#How to turn off DDOS protection on R2?

My cached endpoint is returning cloudflare ddos protection from my application when there is high traffic and it is very annoying. Do I need enterprise?!

If you're talking about an R2 Custom Domain, check Security -> Events and see what service is challenging/blocking the requests, Magic Link: https://dash.cloudflare.com/?to=/:account/:zone/security/events

@pseudo notch

it's not a ddos...

Over 200 of my users got blocked

from my own application sending myself requests

can i whitelist all ips or something. this is cached on cdn so i have no interest about stopping ddos

@pseudo notch should i be sending a user agent?

Or does this work?

You can lower the sensitivity of Http DDos with an override: https://developers.cloudflare.com/ddos-protection/managed-rulesets/adjust-rules/false-positive/

you probably should be though yea

It is not 1 false positive.

Even myself got blocked

How can I do this?

opps I meant to reply to "should I be sending a user agent"

The DDoS protection is always on. You can follow that false postive guide to lower the sensitivty

Based on the Rule ID in that one blocked event, it looks like the specific one flagging you is "HTTP requests with unusual HTTP headers or URI path (signature #61)."

How can i turn this ddos protection off. It doesn't work it blocked the creator of the app even 😂

I'm not sending a useragent

is that why

You can't turn it off. You can only lower the sensitivity of it. Did you follow the false postive guide to deploy an override?

I was thinking of sending a chrome useragent

To circumvent the firewall

I wouldn't impersonate a browser, I would just send a custom one

can you tell me what headers

cloudflare likes/wants me to send

I can't, no, I don't know the full list. Obvious ones like impersonating browser user agents/faking them/having empty can cause issues.

I would go the other way and deploy a ddos override as suggested above. You can target that specific rule and lower the sensitivity

i did deploy a ddos override

and i still got this

do i need enterprise?

i read to disable ddos

i need to get enterprise

did this accomplish ddos bypass?

no but I would wager it just needed a second to update if you changed the sensitivity

the whole ddos pipeline is a complex thing sampling only one out of a thousand requests and such

i already had everything to lowest

sensitivity

weeks ago

Enterprise can change the action to Log

what does skip mean, my assumption is skip firewall?

you already had a ddos override, and you could see that specific rule at essentially off sensitivity?

just that it matched your custom rule and skipped specific components you selected

yep

it dazzles me why anybody would care about ddosing

cached cdn files lol

this shouldnt be a thing

Yea, CF would mitigate it eitherway though because it costs their resources/network stability

how much is enterprise usually?

Interesting though, do you see a spike in analytics/think someone actually ddosed you alongside this? Would make some sense if your normal requests got captured up in a rule to mitigate the actual requests

no we just had a flash sale

and many api requests

were sent from our app

depends on the features you want and traffic. I wouldn't expect less then is a few thousand usd/month base though

few thousand

basically

we had

200k api reqs

sent to the cdn at once

like within 1 min

and they all got blocked

even devices that only connected

1 time

(my personal device and phone 4g)

are they proxied through the app/coming from your backend or just using the app's http library and thus no user agent?

they are coming from the app

and they have no headers

because i dont want to use unnecessary bandwidth

it seems "skip"

here is kipping the firewall

Just want to note this has no user agent

That's a pretty good bot indicator

Unless you're doing some weird proxy to R2 and not properly passing headers, this block at least seems legit

Oh you replied to that, yeah I'd forward client headers

I'm sending no headers intentionally yes. Which headers do you suggest i add, just user-agent?

All of them

What does all of them mean sorry? I'm not using a webapp

This is a javafx native gui

The request is being initiated

from the GUI

It's not a forwarder or anything

like are you referring to all of them like matching a browser?

Aren't bots smart enough to set a user-agent header?

ok it's not getting blocked sending user agent mozilla for now

would it be best

to set up like a small server

and just whitelist that ip directly?

then it wont ever get ddos blocked

okay

i'm sending postman useragent

to be safe lol

Custom Rules won't skip DDoS mitigation/DDoS Mitigation Rules. It runs after DDoS Protection so you'll only see the skips when http ddos isn't blocking it/otherwise you'd see http ddos blocks

Oh

What user agent would you use in your app

i just dont know what to set it as

if i leave it as java http/client

that is used by some ddos attackers too

I would just use your app name / version / platform. Having something is set is better then being empty, and I wouldn't impersonate browsers

user-agent: dwaynapp / 1.0.2 / windows

good? @pseudo notch

the format ietf recommends is this:
https://stackoverflow.com/a/2601492
dwaynapp/1.0.2 (windows)

this is browser isnt it

😄

okay

i'll go with this

if it blocks with this then idk

cani. whitelist my own ua

That ietf rfc that specifies formats is just about http semantics in general

kk sure

i for sure cant whitelist my own ua?

Enterprise could, I don't think any lower can.

you don't have any other weird/non-standard request headers, yea?

nothing

0 header

@pseudo notch what do you think about using a whitelabeler

like digital ocean spaces

which uses cloudflare as cdn

they have an option to turn off firewall

is that because they have enterprise?

I would have to understand the context to say more but yes Enterprise can set their Security Level to Off which disables a lot of security stuff including at least some http ddos stuff (although not the lower l3/l4 stuff)

are you able to lookup my endpoint or something

and see if it's off

if digitalocean can turn it off fully

then should be all good

no community champs are not employees, and that's not something even an employee would do from discord

ah ok

thanks for helping me

i just tested a few million requests with a user agent

and it worked

i'm shocked a ddosser does not know how to set a user agent lol

Telling apart automated good vs automated bad requests is hard lol

If it helps, from what I understand, Cloudflare runs a few services at Edge and in Core which collect samples all of requests. They sample pretty high (only one out of a thousand requests in some cases) and analyze headers/content, and if thinks it is malicious and over a threshold, it deploys a mitigation rule to edge matching the signature, and blocking all further requests with that signature. Eventually that rule goes away until it is needed again.
https://blog.cloudflare.com/deep-dive-cloudflare-autonomous-edge-ddos-protection/
Which matches your description/what you've seen, you got a spike of traffic with that empty user agent header and CF deployed a mitigation against it, blocking all, until traffic calmed down again. So hopefully that's the end of it if you start sending user agent and aren't doing any other weird http header/path things, at least in terms of that one rule.

That's just one of the heuristic/blocking rules though. There's other more dynamic ones like known from botnet based on various signatures/fields. If any attack is big enough to actually hurt CF, you know they'll craft something special to nuke it

isn't it as costly for cf to return a 403 blocked message as it is returning a cached json?

in fact, my cached json is even smaller than the cf blocked 403

both message are cached from edge

It doesn't know or care about that, and it blocking it ends the execution early, and if the attack is highly volumetric they'll start blocking at a lower level (L4/IP Jails)

so do you think it would make sense to completely disable the ddos on edge cached r2?

because it costs the same and makes 0 difference

0 chance of downtime for customers