Dealing with DDoS

JoyFreak

Well-known member
I’ve been getting ddos’d quite a bit recently, where a high number of bots are sent to my webpage. I’m using CloudFlare and it always hits a rate limit with a 1200 error. I have to put my website under attack mode for this error message to disappear. It seems to happen frequently and doesn’t seem to be an efficient way to deal with it. How do people deal with this and what is a permanent fix where this doesn’t happen and my website stays online consistently?
 

JustinHawk

Well-known member
> I’ve been getting ddos’d quite a bit recently, where a high number of bots are sent to my webpage. I’m using CloudFlare and it always hits a rate limit with a 1200 error. I have to put my website under attack mode for this error message to disappear. It seems to happen frequently and doesn’t seem to be an efficient way to deal with it. How do people deal with this and what is a permanent fix where this doesn’t happen and my website stays online consistently?

Use a server that comes with DDoS protection and put that server behind an nginx proxy server to hide the real IP of the server. If someone has the real IP of your server, even Cloudflare can't do much. Though better to buy a DDoS-protected server. I think the cost of that would be around $100/month or less from OVH.
 

JoyFreak

Well-known member
I’m currently with Linode. Isn’t there anything I could do on the server side and/or via CloudFlare rather than having to switch hosts?
 

rdn

Well-known member
Try to come up with a custom firewall on CF to combat those Application attacks.
 

Baby Community

Well-known member
Me too https://www.bebekforum.net.tr/
There was a lot going on on this site. I was looking at the source of the attack. If it was coming from abroad, I would close the entries from abroad. If it was from within the country, I was temporarily closing the entrances from the country. I was constantly being attacked. It looks like a rival site's game. Your rise must have bothered them. I suffered a lot from these attacks. But there is a method to this. My method drops your hit. When I was at the top for a while, I fell down in Google rankings.
 

JustinHawk

Well-known member
> I’m currently with Linode. Isn’t there anything I could do on the server side and/or via CloudFlare rather than having to switch hosts?

Buy a server firewall from blazingfast.io and configure the nginx proxy/firewall in between, that they provide for ddos protection.
 

javakhir

Active member
If the attacker already knows your server IP, you must ask your hosting to replace the existing one with a new one! This is a must before buying protection.
If the attacker uses Layer 7, Cloudflare won't help you; it protected against the old Layer 4 DDoS method. They simply can find attackers' IP addresses and complain to the hosting to shut down the attackers' servers; this is how Cloudflare works. But still, try their Pro plan, $20 per month.

If you can pay one time, hire a developer, not a coder, to set up protection on your server; that would take time, because at least 50 attack methods exist.

Or get stormwall.pro for $100 per month; no one can bring your web down.
 

eva2000

Well-known member
> I’ve been getting ddos’d quite a bit recently, where a high number of bots are sent to my webpage. I’m using CloudFlare and it always hits a rate limit with a 1200 error. I have to put my website under attack mode for this error message to disappear. It seems to happen frequently and doesn’t seem to be an efficient way to deal with it. How do people deal with this and what is a permanent fix where this doesn’t happen and my website stays online consistently?

Just my AUD$0.02 again :)

Cloudflare's tools for DDOS attack mitigation have grown a lot over the years. You can start with the Cloudflare Community tutorial section https://community.cloudflare.com/tag/tutorials. Specifically for https://community.cloudflare.com/t/mitigating-an-http-ddos-attack-manually-with-cloudflare/302366

You can extend your origin server logging and inspection to see what requests hit your origin server and inspect Cloudflare web analytics to see if you can find patterns of access to restrict.

You can use Cloudflare Firewall's fields to create Firewall rules to restrict access https://developers.cloudflare.com/ruleset-engine/rules-language/fields/ as there are more advanced static, dynamic fields and request header, body fields and response fields you can create Cloudflare Firewall rules from - including using IP reputation (CF Threat Scores) and for CF Enterprise plans Bot Management (CF Bot Scores). Soon you'll be able to also utilise CF WAF Machine Learning scores in CF Firewall rules https://blog.cloudflare.com/waf-ml/

As of today, we expose scores for two attack vectors: SQL injection and Cross Site Scripting. Users can create custom WAF/Firewall rules using three separate scores: a total score (cf.waf.ml.score), one for SQLi and one for XSS (cf.waf.ml.score.sqli, cf.waf.ml.score.xss, respectively). The scores can have values between 1 and 99, with 1 being definitely malicious and 99 being valid traffic.

You can then use the insights you find from the inspection to tailor Cloudflare Firewall rules in conjunction with using Cloudflare Transform rules https://developers.cloudflare.com/rules/transform that can modify the request and response headers before they hit Cloudflare. So if for instance, you know that requests to a specific URL will always have a valid referrer request header, you can set up Cloudflare Firewall rules to look for that in determining if a request is valid.

Cloudflare Firewall request body fields can be one advanced method but that is Cloudflare Enterprise plan only https://developers.cloudflare.com/ruleset-engine/rules-language/fields/#http-request-body-fields.
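
An added example (not part of eva2000's post or any Cloudflare code) of the workflow described above: scan origin access logs for a path that is hit heavily without a Referer header, then turn the finding into a Cloudflare rule expression. The log lines are constructed, `example.com` stands in for the site's hostname, and the thresholds are assumptions to tune.

```python
import re
from collections import Counter

# nginx "combined" log format
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# Constructed sample traffic: 6 referer-less hits on /search, 2 normal
# /search hits that carry the site's referer, 2 direct thread views.
SAMPLE = (
    [f'203.0.113.{i} - - [01/Jan/2022:10:00:0{i} +0000] "GET /search?q={i} '
     f'HTTP/1.1" 200 512 "-" "Mozilla/5.0"' for i in range(1, 7)]
    + [f'198.51.100.{i} - - [01/Jan/2022:10:00:1{i} +0000] "GET /search?q=x '
       f'HTTP/1.1" 200 900 "https://example.com/" "Mozilla/5.0"' for i in (1, 2)]
    + [f'198.51.100.{i} - - [01/Jan/2022:10:00:2{i} +0000] "GET /threads/1 '
       f'HTTP/1.1" 200 4000 "-" "Mozilla/5.0"' for i in (3, 4)]
)

def suspect_paths(lines, min_hits=5, min_share=0.7):
    """Paths with many hits where most requests carry no Referer header."""
    total, no_ref = Counter(), Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of guessing
        path = m["uri"].split("?", 1)[0]
        total[path] += 1
        if m["referer"] in ("", "-"):
            no_ref[path] += 1
    return sorted(p for p, n in total.items()
                  if n >= min_hits and no_ref[p] / n >= min_share)

def rule_expression(path, site_host):
    """Cloudflare rule expression: this path, no on-site referer, not a known bot."""
    for value in (path, site_host):
        if '"' in value or "\\" in value:
            raise ValueError("refusing to build an expression from unescaped input")
    return (f'(http.request.uri.path eq "{path}" '
            f'and not http.referer contains "{site_host}" '
            f'and not cf.client.bot)')

if __name__ == "__main__":
    for p in suspect_paths(SAMPLE):
        print(rule_expression(p, "example.com"))
```

Pair an expression like this with a challenge action rather than an outright block, because legitimate direct visits also arrive without a referer; the `cf.client.bot` exclusion keeps verified search-engine crawlers out of the rule.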
 

JoyFreak

Well-known member
Also, do people have their security level set to medium or high on CloudFlare? I had it at medium at first but I’ve set it to high from yesterday since the attacks. No idea if it will help in any way?
 

fionix

Active member
Actually, what works well but isn't easy to set up is to use the firewall on your server to only allow CLOUDFLARE IPs; buy the subscription from CF that allows you BOT FIGHT MODE too.

Now you are going to switch your IP; ask a specialist to hide the IP so it can't be seen from the Internet, and configure Cloudflare as mentioned above.

NOTE: When Cloudflare helps you fight DDOS you need to be aware that they in 99% also block for Google and other search engines; you need to make a rule in CF that allows these engines to spider your website, otherwise you get rid of the DDoS but your site will suffer to rank.

I would find a specialist to help you, I tried 3 weeks when they hit us hard, with a lot of users providing nonsense or not working methods until I found a company that quickly and also cheap got it all sorted out in a few hours. Paid about 500 euro for it.

ANOTHER NOTE: Make sure you don't send emails from your server, the *******s will catch your server IP from such emails, use a service like mailjet or similar to hide your ip.
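
An added example (not from fionix's post or from Cloudflare) of the origin-side allowlist described above: it validates a list of Cloudflare CIDR ranges and renders an nftables ruleset that accepts web traffic only from those ranges. `CF_SAMPLE` is a small illustrative subset of the published ranges, and the table and set names are hypothetical.

```python
import ipaddress

# Sample subset of Cloudflare's published ranges, for illustration only; load
# the current lists from https://www.cloudflare.com/ips-v4 and /ips-v6.
CF_SAMPLE = ["173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13", "2606:4700::/32"]

def parse_ranges(cidrs):
    """Validate CIDRs (a typo raises ValueError) and split them by IP version."""
    nets = [ipaddress.ip_network(c.strip()) for c in cidrs if c.strip()]
    return [n for n in nets if n.version == 4], [n for n in nets if n.version == 6]

def is_allowed(addr, cidrs):
    """Would the ruleset below accept a web connection from this peer address?"""
    ip = ipaddress.ip_address(addr)
    v4, v6 = parse_ranges(cidrs)
    return any(ip in n for n in (v4 if ip.version == 4 else v6))

def nft_ruleset(cidrs, ports=(80, 443)):
    """nftables ruleset: web ports reachable from the listed ranges only."""
    v4, v6 = parse_ranges(cidrs)
    if not (v4 or v6):
        raise ValueError("empty allowlist would drop all web traffic")
    dport = "tcp dport { " + ", ".join(map(str, ports)) + " }"
    out, rules = ["table inet cf_origin {"], []   # table name is hypothetical
    for name, typ, fam, nets in (("cf4", "ipv4_addr", "ip", v4),
                                 ("cf6", "ipv6_addr", "ip6", v6)):
        if nets:  # only emit a set and rule for families that have ranges
            out += [f"  set {name} {{", f"    type {typ}", "    flags interval",
                    f"    elements = {{ {', '.join(map(str, nets))} }}", "  }"]
            rules.append(f"    {dport} {fam} saddr @{name} accept")
    out += ["  chain input {",
            "    type filter hook input priority 0; policy accept;",
            *rules, f"    {dport} drop", "  }", "}"]
    return "\n".join(out)

if __name__ == "__main__":
    print(nft_ruleset(CF_SAMPLE))
```

The output can be written to a file and loaded with `nft -f`; only the listed web ports are filtered, so SSH and other services stay under whatever rules already exist.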
 

JustinHawk

Well-known member
> Also, do people have their security level set to medium or high on CloudFlare? I had it at medium at first but I’ve set it to high from yesterday since the attacks. No idea if it will help in any way?

I have this completely off, and since you have mentioned that you got rate limited (Error 1200), I think you should check your server configuration, as this looks more like a server configuration error to me.
 