Why can CC attacks bypass rate limiting rules?

Requests like the following can completely bypass Cloudflare’s rate limiting rules and put load pressure on the server.

116.136.19.134 - [27/Apr/2024:11:36:39 +0800] "GET / HTTP/1.1" 200 19085 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36"

It cannot be completely intercepted through WAF interception!

Who knows how to intercept and block such malicious requests?

Make sure requests can’t bypass Cloudflare and go direct to your origin server by allowing only Cloudflare IP addresses through your firewall on port 443 (and 80 if required).

Are you restoring visitor IPs? (If not, likely that request didn’t come through Cloudflare).

Check that your DNS records are proxied.

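The check suggested in the reply above can be run over the origin's access log. This is an added example, not code from the thread. It assumes visitor IP restoring is off, so the first field of each line is the TCP peer. The address list is a snapshot of Cloudflare's published IPv4 ranges and the sample lines other than the one from the question are constructed.

```python
import ipaddress
import re
from collections import Counter

# Snapshot of Cloudflare's published IPv4 ranges (assumption: refresh it from
# https://www.cloudflare.com/ips-v4 before relying on the result).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Matches the log format shown in the question: ip - [time] "request" status ...
LINE_RE = re.compile(r'^(?P<ip>\S+) - \[[^\]]+\] "[^"]*" \d{3} ')

def direct_hits(lines):
    """Return (requests per non-Cloudflare peer, number of lines skipped)."""
    hits, skipped = Counter(), 0
    for line in lines:
        m = LINE_RE.match(line)
        try:
            ip = ipaddress.ip_address(m.group("ip")) if m else None
        except ValueError:
            ip = None
        if ip is None or ip.version != 4:  # unparsable, or IPv6 (not covered here)
            skipped += 1
            continue
        if not any(ip in net for net in CLOUDFLARE_V4):
            hits[str(ip)] += 1  # peer is not a Cloudflare edge: reached origin directly
    return hits, skipped

# First line is from the question; the rest are constructed sample data.
SAMPLE = [
    '116.136.19.134 - [27/Apr/2024:11:36:39 +0800] "GET / HTTP/1.1" 200 19085 "-" "Mozilla/5.0"',
    '172.68.10.5 - [27/Apr/2024:11:36:40 +0800] "GET / HTTP/1.1" 200 19085 "-" "Mozilla/5.0"',
    '162.158.90.12 - [27/Apr/2024:11:36:40 +0800] "GET /a HTTP/1.1" 404 152 "-" "curl/8.0"',
    '116.136.19.134 - [27/Apr/2024:11:36:41 +0800] "GET / HTTP/1.1" 200 19085 "-" "Mozilla/5.0"',
    'truncated line without the expected fields',
]

if __name__ == "__main__":
    hits, skipped = direct_hits(SAMPLE)
    for ip, count in hits.most_common():
        print(f"{ip}\t{count} request(s) from outside the Cloudflare ranges")
    print(f"{skipped} line(s) skipped")
```

If visitor IPs are being restored from a Cloudflare header, the first field is the visitor's address and this check does not apply; log the peer address in a separate field instead.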

Yes, I confirmed that the server side has restricted only Cloudflare node IP to return to the origin request! I use iptables to limit only ports 80 and 443:

iptables -A INPUT -p tcp -m state --state NEW -m tcp -m set --match-set CloudFlare src -m multiport --dports 443,80 -j ACCEPT

It is said to be a new CC attack method that can bypass the interception of rate limiting rules and WAF rules!

It is said that it can be bypassed by obtaining the cookie before attacking, and then attacking again!

I used force mTLS for authentication and it seems to have improved a lot.