CloudFlare security systems on! XenForo is under attack too? How is your experience with CloudFlare? And KnownHost? I had a very bad one here to share

deslocotoco

Well-known member
As i can see, XenForo turned on yesterday the CloudFlare protection system against attacks (DDoS?), i don't know if is only country applied or for every visitor.

Is XenForo under attack now? Just curiosity.

But, about the subject, i had a very bad experience with CloudFlare on mitigate heavy duty DDoS attacks, unfortunately. For some context, i have a very busy Forum that deals with politics and news on my country that is very divided right now.

In the last year, i had to contract the professional plan from CloudFlare to protect my site. I was victim of all kinds of attacks to shut down my server, specially with DDoS, force login methods, infinite GETs requests, bots, all the basic stuff easily contracted in obscure sites. Vast majority from China, and the rest, divided to Russia, some minor countries and other computers bots around the world.

The result, after expending some hundreds of dollars to pay to the service, CloudFlare was unable to protect my site, even properly configured to mitigate all kinds of attacks. The ip/country block was a joke for the attackers, basically. I never seen in my life so many attacks requests on my CloudFlare. Was bizarre.

In that time, i was using a managed hosting service in my country, that doesn't handled well the question. Moved to KnownHost, trying to seek a more professional solution. Nothing. One month of my site completely dark and burning money like Joker in the Batman movie, without any kind of revenue coming from Ads, i was completely broke and using pay-to-use services from CloudFlare.

Both KnownHost and CloudFlare stopped to reply to my emails. KnownHost abandonned my ticket after one month. More than one month trying to seek a solution specially with KnownHost, and they didn't have the courtesy to offer some kind of refund, since, well, one month without my site online is one month that a service was not provided.

I gently asked to refund my bills, on that basis, the reply was very corp style, that they will analyze the case and return back. More than one year passed after this last e-mail.

Since the KnownHost is very expensive for my currency, i had to get back to my old host solution. The attacks still going full mode and i just have to maintain at least my DB intact.

After all that, with attacks persisting in this war, after almost two months of a forced shutdown, i had a great idea to implement a cache for visitors. Had some trouble setting this up with my old, small and reliable hosting company, with a very simple solution: almost every attack was going to the cache wall. The site was back on, but with all kinds of problems with cookies. Users logging in the Forum with another credentials, even with administration powers, just because a bad configured cache. This add-on solved the problem.

After that, or the money from the group/organization who was attacking me burned out, or, the cache solution resolved all my problems.

What i don't know is why KnownHost, a very large and professional group was unable to think outside of the 'firewall' and 'ip/country blocks' common thinking and implemented this or other solution in the time. I am a very disappointed ex-consumer of KnownHost, since mostly of administrators tell wonders about their service. Day after day in the ticket, was a new guy after the old guy finished his shift, with a not so good new solution and tryout to see if was going to work.

CloudFlare just limited to reply in the time that a 'internal case study' or some kind of 'audit' was going to happen. Yeah, ok, thanks. Cancelled and got back to the free plan. Was the same service for me, paid or not.

My experience. In the middle of the chinese pandemic, loosing money day by day.

What a nightmare.
 

RobParker

Well-known member
Was going to mention this. Every visit here today gets the cloudflare DDOS protection page for a few seconds first. As I'm in the UK, I assume everyone's getting this.
 

Chris D

XenForo developer
Staff member
Yes currently have blanket under attack mode enabled. I’m sure they’ll get bored eventually.

It is mostly originating from Russia and South America so we may be able to enable it geographically but for now there’s a short delay if you’ve not visited for a bit.
 

deslocotoco

Well-known member
Yes currently have blanket under attack mode enabled. I’m sure they’ll get bored eventually.

It is mostly originating from Russia and South America so we may be able to enable it geographically but for now there’s a short delay if you’ve not visited for a bit.

Godspeed Chris. Yeah, I think they will get bored. No doubt. Happens 99,9% of the times in this non-critical attacks.

Usually the Under Attack Mode for this situation deal very fine.

And yeah, here in South America is another farm of computers bots/slaves.

Will pass soon.
 

woody

Well-known member
Yes currently have blanket under attack mode enabled. I’m sure they’ll get bored eventually.

It is mostly originating from Russia and South America so we may be able to enable it geographically but for now there’s a short delay if you’ve not visited for a bit.
I visit XF every day. Get the Cloudflare DDOS page every time, 4x today.

Hopefully Utah is not attacking..
 

Chris D

XenForo developer
Staff member
Fair amount of suspicious traffic from the USA so, alas, the blanket "under attack" mode will stay for a bit.

To put it into pictures, this is the last 72 hours:

1632866950285.png


I did experiment earlier with firewall rules to only block Russia, Czech Republic, Brazil and Mexico earlier but we were still getting relatively hammered by USA traffic too. Only problem with adding USA into the firewall rule is that's where most of our legitimate traffic comes from anyway so little point and we left the under attack mode on for everyone.

Though between us only, it seems like they might have gotten bored in the last few hours... might be time for us to switch it back off 🤫
 

Xon

Well-known member
This sadly causes the https://xenforo.com/customer-api/license-lookup.json API to become unusable for automation :(

Looks like I'll need to adjust the license validation add-on so it avoids blowing up the registration process if it can't validate the license token.
 

Chris D

XenForo developer
Staff member
It has been fixed in the last 20 minutes or so.

We had an exception for https://xenforo.com/api/* and that was working fine. We only got told recently that /customer-api calls were being affected.
 

deslocotoco

Well-known member
Fair amount of suspicious traffic from the USA so, alas, the blanket "under attack" mode will stay for a bit.

To put it into pictures, this is the last 72 hours:

View attachment 257852

I did experiment earlier with firewall rules to only block Russia, Czech Republic, Brazil and Mexico earlier but we were still getting relatively hammered by USA traffic too. Only problem with adding USA into the firewall rule is that's where most of our legitimate traffic comes from anyway so little point and we left the under attack mode on for everyone.

Though between us only, it seems like they might have gotten bored in the last few hours... might be time for us to switch it back off 🤫

Hell of attack, 7,6 millions in 72 hours we can consider of course a medium size and proposital attack, no doubt.

Now, imagine in my backstory: around ~13 million PER DAY for more than one month. A true nightmare. I don’t know until today why I didn’t give up in that time.

After that, I had to go more deep in the habit hole, and man, how is easy and cheap to contract some Botnet in the surface web. Costs nothing.

Seeing your image remember a lot of my situation in the past. And Brazil is becoming a big botnet too. To many pirate computers and softwares around here.

PS: Since CloudFlare was good for nothing for me, and, if you guys still going to have problems, the cache for guests was better than anything paid in CF. No costs, just a cache wall for guests. No server demand, no performance impact, nothing. And free. Just watch the cookies settings.
 

jeb35

Well-known member
@Chris D

Unfortunately there is a lot of USA spam, has been for years so it doesn't surprise me that there is a lot DOS'ing from USA going on too. Most of our users registering on a forum I admin, not own are spam. Unfortunately, the owner of that forum is absent and doesn't have the spam settings tighter.
 

dougdirac

Active member
I was hoping there was a way to have them edge cached with Cloudflare so my server doesn't even see them. Kinda like how Cloudflare can work with Wordpress.
 
Top