What is the best way to handle a false positive?

Hello all,

Around the end of July, we have a big sale coming up and we are expecting large legitimate traffic on a single day (rather, a few hours). I have looked up the URL: developers.cloudflare.com/ddos-protection/managed-rulesets/adjust-rules/false-positive/
but we don't have a single DDoS log entry, so I am kind of stuck as to what would be the best way to move forward to avoid false positives.

Any help would be appreciated. TIA

What Cloudflare plan are you using? Free, Pro, Biz or Enterprise? What e-commerce application are you using?

For paid plans you can ask/email/ticket support to see if CF has any recommendations or directions to resources for your usage requirements. Paid plans also get higher quotas for the various useful CF Firewall/Page Rule/Transform rules etc., as well as more extensive web/firewall/CDN cache analytics, which are useful to better custom-tailor your site's usage: https://www.cloudflare.com/plans/#overview.

You can see if any existing Cloudflare support articles cover your web app/scripts at https://support.cloudflare.com/. For some e-commerce sites: https://support.cloudflare.com/hc/en-us/sections/200820648-e-Commerce

Unfortunately or fortunately, the best way to minimize false positives is to understand your web application/site and how it's used legitimately. Sometimes you can't do that with just the CF WAF managed rule set, as it's too general. Usually I use Page Rules and Firewall Rules instead of the WAF to target specific patterns.

So the usual stuff: if you are only shipping to or dealing with USA customers, you may set higher security for non-USA customers/visitors. Or if you know only your admins are meant to have access to backend /admin pages, you can put /admin behind Cloudflare Access. Or you may want to deploy CF rate limiting rules on login/registration/forgot-password URL paths, i.e. there is no legit reason the same IP address needs to hit the login/register URL paths 100 times per second :)

Cloudflare's DDoS system is smart enough not to treat large traffic levels alone as suspicious, so I doubt you'd get false positives. But it's good to reach out to Cloudflare support, especially if on CF paid plans, and talk with them to see whether your expected traffic levels will trigger anything.

I think the biggest issue you may have is with visitors using VPNs. CF has a guide for that at https://developers.cloudflare.com/ddos-protection/best-practices/third-party/

Recommended DDoS configuration adjustments

If your organization uses VPNs, NATs, or third-party services at high rates of over 100 Mbps, it is recommended that you do one of the following:

If you are on an Enterprise plan, you can change a rule’s action to Log to view the flagged traffic in the analytics dashboard. After gathering this information, you can later define rule adjustments as previously described.

And if you run a for-profit site, definitely look at the Cloudflare Business plan, as its additional bypass-cache-on-cookie rule and other features can help with high-traffic site usage, for guest visitors at least. I wrote a blog post on the Cloudflare Business plan: What Are The Benefits Of Using Cloudflare Business Plan? - Centmin Mod Blog.

CF Business also has CF Waiting Room to help better manage a large influx of visitors: https://developers.cloudflare.com/waiting-room/ and https://support.cloudflare.com/hc/en-us/articles/360061431012

And for why higher CF paid plans have better network routing and better TTFB performance, see Improving Time To First Byte (TTFB) With Cloudflare. In that thread I also outline 3 segments to optimize, and why for e-commerce or logged-in-user type sites Cloudflare can only help for guests/non-logged-in users; segment 3 relies on your origin server being optimally configured to handle logged-in user/cache-miss requests.

And if you don't have the traffic or data to make the decision, you can also do a mini pre-sale (a limited hour/time-of-day sale) a few days or weeks before, with CF things in place to monitor and adjust as the traffic data comes in.

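The rate-limit advice above (no legitimate client hits login/register 100 times a second) and the mini pre-sale suggestion both come down to the same thing: measure what real per-IP rates on your sensitive paths look like before you pick a threshold, so the rule catches credential stuffing without challenging real shoppers. The following Python script is an added example for this thread, not code from Cloudflare or from anyone in the discussion. It parses common-log-format access lines (the lines are constructed here; the path list, the 60-second window and the 3x headroom are assumptions you would tune), finds each IP's peak number of hits on login-type paths in any sliding window, and suggests a threshold from the busiest IP you believe is legitimate:

```python
"""Derive a per-IP rate-limit threshold for login-type paths from access logs.

Added example for this thread, not Cloudflare code. The log lines are
constructed, and the sensitive paths, window and headroom are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Paths you would rate limit (assumed; adapt to your application's routes).
SENSITIVE_PATHS = ("/login", "/register", "/forgot-password")

# Common-log-format lines, constructed for this example.
_BURST = "\n".join(
    f'198.51.100.7 - - [20/Jul/2023:10:00:{s:02d} +0000] "POST /login HTTP/1.1" 401 300'
    for s in range(3, 15)  # 12 failed logins in 12 seconds: looks like credential stuffing
)
SAMPLE_LOG = f"""\
203.0.113.10 - - [20/Jul/2023:10:00:00 +0000] "GET /login HTTP/1.1" 200 2048
203.0.113.10 - - [20/Jul/2023:10:00:05 +0000] "POST /login HTTP/1.1" 302 0
203.0.113.10 - - [20/Jul/2023:10:00:06 +0000] "GET /account HTTP/1.1" 200 8192
{_BURST}
192.0.2.5 - - [20/Jul/2023:10:00:10 +0000] "GET /forgot-password HTTP/1.1" 200 1024
192.0.2.5 - - [20/Jul/2023:10:00:40 +0000] "POST /forgot-password HTTP/1.1" 200 512
this line is not a log entry and is skipped
192.0.2.5 - - [20/Jul/2023:10:01:11 +0000] "GET /login?next=/cart HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one common-log-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop the query string before matching
        "status": int(m["status"]),
    }


def is_sensitive(path):
    """True for the rate-limited paths and anything nested under them."""
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_PATHS)


def peak_rates(log_text, window_seconds=60):
    """Return {ip: peak hits on sensitive paths within any sliding window}.

    Records are sorted by timestamp first, so the input need not be in order.
    A request exactly window_seconds after another is not counted in the same window.
    """
    window = timedelta(seconds=window_seconds)
    records = [r for r in map(parse_line, log_text.splitlines()) if r and is_sensitive(r["path"])]
    records.sort(key=lambda r: r["ts"])
    recent = defaultdict(deque)  # per-IP timestamps still inside the window
    peaks = defaultdict(int)
    for rec in records:
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] >= window:
            q.popleft()
        peaks[rec["ip"]] = max(peaks[rec["ip"]], len(q))
    return dict(peaks)


def suggest_threshold(peaks, known_bad=(), headroom=3, floor=10):
    """Threshold = headroom x the busiest IP you consider legitimate, never below floor.

    known_bad holds IPs you have already identified as abusive so they do not
    inflate the legitimate baseline.
    """
    legit = [p for ip, p in peaks.items() if ip not in set(known_bad)]
    return max(floor, max(legit, default=0) * headroom)


def flagged(peaks, threshold):
    """IPs whose observed peak meets or exceeds the threshold, i.e. what the rule would hit."""
    return sorted(ip for ip, p in peaks.items() if p >= threshold)


if __name__ == "__main__":
    peaks = peak_rates(SAMPLE_LOG)
    for ip, p in sorted(peaks.items(), key=lambda kv: -kv[1]):
        print(f"{ip:15} peak {p:3d} hits / 60s on sensitive paths")
    t = suggest_threshold(peaks, known_bad={"198.51.100.7"})
    print(f"suggested threshold: {t} requests / 60s; would flag: {flagged(peaks, t)}")
```

Run it over a real log export from the mini pre-sale (or the weeks before the sale) and feed the suggested number into the rate limiting rule with a sensible action, such as a challenge rather than a block, so an unusually eager legitimate customer is inconvenienced rather than locked out.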

Thanks a lot for such a detailed explanation. I do have a Pro plan in place. So I might as well get in touch with someone for further guidance.
