Why is CloudFlare DDOS-ing our website?

Hi,
We came under DDoS attack a few days ago. There were a ton of IPs attacking us, at the same time over 250 access requests per second. On taking a closer look, all the IPs belong to Cloudflare, but that is strange as we use Cloudflare CDN.

Some examples are - 108.162.237.128, 108.162.237.136, 108.162.237.148, 108.162.237.150, 108.162.237.152, 108.162.237.158, 108.162.237.160, 108.162.237.168, 108.162.237.20, 108.162.237.210, 108.162.237.212, 108.162.237.220, 108.162.237.32, 108.162.237.58, 108.162.237.62, 108.162.238.103, 108.162.238.15

It makes no sense, as when we turned Under Attack mode on, the DDoS attack went away. Then when we turned it off, we again saw the same IPs attacking us.

Then we blocked hundreds of IPs, and our CPU usage became bearable.

We are on a VPS and Cloudflare has been our CDN, and suddenly its IPs have been attacking us for the last 5-7 days. Is there some settings mismatch?

Any help is appreciated. website: www.gadgetbridge.com

Regards

Not strange at all. Cloudflare is a reverse proxy, so all connections come through Cloudflare. You’d need to configure your server to do this:

https://support.cloudflare.com/hc/en-us/articles/200170786-Restoring-original-visitor-IPs


Hi,
Thanks, so that means CloudFlare is not DDoS-ing us, but all the DDoS attacks are routed through CloudFlare since we use it as CDN?

Correct, and because it goes through CloudFlare you can use the tools CloudFlare has to stop it.

First steps can be found here:

The key part being to analyse the data you gather from your Firewall Events Log so you can start mitigating the attack with Firewall Rules etc.
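The two replies above make one point between them: the 108.162.x.x addresses are Cloudflare's edge, so the origin has to restore the real visitor address from the CF-Connecting-IP header before any per-IP counting or blocking means anything. The following is an added example written for this thread, not code from the original posts or from Cloudflare. It trusts CF-Connecting-IP only when the TCP peer is actually a Cloudflare address (otherwise anyone who finds the origin IP can spoof the header), then computes requests per second per real client over a few constructed log lines. The Cloudflare ranges are a hand-picked snapshot and the log format is invented for the example; in production, load the current list from https://www.cloudflare.com/ips/ and log both `$remote_addr` and `$http_cf_connecting_ip` from your web server.

```python
import ipaddress
from collections import Counter

# Snapshot of a few Cloudflare IPv4 ranges, constructed for this example.
# The authoritative list is published at https://www.cloudflare.com/ips/ and
# changes over time; fetch it rather than hard-coding it in production.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "103.21.244.0/22",
    "104.16.0.0/13",
    "108.162.192.0/18",   # covers the 108.162.237.x / 108.162.238.x edge IPs in the post
    "172.64.0.0/13",
)]


def is_cloudflare(peer_ip: str) -> bool:
    """True if the TCP peer address belongs to one of the Cloudflare ranges."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)


def real_client_ip(peer_ip: str, headers: dict) -> str:
    """Restore the visitor IP, but only trust CF-Connecting-IP when the
    connection really came from Cloudflare. A direct connection (someone who
    found the origin IP) can set the header to anything, so it is ignored."""
    if is_cloudflare(peer_ip):
        forwarded = headers.get("CF-Connecting-IP")
        if forwarded:
            try:
                return str(ipaddress.ip_address(forwarded.strip()))
            except ValueError:
                pass  # malformed header: fall back to the peer address
    return peer_ip


# Constructed sample log lines (not real traffic), one request per line:
#   <peer-ip> <CF-Connecting-IP or "-"> <unix-second> "<request>"
# The last line is a direct hit on the origin with a forged header.
SAMPLE_LOG = """\
108.162.237.128 203.0.113.7 1700000000 "GET / HTTP/1.1"
108.162.237.136 203.0.113.7 1700000000 "GET / HTTP/1.1"
108.162.237.148 203.0.113.7 1700000000 "GET /?q=1 HTTP/1.1"
108.162.237.150 198.51.100.20 1700000000 "GET /about HTTP/1.1"
108.162.238.103 203.0.113.7 1700000001 "GET / HTTP/1.1"
108.162.238.15 203.0.113.7 1700000001 "GET / HTTP/1.1"
198.51.100.99 203.0.113.7 1700000001 "GET /admin HTTP/1.1"
"""


def parse_line(line: str):
    """Split one log line into (real client IP, unix second)."""
    peer, forwarded, ts, _request = line.split(" ", 3)
    headers = {} if forwarded == "-" else {"CF-Connecting-IP": forwarded}
    return real_client_ip(peer, headers), int(ts)


def requests_per_second(log_text: str) -> Counter:
    """Requests per (real client IP, second). This is the number a
    '250 requests per second' observation should be computed on, not the
    count per Cloudflare edge address."""
    counts = Counter()
    for line in log_text.splitlines():
        if line.strip():
            client, ts = parse_line(line)
            counts[(client, ts)] += 1
    return counts


def offenders(log_text: str, threshold: int) -> dict:
    """Client IPs that reached `threshold` requests in any single second,
    mapped to their peak per-second rate: candidates for a Firewall Rule
    or rate limit at the Cloudflare edge, where the block actually helps."""
    peak = {}
    for (client, _ts), n in requests_per_second(log_text).items():
        if n >= threshold:
            peak[client] = max(peak.get(client, 0), n)
    return peak


if __name__ == "__main__":
    print(offenders(SAMPLE_LOG, threshold=3))   # {'203.0.113.7': 3}
```

Running it attributes six of the seven requests to the two real visitors behind the five different Cloudflare edge addresses, and keeps the forged-header request on the direct peer 198.51.100.99 rather than on the victim address it claimed. If the origin is nginx, the same trust decision is what the `ngx_http_realip_module` makes when you list the Cloudflare ranges in `set_real_ip_from` and set `real_ip_header CF-Connecting-IP;`; blocking Cloudflare's own edge addresses at the VPS firewall, as the original poster did, just cuts off legitimate traffic while the attacker's source stays hidden behind the proxy.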

Cloudflare just hides the IP of the direct machine so that users aren't able to run direct attacks. Your service, though, could only be capable of 400 requests a second per core, and if, say, a user was able to send 20+ concurrent connections and overflow the requests, you're DoS'd…

CloudFlare in my experience is just peace of mind for hiding your network's IP addresses through the proxies offered.

So, TL;DR: you should expect a DDoS, and if services are overwhelmed, have a fail-safe in place if necessary, or run more servers before the endpoints so discovery/spam is not an issue.


With all that said, CF cannot limit the rates because it's the internet. By limiting you are preventing site expansion and all sorts. The connection process is SYN/ACK. The synchronize can be spoofed, but the response is the acknowledgement; it's very easy to mess with this process and, say, send a fake header stating the wrong IP with no expectation of an ACK. So know that SYN attacks (spoofed) are common.

To keep it simple, DDoS will forever happen… No one will save you but a server that can devour the attack, but being a small business you aren't looking to put thousands towards servers.
