What should I do after an attempt to DDoS my site?

Hello there, my site just faced 32 million requests which lasted for 2 hours.
It was pretty intense (to me, at least) and my server provider sent emails to me complaining about my inbound and outbound usage.

Now, as I am no longer under attack, what should I do to learn and prevent this from happening again? I’ve currently added a firewall rule to give a JS challenge to the countries that “participated” the most in the attack. Is there something else I should do?

First off, by using Cloudflare you took every reasonable precaution and the hosting company should be thankful for that. You can also add a Firewall rule to challenge based on threat score, e.g. (cf.threat_score ge 15).
If you’ve reviewed your server logs, is there anything that stands out or what they were trying to access?

Thank you for the reply,
I currently do not log requests, is this something I should be doing?
I feel like this would be bad to do as I’ve read in multiple articles that logging every request would decrease performance under heavy load, so I decided not to.

Personally, I think access logs are necessary, but if you don’t have any, it’s not going to do much now.
You can check the Cloudflare Firewall Log details and, depending on your site’s requirements, create rules for URI (only allowing certain IP/AS to the backend) or request method (e.g. connect, delete, options, put, trace, track etc.).
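
An added example, not part of the original thread: a short Python summary of web server access logs that surfaces what "stands out" after an event like this (busiest client IPs, most-requested paths, the peak minute, and any of the request methods named in the last reply). It assumes logs in the common/combined log format; the function name and the sample lines (documentation IP ranges) are constructed for illustration.

```python
import re
from collections import Counter

# Methods the last reply suggests restricting with a firewall rule.
RISKY_METHODS = {"CONNECT", "DELETE", "OPTIONS", "PUT", "TRACE", "TRACK"}

# Common/combined log format: ip ident user [time] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def summarize(lines, top=3):
    """Count requests per client IP, per path, per method and per minute."""
    ips, paths, methods, minutes = Counter(), Counter(), Counter(), Counter()
    skipped = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            skipped += 1          # malformed line: count it, do not crash
            continue
        ips[m["ip"]] += 1
        paths[m["path"].split("?", 1)[0]] += 1   # group by path, ignore query
        methods[m["method"]] += 1
        minutes[m["ts"][:17]] += 1               # e.g. "10/Oct/2023:13:55"
    return {
        "top_ips": ips.most_common(top),
        "top_paths": paths.most_common(top),
        "risky_methods": {k: v for k, v in methods.items() if k in RISKY_METHODS},
        "peak_minute": minutes.most_common(1)[0] if minutes else None,
        "skipped": skipped,
    }

# Constructed sample input (not real traffic).
SAMPLE = [
    '198.51.100.7 - - [10/Oct/2023:13:55:01 +0000] "GET /search?q=a HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2023:13:55:02 +0000] "GET /search?q=b HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2023:13:55:03 +0000] "GET /search?q=c HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2023:13:55:04 +0000] "TRACE / HTTP/1.1" 405 0',
    '192.0.2.44 - - [10/Oct/2023:13:56:10 +0000] "GET /index.html HTTP/1.1" 200 1043',
    'garbage line',
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```
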
