What method of attack is being done?


#1

OVH is my hosting company and they provide Anti-DDoS which works very well if the attack is a direct IP attack.
They send an email when the attack is detected:

Dear Customer, We have just detected an attack on IP address 192.***.***.***. In order to protect your infrastructure, we vacuumed up your traffic onto our mitigation infrastructure. The entire attack will thus be filtered by our infrastructure, and only legitimate traffic will reach your servers.

Today, my server got hit by a botnet again (around 50k requests in the span of 5~10 minutes) which was logged after I blacklisted Hong Kong:

All of the requests looked like the above and my hosting company did not detect the attack, which meant it wasn’t sent directly against my server’s IP address. My security level is set on HIGH most of the time, and only during these botnet attacks do I set it to “I’m Under Attack”. The attack is immediately mitigated once I set the option to that. But when I choose that option, a lot of the regular visitors to my site claim that they see a blank page, so I try to not use that option as often as possible.

In the past, I’ve simply blocked entire countries like Ukraine and Russia. Today I blocked China and Hong Kong, but I also saw some of these attacks come from the US. Since a lot of my visitors are from the US, I cannot blacklist the US in Cloudflare’s Firewall. I’m wondering what method of attack the attacker is using to bypass these DDoS countermeasures and what I can do about it. I am not in the position to use Cloudflare’s rate limiting because it would cost me around $5~10 a day, which I consider too expensive for a semi-small site.
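The thread above describes two things a defender can check locally without paying for edge rate limiting: whether any single source is hammering the origin, and whether many sources share one request fingerprint (the "all of the requests looked like the above" pattern that per-IP country blocks miss). The script below is an added example, not code from the original post or from Cloudflare or OVH. It assumes the origin's access log is in combined format with the real visitor address already restored from the `CF-Connecting-IP` header (mod_remoteip / ngx_http_realip_module), so the IP field is the client, not a Cloudflare edge node. All log lines are constructed inline; the addresses come from the RFC 5737 documentation ranges.

```python
"""
Sliding-window flood detection over web-server access logs.

Added example for the thread, not the original poster's code. Assumes
combined log format with the client IP restored from CF-Connecting-IP.
Sample log lines below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_flooders(lines, window_seconds=60, threshold=100):
    """Per-IP sliding window: return {ip: peak_count} for IPs that exceed
    `threshold` requests inside any `window_seconds` span."""
    windows = defaultdict(deque)
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts = rec["ip"], rec["ts"]
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def find_distributed(lines, threshold=100):
    """Group by (request line, User-Agent) regardless of source address.
    A botnet spreads load so no single IP trips the per-IP check, but the
    shared fingerprint still does. Returns {fingerprint: (requests, distinct_ips)}."""
    counts = defaultdict(lambda: [0, set()])
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["req"], rec["ua"])
        counts[key][0] += 1
        counts[key][1].add(rec["ip"])
    return {k: (n, len(ips)) for k, (n, ips) in counts.items() if n > threshold}


# ---- constructed sample data (not real traffic) ----
BASE = datetime(2023, 10, 10, 12, 0, 0, tzinfo=timezone.utc)
FLOOD_UA = "python-requests/2.28.1"
DIST_UA = "Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0"


def make_line(ip, ts, req="GET / HTTP/1.1", ua="Mozilla/5.0", status=200):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{req}" {status} 512 "-" "{ua}"'


def build_sample():
    lines = []
    # one aggressive source: 150 requests inside 30 seconds
    for i in range(150):
        lines.append(make_line("198.51.100.7", BASE + timedelta(seconds=i * 0.2), ua=FLOOD_UA))
    # distributed: 20 addresses, 8 requests each, identical request line and UA
    for n in range(20):
        for i in range(8):
            lines.append(make_line(f"203.0.113.{n + 1}", BASE + timedelta(seconds=n * 30 + i * 3),
                                   req="GET /search?q=abc HTTP/1.1", ua=DIST_UA))
    # an ordinary visitor
    for i in range(5):
        lines.append(make_line("192.0.2.5", BASE + timedelta(seconds=i * 60), req="GET /about HTTP/1.1"))
    return lines


SAMPLE_LINES = build_sample()

if __name__ == "__main__":
    print("per-IP flooders:", find_flooders(SAMPLE_LINES))
    for fp, (n, ips) in find_distributed(SAMPLE_LINES).items():
        print(f"fingerprint {fp!r}: {n} requests from {ips} addresses")
```

Run against the sample, `find_flooders` flags only the single heavy source, while `find_distributed` also surfaces the 20-address group that stays under the per-IP threshold. In practice the fingerprint output is what you would turn into a Cloudflare firewall rule or WAF expression matching that request line or User-Agent, which blocks the campaign without blocking whole countries; thresholds here are illustrative and should be tuned to the site's normal traffic.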

