Why did Cloudflare fail to protect me against a sudden surge of traffic?

Hello,

Yesterday at 8 pm local time, my website encountered an error 524.

Upon some investigation inside my Cloudflare account, I noticed an unusual surge of activity from Finland:

I had to create a firewall rule to challenge this request of traffic from this very specific IP address.

I also created a rule to block this same IP inside AWS.

Only after doing this my site was back online.

Why did Cloudflare fail to block this unusual activity?

It must not have looked suspicious enough. Did it all hit a specific URL?

It’s what’s called a layer 7 attack.

Cloudflare alone isn’t enough, and there is no automated way to deal with it, as layer 7 attacks are application-level attacks and Cloudflare has no way of automatically knowing what your application is and whether it’s a legit request/traffic type for your application. You’d have to tell Cloudflare what is legit or not via CF WAF/Firewall Rules or custom CF Worker-based logic. But Cloudflare isn’t useless, as there are other DDoS attacks at Layers 1-6, which can be even more costly to defend against, and Cloudflare helps with those :)

Cloudflare even states it’s difficult to defend against Layer 7 attacks: https://www.cloudflare.com/en-au/learning/ddos/what-is-a-ddos-attack/

Application Layer Attacks
The Goal of the Attack:
Sometimes referred to as a layer 7 DDoS attack (in reference to the 7th layer of the OSI model), the goal of these attacks is to exhaust the resources of the target. The attacks target the layer where web pages are generated on the server and delivered in response to HTTP requests. A single HTTP request is cheap to execute on the client side, and can be expensive for the target server to respond to as the server often must load multiple files and run database queries in order to create a web page. Layer 7 attacks are difficult to defend as the traffic can be difficult to flag as malicious.

3 Likes

Everything from one single IP, with over 10 requests per second coming from that hosting server company. It hit a myriad of URLs, some I didn’t even know existed for my site.

Wow, that’s crazy! Thanks for the information.
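The pattern reported in this thread, one address sustaining more than 10 requests per second across many URLs, can be picked out of origin access logs and turned into a firewall rule expression. The script below is an added example, not code from any poster or from Cloudflare; the Common Log Format layout, the function names, the 10-second window and the sample addresses are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
# Assumed log layout: Common Log Format (client IP, [timestamp], "METHOD path ...").
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def find_heavy_sources(lines, window=10, max_rps=10):
    """Map each IP whose rate over any `window` seconds exceeded `max_rps` to (peak_rps, distinct_paths)."""
    hits, paths = defaultdict(list), defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # not in the expected format
        try:
            ts = datetime.strptime(m.group(2), TS_FMT).timestamp()
        except ValueError:
            continue                      # unparseable timestamp
        hits[m.group(1)].append(ts)
        paths[m.group(1)].add(m.group(3))
    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        peak = start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] >= window:   # slide the left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > window * max_rps:
            flagged[ip] = (peak / window, len(paths[ip]))
    return flagged

def rule_expression(ips):
    """Cloudflare rule expression matching the flagged source addresses."""
    return "ip.src in {%s}" % " ".join(sorted(ips))

def sample_log():
    """Constructed data: one host at 15 req/s for 20 s plus two ordinary visitors."""
    t0 = datetime(2024, 1, 1, 20, 0, tzinfo=timezone.utc)
    def row(ip, sec, path):
        stamp = (t0 + timedelta(seconds=sec)).strftime(TS_FMT)
        return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 512'
    noisy = [row("203.0.113.7", i // 15, "/page/%d" % (i % 120)) for i in range(300)]
    quiet = [row("198.51.100.%d" % (20 + i % 2), i, "/") for i in range(20)]
    return noisy + quiet + ["not a log line"]

if __name__ == "__main__":
    found = find_heavy_sources(sample_log())
    print(found, rule_expression(found))
```

The resulting expression can be attached to a challenge or block action, which is the per-IP rule the original poster created by hand.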
