Unusually high number of guests (4x to 5x normal)

Wildcat Media

I've been wondering why our forum has been sluggish the past 36 or so hours, and finally got back to civilization where I can check into it.

Looking at the number of visitors online, we're over 11,000 as I write this. Normally we'll have 2,000 to 2,500 guests.

I spot checked a few IP addresses and most of those I checked come from Brazil.

We do use Cloudflare. Yet every time I log into that mess, they've added more features, moved others around, and put a few behind paywalls now. They've made their product almost unusable IMHO.

I wouldn't exactly say we are under attack, but on the other hand, the slow access is a denial of service. I'm tempted to enable this for a short time to see if it drives off what are most likely bots. But beyond that, I can't block Brazil, for instance, as we have legitimate visitors from that country.

What else could I do with Cloudflare? I do have some bot categories blocked (like "AI" slop) but don't know what to do beyond that.
 
Within about five minutes, the "I'm under attack" feature knocked our traffic back down to normal.

I disabled it minutes later, refreshing the browser every few seconds, and the number of visitors jumped up at least 100 each time.

I can't remain in "under attack" mode permanently, so I'm going to have to dig around on how to fix this.
 
Common problem lately - AI bots and other badly behaved bots.

If you haven't already - you should install @digitalpoint's excellent App for Cloudflare.


As for blocking - you want to start by identifying patterns in the traffic.

Go to Security > Analytics and see whether the traffic comes from a single IP address or a range of IP addresses. Look for a common ASN for the IP addresses causing the problems.

You can then start to build custom rules blocking access to your site from the IP addresses or ASNs - go to Security > WAF > Custom rules

Also go to Security > Bots and make sure you have Bot Fight Mode turned on and Block AI Bots if required.
 
If the only unique thing is that they are from Brazil, you could make a Cloudflare configuration rule where you set your site to "I'm under attack" only if the visitor is from Brazil.


If Country equals Brazil, then enable I’m Under Attack.

If you can narrow it down to a certain ASN, just block that ASN, or at least present them with a challenge (effectively the same thing as I'm under attack, it just would be more narrowly scoped for that ASN, rather than the entire country).

[Attached image: 1757036888689.webp]
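The advice in the two replies above (look for a common ASN first, fall back to a country-scoped challenge) can be worked through on exported traffic data. This is an added example, not part of the thread or of any poster's setup: the sample records, thresholds and function names are constructed, and the output is a Cloudflare rule expression to paste under Security > WAF > Custom rules with a Managed Challenge action.

```python
from collections import Counter

# Constructed sample of (client_ip, country, asn) records. Addresses are
# documentation ranges and the ASNs are private-use numbers, not real networks.
SAMPLE = (
    [("203.0.113.%d" % i, "BR", 64500) for i in range(1, 61)]     # noisy network A
    + [("198.51.100.%d" % i, "BR", 64501) for i in range(1, 26)]  # noisy network B
    + [("192.0.2.%d" % i, "BR", 64510) for i in range(1, 6)]      # ordinary BR visitors
    + [("192.0.2.%d" % i, "US", 64520) for i in range(100, 110)]  # ordinary US visitors
)

def dominant(counter, total, share):
    """Smallest list of top keys that together cover `share` of all requests."""
    picked, covered = [], 0
    for key, n in counter.most_common():
        picked.append(key)
        covered += n
        if covered / total >= share:
            break
    return picked, covered

def suggest_rule(records, share=0.8, max_asns=5):
    """Prefer an ASN-scoped challenge; widen to country only if ASNs are too spread."""
    total = len(records)
    by_asn = Counter(asn for _, _, asn in records)
    by_country = Counter(country for _, country, _ in records)
    asns, asn_hits = dominant(by_asn, total, share)
    countries, country_hits = dominant(by_country, total, share)
    if len(asns) <= max_asns:
        scope, hits = "asn", asn_hits
        # ip.src.asnum is the Cloudflare Rules field for the client's AS number.
        expr = "(ip.src.asnum in {%s})" % " ".join(str(a) for a in sorted(asns))
    else:
        scope, hits = "country", country_hits
        quoted = " ".join('"%s"' % c for c in sorted(countries))
        expr = "(ip.src.country in {%s})" % quoted
    return {
        "scope": scope,
        "expression": expr,
        "action": "managed_challenge",
        "requests_challenged": hits,
        # How many requests a country-wide rule would have challenged instead.
        "country_rule_would_challenge": country_hits,
    }

if __name__ == "__main__":
    for key, value in suggest_rule(SAMPLE).items():
        print(key, "=", value)
```

On the constructed sample the ASN rule challenges 85 of 100 requests and leaves the five ordinary Brazilian visitors alone, where a Brazil-wide rule would challenge all 90.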
 
There's also this:

[Attached image: 1757076496433.webp]

So it gets the low hanging fruit while doing nothing for the types of bots hitting us now. As I said, Paywall. I think it's a matter of time before Cloudflare takes away the free tier entirely. Probably just a matter of months now, given the economy and the world situation. I've never thought their freemium model was sustainable.

If the only unique thing is that they are from Brazil, you could make a Cloudflare configuration rule where you set your site to "I'm under attack" only if the visitor is from Brazil.
Thanks for that tip. I think that will do what I need for now. I can add a crapload of countries to that. Based on what I'd read last night, there was a huge uptick from Brazil on many other sites as well.

I think by leaving the "under attack" mode for a couple of hours, we've discouraged them for now since traffic has been pretty much normal overnight. I don't expect they've gone away permanently though. That gives me time to identify a list of a few dozen countries to add to the above configuration rule.

BTW, I've noticed a lot more Cloudflare human verification on sites I visit now, before the site even loads. So I'm not the only one who's had to do this.
 
I think it's a matter of time before Cloudflare takes away the free tier entirely. Probably just a matter of months now, given the economy and the world situation. I've never thought their freemium model was sustainable.

Believe it or not - they've been pretty open about the fact that the way their network operates, it is actually very beneficial to them to have their freemium model due to their scale. Something to do with network transit costs I believe. I can't find the article written by someone from Cloudflare that explained this - I'll post it if I find it.

I've also read reports from Cloudflare techs who explain that the data on traffic and attacks they see from users with free plans is extremely valuable to them for crafting defences they can sell to people on paid plans. Without all the customers using their free plans - they wouldn't have anywhere near as much data, or be alerted to attack patterns anywhere near as quickly.
 
Believe it or not - they've been pretty open about the fact that the way their network operates, it is actually very beneficial to them to have their freemium model due to their scale. Something to do with network transit costs I believe. I can't find the article written by someone from Cloudflare that explained this - I'll post it if I find it.

I've also read reports from Cloudflare techs who explain that the data on traffic and attacks they see from users with free plans is extremely valuable to them for crafting defences they can sell to people on paid plans. Without all the customers using their free plans - they wouldn't have anywhere near as much data, or be alerted to attack patterns anywhere near as quickly.
That all makes sense. 👍 We've certainly provided them plenty of data over the past few years. 😁
 
If the only unique thing is that they are from Brazil, you could make a Cloudflare configuration rule where you set your site to "I'm under attack" only if the visitor is from Brazil.
I am comparing this to a Custom Rule where I could issue a managed challenge to these countries.

I am not sure, however, if this is as effective in keeping the bots at bay. However, it may be less intrusive to visitors, and it would not time out after a given amount of time (which is another Cloudflare setting).

I don't really need the "I'm Under Attack" rule if the managed challenge would have a similar effect. Bots shouldn't be able to answer the managed challenge...
 