option

Such simple and yet crucial items don't exist in the Pro plan, and we must spend so much time extracting IPs and blocking them manually.
We need CF to do this automatically based on our input.

P.S.
Adding search to a captcha/JS challenge is a disaster for any site!!

Thank you

Could it be that these IPs are used for carrier-grade NAT? That would mean multiple users share a single IP, which would naturally result in more requests per IP.

Hello Albert,
This particular type of attack is the END of a domain when it starts.

Its characteristics are:
Suddenly, thousands of DIFFERENT IPs are sending huge numbers of requests to the web server,
in different forms of request:
search, GET, POST, HEAD…
and the IPs are 100% clean, from the main USA/UK/CA/AU ISPs.
All reports say 100% clean, but each one is sending 1000 / 30 min!!

It starts when an ISP doesn't like your site in general, and also has the influence to trigger such an A-bomb.

When they really don't like you they just ban your site, but when they can't ban it [because we know how to stay in the legal zone] they do this.

Like this:

Unfortunately CF Pro has NOTHING to stop this type of attack,
unless we use rate limiting,
and estimate how much I need to pay for millions of blocks/day if I enable rate limiting [I did it and it showed me a not-very-friendly face!!].
Thank God I noticed when it passed $200 and disabled it.

CF Pro needs to add an option to detect and ban [based on our input] such IPs.

I banned the user agent and this stops 1 million/day [thank God].
Server IPs also stop the same requests,
but the one I mentioned is the problem [and believe me, it's a huge problem].

Just 1 matter.

I see this note:

You don't have permission to see this page

but after a few seconds it goes away and lets us work.

Based on my observation,
CF still has some problems.

I'm afraid I don't know why…. Rate limiting is billed based on good requests, not blocked ones.

See also:
https://support.cloudflare.com/hc/en-us/articles/200170196-Responding-to-DDoS-attacks

There are a number of linked suggestions and strategies along with numerous older threads on this topic in the forum with tips and tricks.

Please read my second comment,
the price part.
When you have a lot of users and also some ISPs don't like you, this happens.
I was lucky I realized the price in just about 48 hours and disabled it.
If I enable it I must pay 1-2k/month just for rate limiting.

I forgot to mention:

My site is still up and running because of Cloudflare.
My site has been under constant attack since 2018, at the highest scale of attack,
and Cloudflare kept it UP/safe,
so please don't confuse my request with a complaint,
because without CF my site would go down in a second [TESTED].
I am very grateful for that.
My salute to CF.

Please show my comment to a higher level.
I tested all the current solutions.
One of the CF experts [in the CF community] helped me learn such stuff a few years ago, when my site started passing 5-6 million users/month.
I confirm:
there is NO solution for the problem I just described [which the ISPs also know!].
We are dealing with high-profile techs in the UK/USA, not just some attackers!

That's why the DDoS tool doesn't detect them.

The solution is:
CF gives us a feature that specifically detects the SEARCH URI and KILLs those requests [before sending them to the web server] when they behave dangerously and go over the limit we set [or CF sets].

And rate limiting, as we say, is a trap :wink: when we are talking about millions of blocked items/day [calculate how much!].

That stupid [apologies] Russian anti-DDoS has this feature now, after many people asked, but I even blocked Russia, LOL.
My site is not illegal [just in case].

Have you considered doing rate-limiting server side?

I don't understand what exactly you are referring to.
If you see my first comment,
I said it's the main USA/UK ISP IPs:
AT&T, Verizon… Sky,
and now even Ireland's Virgin has been added to the list, and post-processing has become a pain.

I tried almost everything I could find in the last years, but this time this Move!! is different.
It seems the goal is crippling the domain.

The whole revenue comes from those ISPs, and any type of limiting makes them angry;
in fact their IPs are completely open [they must be],
and I never saw such an amount of REAL ISP IPs involved in this process.
This is NOT DDoS; it is a very pro and expert way of targeting a domain,

and for such cases CF has no solution.

I tried to bring the case to staff, but 2 of them didn't exactly understand the DETAIL, which is IMPORTANT [in a ticket, not in the community].

Rate limiting solves the problem,
but it costs HUGE.

You can do rate-limiting on multiple layers/levels, client-side and/or server-side, depending on your particular use-case. You need to decide on the rate limiting strategy that suits your budget, needs, etc.

For example, if your machine’s network interface or OS kernel is being overwhelmed, then application-layer rate limiting might never even have a chance to begin. You can apply rate limits at layer 3 in iptables, or on-premises appliances can limit at layer 4. You might also be exposed to tuneable rate limits applied to your system’s I/O for things like disk and network buffers.

Unfortunately, not everything is free. Especially when it comes to DDoS mitigation. Often, that can be one of the bad actors' goals: breaking your budget in addition to taking your service offline.

You'd said something about $2,000 per month for rate limiting with Cloudflare. That would mean you'd need to be billed for roughly 400,010,000 legitimate/non-blocked requests matching the rate limiting rule's URL per month. Billing for Cloudflare Rate Limiting – Cloudflare Help Center

Hi @artbaby - can you please email me at [email protected]? I will have my team look at it and suggest available options.
Thanks,
Botir

Done,
thanks for everything.

Adding a feature in CF
which gives us hourly/daily… [the way they do it] those IPs/agents/ASNs which are defined as dangerous for pushing the web server to failure would be something we could even pay 50/month for :wink:
I mean, CF has enough experience to define this limit, i.e. which ASNs/agents/IPs can be considered a risk.

But still, Enterprise for a site like mine with just 6M uniques is a lot [my Jewish blood now talks!!].

Thanks for the tips.

Please kindly clarify how much 100,000 rate-limiting requests will cost,
which is the only solution.
Also,
will my own firewall rules and IP access rules be counted in rate limiting, or will rate limiting count only those requests which pass my rules?

Thank you for the time you spent.
I don't have an issue with payment
at all.

Rate limiting had some bugs at the beginning, and I saw how unkind it can be.

I enabled rate limiting and, as I said, CF is the one who keeps my site up;
without CF the site went down in 3 sec.

But
somehow, even after rate limiting, I still have 1 problem which I asked our CF friend to check.

I found a problem in the Rate Limiting feature.

My biggest problem on the site is SEARCH abuse.
I want to find, using the rate limiting option, who is abusing my search tool,
so
I tried to define:
mysiteurl/?s=

and Rate Limiting says I can't use ?

Then
I tried
*mysiteurl/s=
s=

and Rate Limiting detected nothing.

Of course I can find them using firewall rules by adding
?s=
but
I don't want users to get more agitated than they already are, after the attack caused problems for me.

My question is:
how do you define
WordPress search
options in Rate Limiting?

As you know, WordPress's search is:
mysiteurl/?s=

P.S.
Your platform is removing the star sign I use before/after the rule.
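Two points in this thread call for the same example: the earlier reply's suggestion of doing rate limiting server-side, and the last post's difficulty matching WordPress's `?s=` search URL. The script below is an added example, not Cloudflare's rate-limiting feature and not the original poster's code. It parses combined-format access log lines, recognises a WordPress search by the `s` parameter in the query string (so `/?s=x`, `/blog/?s=x&paged=2` and an empty `/?s=` all count, while a path glob like `*/s=` would match none of them), and counts search hits per client IP in a sliding one-minute window. The log lines, IPs and threshold are constructed sample data. The output is a review list rather than an automatic ban, because, as Albert's reply notes, a single busy IP can be carrier-grade NAT in front of many real users.

```python
"""Flag client IPs that hammer a WordPress search endpoint (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# nginx/Apache "combined" log format: ip ident user [ts] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "target": m["target"],
    }


def is_wp_search(target):
    """True if the request target carries WordPress's `s` search parameter.

    The parameter lives in the query string, not the path, so the query is
    parsed instead of glob-matching the URL; an empty value (`/?s=`) still counts.
    """
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return "s" in query


class SlidingWindowCounter:
    """Per-key count of events that fall inside a trailing time window."""

    def __init__(self, window=timedelta(minutes=1)):
        self.window = window
        self.events = defaultdict(deque)

    def add(self, key, ts):
        """Record an event at `ts` and return how many events `key` has in the window."""
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] > self.window:   # evict events older than the window
            q.popleft()
        return len(q)


def find_search_abusers(lines, threshold, window=timedelta(minutes=1)):
    """Return {ip: peak searches within one window} for IPs reaching `threshold`."""
    counter = SlidingWindowCounter(window)
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_wp_search(rec["target"]):
            continue
        n = counter.add(rec["ip"], rec["ts"])
        peaks[rec["ip"]] = max(n, peaks.get(rec["ip"], 0))
    return {ip: n for ip, n in peaks.items() if n >= threshold}


def sample_log():
    """Constructed sample (hypothetical IPs): one client issuing 120 searches in a
    minute, one ordinary visitor, one non-search hit and one unparseable line."""
    base = datetime(2023, 5, 1, 12, 0, 0, tzinfo=timezone.utc)

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).strftime(TS_FMT)

    lines = [f'203.0.113.7 - - [{stamp(i // 2)}] "GET /?s=term{i} HTTP/1.1" 200 5120'
             for i in range(120)]                      # 2 searches/second for 60 s
    lines += [
        f'192.0.2.10 - - [{stamp(5)}] "GET /blog/?s=cats&paged=2 HTTP/1.1" 200 8000',
        f'192.0.2.10 - - [{stamp(40)}] "GET /?s= HTTP/1.1" 200 7000',
        f'192.0.2.10 - - [{stamp(190)}] "GET /?s=dogs HTTP/1.1" 200 7500',
        f'198.51.100.5 - - [{stamp(12)}] "GET /about/ HTTP/1.1" 200 3000',
        "this line is not an access log entry",
    ]
    return lines


if __name__ == "__main__":
    for ip, peak in find_search_abusers(sample_log(), threshold=60).items():
        print(f"{ip}: {peak} search requests in one minute (review before blocking)")
```

Point the script at a real access log (one line per element of `lines`) and tune `threshold` and `window` to the rate you consider abusive; IPs it lists can then be reviewed and, if they are not CGNAT, fed into a firewall or IP access rule.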