Spirit100

Member
Jul 24, 2012
97
71
Hi Everyone,

This might sound like a very stupid help thread, and my mind has gone blank over this now because the hosting providers I used to use have closed down.

The issue I'm having is that someone is sending attacks to my domain which are flooding the site, making it unavailable. Has anyone got any suggestions on where I could buy an HTTP proxy? I am using CF and I have a TCP proxy.

I have also followed a TUT on here on how to put the IPs of CF into your IIS.

Thanks.
 

Joe

Well-Known Member
Jun 10, 2012
4,090
1,918
JavaPipe are good. Not cheap though :)

I can vouch, I’ve used these previously! Or buy an OVH game dedi (£80+) and configure the firewall.
 

Spirit100

Member
Jul 24, 2012
97
71
> JavaPipe are good. Not cheap though :)
>
> I can vouch, I’ve used these previously! Or buy an OVH game dedi (£80+) and configure the firewall.

Yeah, a bit out of my price range for a hotel. I might try to block some stuff in the firewall on my server, as it's protected from that, but it's being attacked through the domain. Thanks for your response :)
 

BIOS

ಠ‿ಠ
Apr 25, 2012
906
247
Whitelisting CF IPs is good but isn't a silver bullet. You need rate limiting; it would probably be best to add a firewall rule on CF which issues a "captcha" (don't use js-challenge) to potentially malicious requests. I believe free-tier customers get 5 free rules.

Check the requests you're seeing on the CF dashboard, or in your webserver access logs. Try to find a correlation between them, i.e. are they all originating from the same ASN, similar user agent, same request path? (and so on), and create a rule to "challenge" (or, if you're sure, "block") those requests.

> Yeah, a bit out of my price range for a hotel. I might try to block some stuff in the firewall on my server, as it's protected from that, but it's being attacked through the domain. Thanks for your response :)
You're much better off blocking it before it reaches your server, i.e. at Cloudflare level. If you block on your server, it still has to process the request; even if it's only a small burden, it adds up.

This needs updating but might also be useful:
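One way to do the log correlation BIOS describes, as an added example that is not code from anyone in this thread: it parses IIS W3C extended log lines (the OP's server is IIS; the lines below are constructed samples), counts the most common client IP, user agent and request path, and flags any field whose top value covers most of the traffic as a candidate criterion for a Cloudflare challenge or block rule. The 60% threshold, the field selection and the function names are assumptions; ASN correlation needs an external lookup and is not shown.

```python
"""Find the common thread in a request flood from IIS W3C extended access logs.

Added example for this thread, not code from any poster. SAMPLE_LOG is a
constructed IIS-style log; field order is taken from its #Fields header rather
than assumed. Caveat: behind Cloudflare, c-ip is the edge node's address unless
the origin is configured to log the visitor IP from CF-Connecting-IP, so the
user agent and path columns are usually the more telling ones.
"""
from collections import Counter

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-05-01 12:00:01 10.0.0.5 GET /client - 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0)+Firefox/76.0 https://example.test/ 200 0 0 120
2020-05-01 12:00:01 10.0.0.5 POST /api/login - 443 - 198.51.100.7 python-requests/2.23.0 - 401 0 0 15
2020-05-01 12:00:01 10.0.0.5 POST /api/login - 443 - 198.51.100.8 python-requests/2.23.0 - 401 0 0 14
2020-05-01 12:00:02 10.0.0.5 POST /api/login - 443 - 198.51.100.9 python-requests/2.23.0 - 401 0 0 16
2020-05-01 12:00:02 10.0.0.5 POST /api/login - 443 - 198.51.100.7 python-requests/2.23.0 - 401 0 0 15
2020-05-01 12:00:02 10.0.0.5 GET /news/latest - 443 - 203.0.113.22 Mozilla/5.0+(Macintosh)+Safari/605.1.15 https://example.test/client 200 0 0 88
2020-05-01 12:00:03 10.0.0.5 POST /api/login - 443 - 198.51.100.8 python-requests/2.23.0 - 401 0 0 13
2020-05-01 12:00:03 10.0.0.5 POST /api/login - 443 - 198.51.100.10 python-requests/2.23.0 - 401 0 0 15
2020-05-01 12:00:03 10.0.0.5 POST /api/login - 443 - 198.51.100.9 python-requests/2.23.0 - 401 0 0 17
2020-05-01 12:00:04 10.0.0.5 POST /api/login - 443 - 198.51.100.10 python-requests/2.23.0 - 401 0 0 14
"""


def parse_iis_w3c(text):
    """Parse IIS W3C extended log text into dicts keyed by the #Fields names."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date carry no request data
        if fields is None:
            raise ValueError("log entry appears before any #Fields header")
        values = line.split()  # IIS writes '+' for spaces inside a field, so split is safe
        if len(values) != len(fields):
            continue  # truncated or malformed entry; skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def correlate(records, fields=("c-ip", "cs(User-Agent)", "cs-uri-stem"), threshold=0.6):
    """For each field, the most common value and its share of all requests.

    A field whose top value covers at least `threshold` of the traffic is a
    candidate criterion for a Cloudflare firewall rule (challenge first, block
    once you are sure there are no false positives).
    """
    total = len(records)
    if total == 0:
        return {}
    report = {}
    for f in fields:
        counts = Counter(r.get(f, "-") for r in records)
        value, n = counts.most_common(1)[0]
        share = n / total
        report[f] = {"top": value, "share": round(share, 3), "candidate": share >= threshold}
    return report


def rule_criteria(report):
    """(field, value) pairs worth turning into a rule, most concentrated first."""
    hits = [(f, d["top"], d["share"]) for f, d in report.items() if d["candidate"]]
    return [(f, v) for f, v, _ in sorted(hits, key=lambda h: -h[2])]


if __name__ == "__main__":
    rep = correlate(parse_iis_w3c(SAMPLE_LOG))
    for f, d in rep.items():
        print(f"{f:16} top={d['top']!r:45} share={d['share']:.0%} candidate={d['candidate']}")
    print("rule criteria:", rule_criteria(rep))
```

On the constructed sample the user agent and the path each cover 80% of requests while no single client IP exceeds 20%, which is exactly the pattern BIOS is pointing at: a distributed source with a common fingerprint, so the rule should key on the fingerprint rather than on addresses.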
 

Hypothesis

Programmer
Jan 6, 2019
524
361
Most attacks these days are Layer 7 and can bypass the CloudFlare captcha as they're not seen as bots or any specific malicious network; they're just hijacked computers or servers, so it's hard to block them. I wouldn't suggest rate-limiting on CloudFlare as the bill will run up quickly and you only get 10,000 requests for free. That sounds like a lot, right? Nah, that'll add up very quickly, mostly from people even just visiting your hotel. What you could do is add a check for your URL and make a website redirect, so that way all the traffic gets redirected to a specific URL, which tends to block any types of requests that are not actual people. But then you'd have to also add a check for parameters; even with a check on that, they could still just switch to another header method such as POST.

My recommendation is that you look into adding a captcha to your website that isn't CloudFlare, so that way all traffic must go through a captcha before their session is accepted.
 

BIOS

ಠ‿ಠ
Apr 25, 2012
906
247
> Most attacks these days are Layer 7 and can bypass the CloudFlare captcha as they're not seen as bots or any specific malicious network; they're just hijacked computers or servers, so it's hard to block them. I wouldn't suggest rate-limiting on CloudFlare as the bill will run up quickly and you only get 10,000 requests for free. That sounds like a lot, right? Nah, that'll add up very quickly, mostly from people even just visiting your hotel. What you could do is add a check for your URL and make a website redirect, so that way all the traffic gets redirected to a specific URL, which tends to block any types of requests that are not actual people. But then you'd have to also add a check for parameters; even with a check on that, they could still just switch to another header method such as POST.
>
> My recommendation is that you look into adding a captcha to your website that isn't CloudFlare, so that way all traffic must go through a captcha before their session is accepted.
They can bypass the Cloudflare js-challenge, not the real CAPTCHA (and that's because js-challenge is literally just asking the client to compute a basic math equation in JS; it shouldn't ever really be depended upon). You can use 5 firewall rules on CF for free (and set them to CAPTCHA, or block altogether if you're confident of no false positives), and then configure rate limiting on your own server e.g. , for anything that gets past those rules.

Adding a CAPTCHA to the site wouldn't really do a lot in this case. Sure, it'd maybe stop bots being able to log in and access other areas of your site, but ultimately you'd still end up processing all the malicious requests at your origin (seen 25M+/day in some cases); chances are you'd still get knocked offline pretty quickly from them hammering your CAPTCHA page, especially without tuning the server or adjusting connection hard limits.
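As an added example (not code from any poster) of the origin-side layer BIOS mentions, the following Python models the two decisions an origin behind Cloudflare wants to make: honour `CF-Connecting-IP` only when the TCP peer really is a Cloudflare edge node, and apply a per-visitor token bucket to whatever gets past the edge rules. The edge ranges here are placeholders (the real list is published at https://www.cloudflare.com/ips and changes), and the rate, burst, `OriginGate` name and the fake clock are assumptions chosen to keep the run deterministic.

```python
"""Origin-side gate behind Cloudflare: trust the edge, then rate-limit per visitor.

Added example for this thread, not code from any poster. EDGE_RANGES are
PLACEHOLDERS; the real Cloudflare edge prefixes are published at
https://www.cloudflare.com/ips and change over time, so load them from there.
"""
import ipaddress
import time
from collections import defaultdict

# Placeholder prefixes standing in for the published edge list.
EDGE_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]


def is_edge(peer_ip):
    """True when the TCP peer falls inside one of the (placeholder) edge prefixes."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in EDGE_RANGES)


def visitor_ip(peer_ip, headers):
    """Real client address for logging and limiting.

    CF-Connecting-IP is honoured only when the connection really comes from the
    edge; anything connecting to the origin directly can put any value in that
    header, so for a direct peer the header is ignored and the peer itself is used.
    """
    if is_edge(peer_ip):
        return headers.get("CF-Connecting-IP", peer_ip)
    return peer_ip


class TokenBucket:
    """Per-key token bucket: `burst` requests at once, then `rate` per second."""

    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.tokens = defaultdict(lambda: float(burst))
        self.updated = {}

    def allow(self, key):
        now = self.clock()
        last = self.updated.get(key, now)
        self.tokens[key] = min(self.burst, self.tokens[key] + (now - last) * self.rate)
        self.updated[key] = now
        if self.tokens[key] >= 1:
            self.tokens[key] -= 1
            return True
        return False


class OriginGate:
    """Decide what the origin does with one request: drop, 429, or serve (200)."""

    def __init__(self, limiter):
        self.limiter = limiter

    def decide(self, peer_ip, headers):
        # Whitelisting the edge: a request that did not come through Cloudflare is
        # dropped, since the edge rules never saw it. The origin has still accepted
        # the TCP connection and parsed the request to get here, which is the cost
        # BIOS describes and why the edge-level rules do the heavy lifting.
        if not is_edge(peer_ip):
            return "drop"
        if not self.limiter.allow(visitor_ip(peer_ip, headers)):
            return "429"
        return "200"


class FakeClock:
    """Deterministic clock so the simulation below is reproducible."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def simulate():
    """Constructed traffic: one direct hit, a burst via the edge, then a refill."""
    clock = FakeClock()
    gate = OriginGate(TokenBucket(rate=2.0, burst=3, clock=clock))
    via_edge = {"CF-Connecting-IP": "203.0.113.77"}
    decisions = [gate.decide("203.0.113.5", via_edge)]      # direct peer, header spoofed
    for _ in range(5):                                      # five requests at t=0
        decisions.append(gate.decide("192.0.2.10", via_edge))
    clock.now = 1.0                                         # one second later: +2 tokens
    decisions.append(gate.decide("192.0.2.10", via_edge))
    decisions.append(gate.decide("192.0.2.11", {"CF-Connecting-IP": "203.0.113.78"}))  # other visitor
    return decisions


if __name__ == "__main__":
    print(simulate())
```

The bucket is keyed on the visitor address recovered from the edge, not on the edge node's address; keying on the peer IP would throttle everyone arriving through the same Cloudflare node together. In IIS the same two decisions map to the IP and Domain Restrictions allow list and the Dynamic IP Restrictions module, respectively.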
 
