I wish I could edit the OP but I'll give a little update here. We've moved away from Sucuri and went back to Cloudflare, this time using a different system administrator. We installed Centminmod, customized it to our needs, and placed CF proxying our domain. Since these changes, my experiences with CF are much improved compared to the first 2 times I gave them a whirl, which I think the success is mostly due to Centminmod and the new sysadmin configuring the server to play nice with CF.
We were on CF Business plan until recent (because they have an SLA saying 100% uptime from DDoS attacks, which they didn't comply with when we were attacked and knocked offline, and then was told it was our fault we haven't made specific changes in the firewall settings). Have since moved down to Pro after making multiple modifications (listed in this post) as we don't need many of the additions Business plan gave over Pro and the additional DDoS protection did nothing, and the only other thing that was beneficial is Railgun. I felt Railgun alone wasn't worth the extra $180/mo (wish we could just purchase that feature for a smaller fee). We stay within the allotted amount of Page Rules and Firewall rules for Pro so we saw this as the best way to reduce overhead and after making the changes to the firewall rules, the Business plan didn't offer any additional protection than what we get on the Pro plan now after these customizations.
While I know it can be improved, we are sitting at 70-75% caching of data, which can also help with DDoS protection. I've gotten pretty good at analyzing Firewall logs, which I didn't know what I was doing in the past when I was first using CF years ago. As such, we've been able to reduce the effects of DDoS attacks to next to nothing to the point where
I'm no longer seeing the attack attempts (inb4 an attacker reads this posts and attempts); prior to these modifications to the firewall rules we were getting attacks up to 3x/day, 5-7 days a week.
Other things we've done is:
- Only allow connections from CF servers/IPs to our server so if for whatever reason our IP address is leaked (say, if the attack is too big for CF to handle, which has happened in the past with us, they push that traffic straight to the server), now all those connections will be refused access to our server, we don't get nullrouted, and we just wait for that CF node to work again for us.
- We switched from a VPS handling our email to using Amazon SES, scrubbing the headers so the origin server IP isn't leaked. We had noticed on the VPS our emails were blocked or sent to spam due to the IP address being used in the past for spam. We use SES for our transactional and newsletters btw.
- Analyze the firewall logs each day to every couple days, making modifications to block or allow certain connections, or change priorities of rules, etc. One thing to note, there are some companies out there that are trying to monitor forums to gather data and then sell to customers and these companies send their bots out and can account for up to 50% of your connections on your site (a single one that is scanning my site is around 30% of the connections to my site currently). These bots can take up valuable bandwidth for some...so these companies/bots (i.e. Brandwatch) get a full on BLOCK from us.
- I've also put countries known for attacks and hacking on a CHALLENGE list, which I then analyze and see if we need to BLOCK anything coming from these countries. The great thing when you start adding these rules is you can see how effective or ineffective they are. For example, my Country Challenge has 7% of those connections actually completing the CAPTCHA challenge. Another one of my lists is at 5% completion of the CAPTCHA. So I'm essentially blocking 93-95% of either bots or attacks from these countries without inconveniencing many actual human browsers.
- We've effectively halted all the Chinese spam we were getting multiple times a day by placing a country wide block to our registration page (Page Rule). Sorry China.
- Made changes in the Firewall > Managed Rules > Advanced settings for each of the rule sets on that page. This is something I never realized existed so many of these have actually helped mitigate some of the attacks we were having.
- Various other things that I would like to keep secret in the event a would-be-attacker ends up reading my posts to figure out what we are doing specifically and attempting to circumvent our security protocols. However, if you are having problems with DDoS and CF isn't handling the attacks like you think they should, feel free to shoot me a PM if you can't figure out the Firewall rules, Advanced settings to change, and reading the logs.
Comparing this current set up to both DDoS Defend (rip) and Sucuri, the DDoS mitigation is roughly the same, if not better now, I can fine tune different aspects better than those other companies since I can see the logs, I'm not getting Chinese spam bots anymore, and it's saving me money each month. The only thing I'm still having problems with is many users are having issues with editing some posts (i.e. a user had put emoji's in their title and was getting errors on editing, once we removed the emojis, the user could edit...something we are looking into but it's baffling at this point).
With this type of set up:
CF = $20/mo
Amazon SES = varies depending on the campaigns we run but if you are a smaller site, there is a free tier and then you pay pennies for every 1,000 emails
This is the cheapest I've been able to get DDoS protection that works great, site being speedy, and users not experiencing many, if any, issues.