Join the community today
Register Now

Cloudflare DDOS Mitigation with Real Life Example

Discussion in 'System Administration' started by Rake-GH, May 18, 2021.

  1. Rake-GH

    Rake-GH Active Member

    179
    93
    28
    Jul 29, 2019
    USA
    Ratings:
    +144
    Local Time:
    11:41 AM
    default
    default
    This is a video I made showcasing how I use Cloudflare's firewall rules to augment it's DDOS protection. It's relatively easy to bypass Cloudflare, it's routinely referred to as a "application layer 7 bypass" or a "UAM bypass" in the booter service industry.

    My site has been getting ddosed 3-4 times a week since September, but in the past month it's been 2-3 times per day. So in this video I will walk you through everything I do to stop the attacks from hitting my server, and I will use a real life scenario.

    Since this video posted we got ddosed 3 more times and they all failed because of the settings I use.

    I hope it is helpful to those who deal with this regularly like I do. The 20$ professional version of Cloudflare is all you need + these firewall rules.

    If you are offended by words, you should not watch this video.


     
  2. eva2000

    eva2000 Administrator Staff Member

    54,368
    12,198
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,763
    Local Time:
    2:41 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    @Rake-GH thanks for sharing your process. I know at least @rdan and @BamaStangGuy probably utilise Cloudflare Firewall/WAF with similar process too.

    I do something very similar when I comb through my Cloudflare web analytics, firewall event logs and also via Cloudflare Enterprise Bot Management which is bloody awesome. Though Cloudflare Firewall and WAF are bloody awesome by themselves.

    Currently, I have 93 Cloudflare Firewalls set up to fine tune my security and now have also enabled Cloudflare Normalize URL feature now Dynamic URL Rewriting at the edge with Cloudflare and Required Firewall Rule changes to enable URL Normalization

    cf-firewall-rules-01.png

    Recently I updated a Cloudflare Firewall rule to block a specific attack that shows up in Cloudflare Web Analytics as 403 access denied HTTP status code which logged an increase.

    And in Cloudflare Firewall Events logs, I have rules that log Allowed requests, as well as Cloudflare Enterprise plan, can log simulated Firewall events without actually blocking them for troubleshooting or research before deciding to block them or not :)

    cf-analytics-403-01.png
    cf-firewall-events-01.png

    And Cloudflare Enterprise Bot Management analytics

    cf-bot-management-01.png
    cf-bot-management-02.png
     
  3. Rake-GH

    Rake-GH Active Member

    179
    93
    28
    Jul 29, 2019
    USA
    Ratings:
    +144
    Local Time:
    11:41 AM
    default
    default
    damn, Bot Analytics looks cool!
     
  4. rdan

    rdan Well-Known Member

    5,444
    1,408
    113
    May 25, 2014
    Ratings:
    +2,201
    Local Time:
    12:41 AM
    Mainline
    10.2
    I don't receive much attacks this days anymore, I think they surrender already :D.
    Yes Cloudflare helps a lot.
     
  5. eva2000

    eva2000 Administrator Staff Member

    54,368
    12,198
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,763
    Local Time:
    2:41 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    That's good to hear :D

    It is and so easy to create Cloudflare Firewall rules to ban bots and automated attacks!

    example

    cf-bot-management-rule-example1.png
     
  6. Rake-GH

    Rake-GH Active Member

    179
    93
    28
    Jul 29, 2019
    USA
    Ratings:
    +144
    Local Time:
    11:41 AM
    default
    default
    We got 4 DDOS attacks after I published the video and they all got blocked :p
     
  7. Rake-GH

    Rake-GH Active Member

    179
    93
    28
    Jul 29, 2019
    USA
    Ratings:
    +144
    Local Time:
    11:41 AM
    default
    default
    This is pretty petty, but I couldn't resist