I am pretty new to Cloudflare and would appreciate tips on how to effectively deal with DDoSing. My domains and subdomains are all proxied through Cloudflare. It seems like even when I am using Under Attack Mode my website still suffers heavily from DDoSing. Any advice would be helpful and I would be glad to give any relevant information on my deployment. Thanks in advance.
#DDoS prevention tips.
Considering the amount of DDoSing I am dealing with, would it make sense to upgrade to Pro for DDoS protection?
If your site is being attacked and you've enabled Under Attack Mode, and you're still experiencing your origin going down, you might not be secured with Cloudflare.
Make sure your DNS records are set to "Proxied", create Rate Limiting rules (https://dash.cloudflare.com/?to=/:account/:zone/security/waf/rate-limiting-rules) and make sure Bot Fight mode is enabled (https://dash.cloudflare.com/?to=/:account/:zone/security/bots/configure)
Check your server logs. If you are seeing attacks from any IP that's not on Cloudflare's IP list, then your origin IP is exposed. https://cloudflare.com/ips
I promise you that it is being proxied
My attackers got the origin IP of my server before I put up a firewall only allowing inbound requests from my home network and Cloudflare's listed IP addresses
So I changed the origin IP AND put up a firewall preventing any access from random IP addresses
Basically, I already am proxied and have a firewall preventing IP access from non-Cloudflare IPs
And Bot Fight mode is on
All this is before asking this question ^^^
I did take your suggestion and just now enabled a rate limit
I will see how that does
If you're on a Pro or higher plan level, you can open an Under Attack ticket and @ me with the ticket number.
Apart from that, I can check on the traffic for the domain but I absolutely cannot divulge any specifics except for recommending generic mitigation.
Alright, thanks. I was thinking of getting a Pro plan anyway
@rich lily https://community.cloudflare.com/t/mitigating-an-http-ddos-attack-manually-with-cloudflare/302366
Cloudflare Community
This guide is for those users of Cloudflare who experience medium-high level complexity DDoS attacks. Continue reading if you want to accomplish the following: Becoming more familiar with the Cloudflare Dashboard and crafting custom firewall rules. Understanding the standard behavior of DDoS attacks and deploying effective firewall rules. Rea...
I'll let you know if enabling the rate limit will stop them. If it doesn't I'll buy Pro and make a ticket.
Will read and implement.
In their first attacks, despite spamming nearly a billion requests, they seemed to have not been effective
because of under attack mode
Just a heads up, the Pro plan won't make the DDoS mitigation better; however, you will get more visibility into the traffic that is reaching your site, and creating firewall rules is easier
That's the problem
yeah
you are right
And I would get access to official support tailored to my needs
But they changed up their attack
Creating a ticket might help with an initial response, but you won't get follow-ups fast enough; currently users that sign up for Pro might wait weeks between follow-ups
your best bet right now is learning how to mitigate the attack
Still, visualization would be helpful
oh absolutely
yes
I did country blocking since that's the main thing I can see
Can you go to the firewall events and show me a few samples of requests that were blocked/challenged?
can you expand the events?
There's a lot with those user agents
the random characters
look at the ips
Now the thing is I have rate limiting on my Django project
can you add a firewall rule with this expression to see if it helps?
(http.request.version eq "HTTP/2" and not cf.client.bot and not http.user_agent contains "Mozilla")
You know I swear I recognize your profile somewhere lol
You are also in the AWS Discord, right?
I use AWS but I didn't know they had a Discord channel
I don't think it's official lol
So it seems like this and the rate limit @tall silo suggested are working pretty well
It's because the attacker wasn't even attempting to make realistic user agents
They will probably realize it's not working and switch it up
but until then its working pretty well
@viral scroll unfortunately I'm still being DDoSed pretty heavily
@tall silo
ok
Looks like they were targeting an API
So I added it to the WAF rate limit
big whoopsie on that one
@viral scroll hey, what's up, I was getting DDoSed again and remembered you gave me good advice to help mitigate it
I was wondering if you could give me some more advice now because whoever was doing it came back and became smarter
do you have some pics of the attack?
If you are on the Pro plan, go to Security -> Events or Analytics
yessir
I am not, but I am willing to upgrade probably
here look
an example
They DDoS all on the query string ?id=1
So I just started blocking every single request with id=1
I need to like force every request to go through a JS challenge
I thought that's what Under Attack Mode did but I was wrong
@viral scroll
The user agents are valid user agents
HTTP 1.1 is probably a good indicator too
and they are randomized
I think I already give challenges to HTTP 1.1
yeah look
the rule is named after you
because you said i should put this in LOL
@viral scroll
It's already been in there
The only reason my backend isn't like
severely crippled rn
is because I blocked all their requests on /?id=1
If you update to Pro I'd open a ticket to report the missed attacks
Won't get you immediate help but the team can look into it
yeah
I used to have it
on a different domain
it was pretty nice
@viral scroll question
If the WAF goes in order
how come this is not blocked by the HTTP version filter I have
It's blocked by a different rule
Wait, I know why
It only blocks if the user agent also does not contain Mozilla
So I'll remove that for now
Yeah, that worked really well for me @viral scroll, good call out
All of those requests were on HTTP 1.1
Lucky. My attacks and legit traffic are all HTTP/2
The people attacking me are dumb
Idek who they are
But they are attacking the same query
So I can just block that if I wanted to
LOL
Mine seem to be bypassing managed challenges completely, doesn't even say they solve them
Wtf
#1232493964536447017
That’s wild
And that's one of my tiny attacks
Probably the YT channel that owns us ¯\_(ツ)_/¯
I am having a really tough time managing my issue. They look like legit browser sessions; they have legit-looking referers, a very diverse user agent source, diverse headers
Is there any way in Cloudflare to like
look at the TLS fingerprints
or something
or a way to like block IPs if they pass a certain amount of rules broken
idk :/
What I used to do
to like temp fix the problem is just disable and change the subdomain
LOL
@sleek bay
Is it possible that your server is allowing requests from outside of Cloudflare?
On my server the only inbound requests allowed are from CF IPs
both aren't possible
