Detecting HTTP Floods (While using Cloudflare)

StellaEV Member
edited September 2014 in Help

I've been getting some HTTP floods flowing through Cloudflare for a while now, and am looking to use mod_security to block them.

The problem with mod_security is that it doesn't work with Cloudflare due to IP blocking.

I took a look at the CF API, and found that I could create a script to block the IPs directly using Threat Control. While that part is easy, I am stumped as to how to get mod_sec to pass the attacking IP (should be fetchable from the HTTP request headers) to the script.

I don't want to turn on "I'm under Attack" as this slows down the site, even for legitimate users.

Comments

  • use mod_cloudflare?

  • No support for nginx, I'm afraid.

  • 90% of the time, Cloudflare does no justice into blocking attacks, I would look for another solution such as incapsula.

    Some of our Web Hosting clients are constantly bombarded with XML-RPC and HTTP based floods. For XML-RPC I can recommend adding a .htaccess that will block useragents containing "Wordpress"; for HTTP floods you can put rules on nginx. I actually made a tutorial on here on making your very own reverse proxy with nginx, but for a shared environment such as web hosting we're using litespeed, and it works very well and handles php abuse (flooding on a php file) very well compared to nginx.

  • I have a script doing just that with fail2ban and nginx, I'll write a tutorial about this.

    Thanked by Amitz
  • SplitIce Member, Host Rep

    FYI we (X4B) have Enhanced Layer7 filters (6 months into testing) that can be activated on request if required. Standard Layer7 filtering is always available and enabled by default (Including the blocking of attacks from compromised or vulnerable hosts/platforms such as Wordpress/XMLRPC).

    Happy to help if you have not already found a solution.

    :)

  • nexmark said: 90% of the time, Cloudflare does no justice into blocking attacks, I would look for another solution such as incapsula.

    Not true. You just need to buy 200$ plan.

  • StellaEV Member
    edited September 2014

    @SplitIce said:
    FYI we (X4B) have Enhanced Layer7 filters (6 months into testing) that can be activated on request if required. Standard Layer7 filtering is always available and enabled by default (Including the blocking of attacks from compromised or vulnerable hosts/platforms such as Wordpress/XMLRPC).

    Happy to help if you have not already found a solution.

    :)

    I've considered using X4B before, but at the moment it's too expensive since it's for a personal project out of my own pocket. As a result most of this is in-house at the moment. I already have CF protecting my http(s) sites, and since they might be announcing SSL support on Monday, I will be sticking with them.

    I might take another look later on if any of my projects takes off and will need some advanced DDOS protection.

    @nexmark said:
    90% of the time, Cloudflare does no justice into blocking attacks, I would look for another solution such as incapsula.

    Some of our Web Hosting clients are constantly bombarded with XML-RPC and HTTP based floods. For XML-RPC I can recommend adding a .htaccess that will block useragents containing "Wordpress"; for HTTP floods you can put rules on nginx. I actually made a tutorial on here on making your very own reverse proxy with nginx, but for a shared environment such as web hosting we're using litespeed, and it works very well and handles php abuse (flooding on a php file) very well compared to nginx.

    Not really using Cloudflare to block attacks, but to block IPs that hit modsec. I will have to find a way for it to expire after X hours as well later on.

    Exactly what I was looking for, thanks!

    It seems like I can just set the CF IPs in nginx and nginx will pass it on to modsec as if it was the right IP. I have also found that I could use SecRule REQUEST_HEADERS_NAMES with modsec if that doesn't work out.
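The two pieces the thread ends on, recovering the real client address behind Cloudflare and expiring blocks after X hours, as an added example that is not from any poster here. The proxy ranges, the header dictionary shape and the blocklist API are assumptions; in a real deployment the trusted ranges come from Cloudflare's published list, and the caller pushes the returned addresses to the blocking API of its choice.

```python
import ipaddress

# Constructed stand-in for Cloudflare's published proxy ranges (TEST-NET and
# documentation prefixes). Load the real list in production.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:cf::/48")]


def client_ip(peer_addr, headers):
    """Return the address to block for a request.

    CF-Connecting-IP is honoured only when the TCP peer is a trusted proxy;
    a request that reaches the origin directly could otherwise forge the header
    and get an innocent address blocked. A malformed header value is ignored.
    """
    peer = ipaddress.ip_address(peer_addr)
    cf_ip = headers.get("CF-Connecting-IP")
    if cf_ip and any(peer in net for net in TRUSTED_PROXIES):
        try:
            return str(ipaddress.ip_address(cf_ip.strip()))
        except ValueError:
            pass
    return str(peer)


class BlockList:
    """Temporary blocks keyed by IP, each expiring a fixed number of hours after it was added."""

    def __init__(self, ttl_hours):
        self.ttl = ttl_hours * 3600  # seconds
        self.blocked = {}  # ip -> epoch second at which the block lapses

    def add(self, ip, now):
        """Record (or refresh) a block. Returns True when the IP was not blocked yet,
        i.e. the caller should push it to the API; a repeat offender only extends the timer."""
        fresh = ip not in self.blocked
        self.blocked[ip] = now + self.ttl
        return fresh

    def expire(self, now):
        """Drop blocks whose time is up and return them so the caller can lift them via the API."""
        lapsed = sorted(ip for ip, until in self.blocked.items() if until <= now)
        for ip in lapsed:
            del self.blocked[ip]
        return lapsed
```

Run `expire()` from a periodic job with the current epoch time; `add()` is called from whatever hook reads the mod_security alert.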
