DDoS Protection
Vincent1, 2022-03-05 23:46:06

Why doesn't Cloudflare protect against DDoS?

The site is behind Cloudflare, and I turned on "Under Attack Mode". And still there is a flood of requests. Adding these IPs from the Apache log does not change anything at all. In Apache I log the IP like this: %{X-Forwarded-For}i

3.110.224.178, 3.110.224.178 - - [05/Mar/2022:23:24:08 +0300] "GET / HTTP/1.0" 503 1532 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36"
20.213.136.30, 20.213.136.30 - - [05/Mar/2022:23:24:08 +0300] "GET / HTTP/1.0" 503 1532 "-" "Mozilla/5.0 (Linux; Android 10; PCT-AL10 Build/HUAWEIPCT-AL10; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/92.0.4515.115 Mobile Safari/537.36 WeRead/6.1.0 (Android; 29; Screen/1080x2208; Scale/2.55)"
20.110.224.153, 20.110.224.153 - - [05/Mar/2022:23:24:08 +0300] "GET / HTTP/1.0" 503 1532 "https://www.kino-teatr.ru/" "Mozilla/5.0 (Linux; Android 4.4.2; SM-T217S Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36"
94.131.207.4, 94.131.207.4 - - [05/Mar/2022:23:24:08 +0300] "GET / HTTP/1.0" 503 1532 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36"
73.100.47.167, 73.100.47.167 - - [05/Mar/2022:23:24:08 +0300] "GET / HTTP/1.0" 503 1532 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36"
146.59.45.142, 146.59.45.142 - - [05/Mar/2022:23:24:08 +0300] "GET / HTTP/1.0" 503 1532 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36"
34.95.51.229, 34.95.51.229 - - [05/Mar/2022:23:24:08 +0300] "GET / HTTP/1.0" 503 1532 "https://yandex.ru/search/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36"
13.70.42.16, 13.70.42.16 - - [05/Mar/2022:23:24:08 +0300] "GET / HTTP/1.0" 503 1532 "https://google.com/" "Mozilla/5.0 (Windows NT 6.0; rv:38.0) Gecko/20100101 Firefox/38.0"
20.114.240.105, 20.114.240.105 - - [05/Mar/2022:23:24:08 +0300] "GET / HTTP/1.0" 503 1532 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0"
34.211.91.234,139.99.99.165, 139.99.99.165 - - [05/Mar/2022:23:24:08 +0300] "GET / HTTP/1.0" 503 1532 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36"
219.78.0.27, 219.78.0.27 - - [05/Mar/2022:23:24:08 +0300] "GET / HTTP/1.0" 503 1532 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36"
51.120.77.140, 51.120.77.140 - - [05/Mar/2022:23:24:08 +0300] "GET / HTTP/1.0" 503 1532 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36"
20.114.240.105, 20.114.240.105 - - [05/Mar/2022:23:24:08 +0300] "GET / HTTP/1.0" 503 1532 "https://vk.com/" "Mozilla/5.0 (Linux; Android 5.0.2; SM-T350 Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36"
20.114.240.105, 20.114.240.105 - - [05/Mar/2022:23:24:08 +0300] "GET / HTTP/1.0" 503 1532 "-" "Mozilla/5.0 (Linux; Android 4.0.4; BNTV600 Build/IMM76L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.111 Safari/537.36"
20.114.240.105, 20.114.240.105 - - [05/Mar/2022:23:24:08 +0300] "GET / HTTP/1.0" 503 1532 "https://www.drom.ru/" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.13 Safari/537.36"
217.146.13.86, 217.146.13.86 - - [05/Mar/2022:23:24:08 +0300] "GET / HTTP/1.0" 503 1532 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36"
20.114.240.105, 20.114.240.105 - - [05/Mar/2022:23:24:08 +0300] "GET / HTTP/1.0" 503 1532 "https://klops.ru/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; GWX:RESERVED)"
20.114.240.105, 20.114.240.105 - - [05/Mar/2022:23:24:08 +0300] "GET / HTTP/1.0" 503 1532 "-" "Mozilla/5.0 (Linux; Android 4.4.2; GT-P5210 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36"
20.114.240.105, 20.114.240.105 - - [05/Mar/2022:23:24:08 +0300] "GET / HTTP/1.0" 503 1532 "https://vk.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0"
20.114.240.105, 20.114.240.105 - - [05/Mar/2022:23:24:08 +0300] "GET / HTTP/1.0" 503 1532 "https://www.kinopoisk.ru/" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0"
47.115.6.196, 47.115.6.196 - - [05/Mar/2022:23:24:08 +0300] "GET / HTTP/1.0" 503 1532 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
20.114.240.105, 20.114.240.105 - - [05/Mar/2022:23:24:08 +0300] "GET / HTTP/1.0" 503 1532 "https://yandex.ru/search/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36"
20.114.240.105, 20.114.240.105 - - [05/Mar/2022:23:24:08 +0300] "GET / HTTP/1.0" 503 1532 "https://www.sports.ru/" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0"
221.132.113.188, 221.132.113.188 - - [05/Mar/2022:23:24:08 +0300] "GET /?0.3382341354758007 HTTP/1.0" 503 1698 "https://sudonull.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36"

netstat -antu | awk '$5 ~ /[0-9]:/{split($5, a, ":"); ips[a[1]]++} END {for (ip in ips) print ips[ip], ip | "sort -k1 -nr"}'
95.216.145.50 seems to be my VPS IP.
7471 95.216.145.50
20 0.0.0.0
15 172.70.210.191
15 162.158.190.153
14 172.70.210.13
14 172.68.25.140
13 51.77.66.181
13 172.70.34.73
13 172.70.206.173
12 172.68.24.189
11 172.70.211.76
10 172.70.35.62
10 172.70.211.88
10 172.70.206.81
10 172.70.206.187
10 172.70.134.99
10 162.158.178.121
9 172.70.134.113
9 172.68.253.5
9 162.158.179.172
9 162.158.119.100
9 141.101.84.59
9 108.162.249.17
8 172.70.135.64
8 172.70.135.58
8 172.70.122.83
8 172.68.253.53
8 162.158.178.206
8 162.158.126.167

2 answer(s)
SKEPTIC, 2022-03-06
@pro100chel

There is software that pulls the IPs making too many requests out of the Apache log and adds them to the Cloudflare firewall, which then won't let requests from those IPs through at all.
This raises the eternal question of Cloudflare's inefficiency. It seems to be there and seems to protect against L3-L4 attacks, but when it comes to L7, and especially on a free plan, everything gets pretty bad.
In general, when it comes to DDoS, you either have to build some crutches yourself, or pay good money for proper protection.
Let's think about what can be done. If you are ready to pay at least 8,000 rubles for protection, go to DDoS-Guard. They handle DDoS well. The scheme is almost the same as Cloudflare's: a reverse proxy. Only with Cloudflare you have to delegate the domain, while with DDoS-Guard you just register an A record with the domain registrar. DDoS-Guard used to have a free plan; unfortunately, it has since been removed.
The next option is free. First, you need to understand the situation and analyze your project. What is its target audience? You need to answer the questions: who is DDoSing me? Why do they need it? What resources does the attacker have?
Next, you need to think about a way out of the situation. Start by determining what exactly this attack prevents you from doing. Does it load the server to 100%? What exactly is loading the server? Apache? PHP?
As an option, switch to php-fpm >= 8.0 + nginx. Yes, this is not a solution to the problem, but it is already a small step towards solving it. Next, look at your server. If this is shared hosting, run to a VDS. In 2022, shared hosting is a very strange choice. If you already have a VDS, increase the amount of resources (many cloud providers let you pay by the hour and scale resources up and down when you need to). If the slowdowns go away and the site works fine, the attacker will realize that more effort has to go into the attack. Then you just need to monitor the load. If increasing the server resources did not help, or if the attacker brought in additional resources, move on.
And then you need to analyze the attack itself. The least you can do is look up the attacker's IPs. I took a look at a few of them: these are the IPs of cloud providers, in places like Pakistan or Canada. If you don't have an audience there, create a rule in Cloudflare so that only IPs from Russia, or wherever your target audience is, can reach the server. You can select multiple countries. Such a move will significantly cut down the attacker's resources. The Russian IPs can then be kept in some log and reported directly to the hoster that services those IPs. You can also report it to the police. In Russia, this is Articles 272 and 273 of the Criminal Code of the Russian Federation.
Moreover, it will be very difficult for an attacker to find resources in a particular country to attack from. They usually attack from hacked servers/computers, and renting such resources will be very expensive for the attacker.
As a result, we have: at the Cloudflare level, allow access to the site only from the countries where our target audience is located; set up software to automatically blacklist IPs in Cloudflare when a certain request-frequency threshold is exceeded; increase the resources on our server; switch to a more modern technology stack.
If none of this helped, then either you are a good specialist and dig into how to defend yourself from DDoS, or you shell out $100+ a month for protection. More or less large projects spend well over a thousand, even tens or hundreds of thousands of dollars a month, on protection. But even within $1,000 a month, you can find decent options for protection against attacks.
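The answer's plan has two automatable parts: flag IPs that exceed a request-frequency threshold and push them into Cloudflare as block rules, and restrict the site to the countries where the audience lives. The script below is an added example, not the answerer's tool or anything from Cloudflare. It runs a sliding-window counter per client IP over (timestamp, ip) events (assumed to come from the Apache log with the client already extracted from the proxy-appended X-Forwarded-For hop), builds one IP Access Rule body per offender for the Cloudflare endpoint as documented at the time of writing, and emits a Cloudflare Rules expression that blocks every country outside an allowlist. The zone id and API token are placeholders, nothing is sent unless dry_run is turned off, and the sample events are constructed.

```python
import json
import urllib.request
from collections import defaultdict, deque

# Cloudflare IP Access Rules endpoint (per Cloudflare's API documentation at
# the time of writing); the zone id is filled in from a placeholder below.
API = "https://api.cloudflare.com/client/v4/zones/{zone}/firewall/access_rules/rules"


def flag_abusers(events, window_s=10, threshold=20):
    """Return the IPs that made >= threshold requests inside any window_s span.

    events: iterable of (epoch_seconds, client_ip). A per-IP sliding window
    is used so a steady trickle below the rate is never flagged, while a burst
    is caught as soon as it crosses the threshold.
    """
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip in sorted(events):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window_s:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return flagged


def access_rule(ip, note="auto-block: request rate threshold exceeded"):
    """Request body for one zone-wide IP Access Rule that blocks ip."""
    return {"mode": "block",
            "configuration": {"target": "ip", "value": ip},
            "notes": note}


def country_allowlist_expression(countries):
    """Cloudflare Rules expression matching every request from outside the
    allowlisted countries; pair it with the Block action."""
    inner = " ".join(f'"{c}"' for c in sorted(countries))
    return f"(not ip.geoip.country in {{{inner}}})"


def push_rules(ips, zone_id, token, dry_run=True):
    """Create one block rule per IP. With dry_run only the bodies are returned."""
    bodies = [access_rule(ip) for ip in sorted(ips)]
    if dry_run:
        return bodies
    for body in bodies:
        req = urllib.request.Request(
            API.format(zone=zone_id),
            data=json.dumps(body).encode(),
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": "application/json"},
            method="POST",
        )
        with urllib.request.urlopen(req, timeout=10) as resp:
            resp.read()
    return bodies


# Constructed sample: one client bursting 30 requests in 5 seconds, another
# making one request every 5 seconds (epoch anchor is arbitrary).
BASE = 1_646_511_848
SAMPLE_EVENTS = (
    [(BASE + i // 6, "203.0.113.5") for i in range(30)]
    + [(BASE + 5 * i, "198.51.100.9") for i in range(15)]
)

if __name__ == "__main__":
    bad = flag_abusers(SAMPLE_EVENTS)
    print("flagged:", sorted(bad))
    print(json.dumps(push_rules(bad, "ZONE_ID_PLACEHOLDER", "TOKEN_PLACEHOLDER"), indent=2))
    print(country_allowlist_expression(["RU", "BY"]))
```

Feed the counter with the address Cloudflare saw (the hop it appended to X-Forwarded-For, or CF-Connecting-IP), never the leftmost X-Forwarded-For entry; otherwise a sender who forges that header gets arbitrary addresses blocked on their behalf. Cloudflare also offers rate-limiting rules at the edge, which stop the burst before it reaches the origin at all, so the script is most useful on plans where those are not available.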

Andrey Gavrilov, 2022-03-06
@thexaver

https://support.cloudflare.com/hc/en-us/articles/2...
You need to set it up, and you need to know how to configure it.
