Cloudflare Cloudflare Announces Unmetered DDOS Mitigation For All Plans

Yeah I utilize that too.

But with 3.5 million request per second peak seems some just hit my server for few seconds until Cloudflare kick in.

 

It blocked 363 Million

 

I don't think your attacker is smart, he is making an impressive big attack but ineffective, if the attack still can't bypass the challenge then no matter how much it sends it won't be enough.
Smart attackers only need 10 minutes to know if their hit is enough to take your site down, they'll move on if it crashes, they'll find another way if it doesn't. I'm just seeing an obstinate person sending a huge amount of disabling attacks to your site (seems like he's hoping cloudflare will remove you from the system if you don't use the 200usd/month enterprise plan)
I still fear attackers with a very small resource but still able to bring down any website, they bypass every challenge we know: javascript, captcha...

 

Those 2 attacks earlier, totaling 20 minutes, successfully reached my server for 2 minutes (every 1st minute during the attack hit my server), resulting in a total of 780 million requests and causing my server to hang or halt.
But Cloudflare blocked the remaining 1.27 billion requests.

I don't think they can totally bypass Cloudflare; I just think Cloudflare has a few seconds' delay when the attack is too strong.

If someone can really bypass Cloudflare, a lot of sites will be in total trouble.

 

I don't even use CF UAM, cause it's to problematic with legit users.
I just utilize the custom firewall rules, rate limiting, caching, etc.

 

With much changes on the cf firewall and rate limit, this time it didn't touch my server
Still I'm not using UAM.

 

In my experience a perfect L7 attack would look like this:
1. Bypass cache, using random query 404 /asrgasrfdg /345fawsef /randomxxx... will cause the query to go straight to the backend and not be served by the cache, the backend (database server) will have to process and issue "404" result
2. bypass ratelimit, with 1 ip the attacker will send packets below the ratelimit you set, he sends an unbelievably small number of packets and use of a large number of IPs
3. bypass javascript check, using attack engine written in python, nodejs... use browser headless to handle javascript challenges
4. bypass captcha, use the api sold from the "captcha solver farm" for example 2captcha.com. they solve almost all the captcha we know: reCAPTCHA V2-V3, hCaptcha, GeeTest CAPTCHA...

Check netstat we only see about 500 to 1000con/s (too little to die), but a 20core server can die, because of cpu overload (PHP server, Mysql Server...)

 

Yes, they do this; I believe they have between 20 and 40 thousand distinct IP addresses at any given time.
And they know which page isn't cached at all.

This can be easily mitigated with CF rate limit rules and a CF custom firewall.

My average number of HTTPS/443 connected visitors per second is 1,500 to 3,500, and 1,000 to 2,000 for web sockets.
And I'm just using 6 CPU cores and 12 threads on a dedicated server .
I'll share again here once the attacker resumes.

 

I got a 3 minutes attack again today.



My custom firewall mitigated 2.2M and CF DDOS protection mitigated 1.6M.

 

@rdan Are you on the free or paid plan ?

 

Pro plan.

 

4 minutes attack.


I think "Browser integrity check" and "Security Level" isn't that useful anymore.

 

Yes, the CF security level is still good to have, but the "Browser integrity check" is prone to false positives, resulting in an immediate block rather than a request challenge.

I have browser integrity checking disabled now because I had a user with a new Ubuntu Desktop install who was using the Edge browser and was falsely blocked by BIC a few days ago.
and there's no way to enter the site.

 

This is so true, and I'm curious how to bypass the PHP/MySQL backend, Nginx alone can't decide if it's a 200 or 404 response.

This month, the low attacks I got still used 10–15 thousand unique IPs.
Even if they only run 5 requests per IP per second, it will cause the site to crash.
I have to disable some custom CF-managed challenges as they cause some issues for a few VPN users.

Never ending battle :|