Why was traffic spike not blocked?

We had a huge spike in traffic earlier today, which we suspect was a DDoS attack. We notice a spike over normal traffic (about 2-3 times normal traffic) starting around 18:45 yesterday and it was pretty consistent, when suddenly during the 0500 hour this morning, it spiked like crazy

As you can see most traffic was from France.

Now, if I check the firewall, I see that the firewall rules blocked serveral requests till about 0300 hours and then almost everything was passed through – including during the 0500 hour spike

the top 2 IP addresses that were blocked, are again from France.

so I am trying to figure out why CF was able to block the traffic earlier but really failed to do it, during the actual peak – fortunately other than a few timeout errors, this was sustained pretty well by our server, but as you can imagine this is concerning as we rely on CloudFlare’s firewall to block such attacks before they reach our server.

I see that the new DDoS rules have been added

and per the documentation they are enabled by default - so I am really not sure why it did not work here?

Here’s a good reference video:

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.