Evgenii Goryaev
Development, support and optimization

DDoS protection with Cloudflare


I must admit that I used to be quite skeptical about Cloudflare and other companies offering a similar service (proxying web traffic through their network of servers, a web application firewall, DDoS protection, caching and other goodies). That was my attitude until I happened to come under a well-executed DDoS attack.

Background

Last week I had to urgently rescue one of my clients, whose site was hosted on a weak server rented without my involvement. The site was under a DDoS attack: requests to various pages of the site at a rate of 6-7 thousand requests per second, which will of course take down almost any unprepared site and its server, even one that serves only static content.

I should mention that the client's server went down immediately. Moreover, stopping the site, which ran in Docker, did not help: Traefik, left on its own as the load balancer and answering every request with a 404, was already consuming 100% of the resources of a server with an i3 processor and 4 GB of RAM at 1 thousand requests per second.

Without Cloudflare there is nowhere to hide from an attack like this.

What to do if the attack is already underway?

Activating Cloudflare: changing the domain's DNS servers

One of the first problems is that the attacking network already knows the server's real IP address. Even replacing the DNS records with Cloudflare's will not improve the situation much, but it is the first step. When you add a new site in the Cloudflare control panel, the current DNS records are loaded automatically from the current DNS servers.

Configuring DNS in Cloudflare

After the domain has been delegated to the new DNS servers, you need to mark which hostnames will send traffic directly to the server and which will be proxied through Cloudflare.

Transferring the site to a more powerful server

If at all possible, move the site to a more powerful server so that it can handle the extra requests, even if all it does is return a 403 to visitors who bypass Cloudflare.

Deny access to everyone except the Cloudflare network

If the server uses nginx as a load balancer, as it did in my case, you can refuse all connections except those coming through the Cloudflare proxy, like this:

Create a config with the list of Cloudflare networks (for example, in /etc/nginx/cloudflare-only.conf):

#https://www.cloudflare.com/ips
#IPv4
allow 173.245.48.0/20;
allow 103.21.244.0/22;
allow 103.22.200.0/22;
allow 103.31.4.0/22;
allow 141.101.64.0/18;
allow 108.162.192.0/18;
allow 190.93.240.0/20;
allow 188.114.96.0/20;
allow 197.234.240.0/22;
allow 198.41.128.0/17;
allow 162.158.0.0/15;
allow 104.16.0.0/13;
allow 104.24.0.0/14;
allow 172.64.0.0/13;
allow 131.0.72.0/22;
#IPv6
allow 2400:cb00::/32;
allow 2606:4700::/32;
allow 2803:f800::/32;
allow 2405:b500::/32;
allow 2405:8100::/32;
allow 2a06:98c0::/29;
allow 2c0f:f248::/32;
# Deny all others
deny all;

Then include it in the desired context of the nginx config: either in the http section, to apply the rules to the whole server, or in a server section, so that the rules affect only that virtual host.

server {
        listen 443 ssl http2;
        include /etc/nginx/cloudflare-only.conf;
...
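The allow list above is only as good as the ranges in it, and once traffic is proxied nginx sees Cloudflare's edge address as $remote_addr rather than the visitor's, which breaks per-client logging and rate limiting on the origin. The script below is an added example, not code from the article: it parses the article's range list, renders the same allow/deny config, renders a companion fragment for nginx's ngx_http_realip_module that restores the visitor's address from Cloudflare's CF-Connecting-IP header (trusting that header only from the listed ranges), and mirrors nginx's decision so you can check a client address against the list offline. The ranges are embedded from the article's config; in practice the input text would be refreshed from the list Cloudflare publishes at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6, since the ranges change over time.

```python
import ipaddress
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Ranges copied from the article's /etc/nginx/cloudflare-only.conf (constructed
# input for this example). Refresh from https://www.cloudflare.com/ips in practice.
CLOUDFLARE_RANGES = """\
# IPv4
173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
141.101.64.0/18
108.162.192.0/18
190.93.240.0/20
188.114.96.0/20
197.234.240.0/22
198.41.128.0/17
162.158.0.0/15
104.16.0.0/13
104.24.0.0/14
172.64.0.0/13
131.0.72.0/22
# IPv6
2400:cb00::/32
2606:4700::/32
2803:f800::/32
2405:b500::/32
2405:8100::/32
2a06:98c0::/29
2c0f:f248::/32
"""


def parse_cidrs(text: str) -> List[Network]:
    """Parse one CIDR per line, ignoring blank lines and '#' comments.

    A malformed line raises ValueError, which is the behaviour we want: a
    typo in the list must fail loudly rather than silently lock everyone out.
    """
    nets: List[Network] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def render_cloudflare_only(nets: List[Network]) -> str:
    """Render the article's allow-list: every Cloudflare range, then deny all."""
    lines = ["# Generated: only Cloudflare's proxy network may reach this vhost"]
    lines += [f"allow {n};" for n in nets]
    lines.append("deny all;")
    return "\n".join(lines) + "\n"


def render_real_ip(nets: List[Network]) -> str:
    """Render a realip fragment so $remote_addr is the visitor, not the edge.

    set_real_ip_from limits which peers may supply CF-Connecting-IP; without
    that restriction anyone who reaches the origin could forge the header.
    """
    lines = [f"set_real_ip_from {n};" for n in nets]
    lines.append("real_ip_header CF-Connecting-IP;")
    return "\n".join(lines) + "\n"


def is_allowed(client_ip: str, nets: List[Network]) -> bool:
    """Mirror nginx's allow/deny evaluation: any matching allow wins, else deny all."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == n.version and addr in n for n in nets)


if __name__ == "__main__":
    cf = parse_cidrs(CLOUDFLARE_RANGES)
    print(render_cloudflare_only(cf))
    print(render_real_ip(cf))
    # Constructed sample peers: a Cloudflare edge address and a direct hit on the origin.
    for peer in ("173.245.48.1", "2606:4700::1", "8.8.8.8"):
        print(f"{peer:>16} -> {'allow' if is_allowed(peer, cf) else 'deny'}")
```

Drop the first rendered fragment into the include file the article describes and the second into the same server or http context; nginx must be built with the realip module (it is in the stock Debian and Ubuntu packages). After reloading, confirm with a request from a non-Cloudflare address that the origin answers 403, and check the access log to see visitor addresses rather than Cloudflare edge addresses.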

Activate Web Firewall in Cloudflare Control Panel

To fight off an attack reasonably well, two rules are often enough. The first blocks all traffic from countries where the company does not do business (usually that is every country but one).


The second applies a Managed Challenge to visitors from the target country.


In addition, enable “Under Attack” mode in the site settings. These simple and, most importantly, almost free measures let me repel the attack that had been tormenting the client's website. I hope this helps you too.