Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Advertise on LowEndTalk.com
Script to enable/disable CloudFlare DDoS protection automatically
New on LowEndTalk? Please read our 'Community Rules' by clicking on it in the right menu!

Script to enable/disable CloudFlare DDoS protection automatically

Some of you may regularely see application layer attacks on your sites that are behind CloudFlare, apparently L7 attacks are usually the only attacks that can shutdown a site covered by CloudFlare (if you don't leak your origin IP).

The normal solution for these attacks is to go to the CloudFlare control panel and enable "I'm under attack" mode, but what if you're not online to do this or if you don't instantly notice an attack is coming in?
It gets even worse: If the attack runs for a long time without you taking any action, CloudFlare will temporarily route all traffic directly to the origin IP (exposing it to the attacker). You'd have to watch your sites for attacks constantly to not risk getting temporarily routed directly to your origin IP.
That's why I created a simple script to automatically turn CloudFlare's DDoS protection page on/off in case of an attack.

You find the script with detailed instructions here: https://vpsaddicted.com/script-enable-disable-cf-ddos-protection/

Regards

tr1cky

tsdns.io - free, redundant, DDoS-protected TSDNS

Comments

  • nice idea

  • You're writing a lot of really great tutorials mate :)

    This signature wasted 121 bytes of your data allocation.

    https://nixstats.com/report/56b53d6465689e44598b4567

  • tr1cky said: If the attack runs for a long time without you taking any action, CloudFlare will temporarily route all traffic directly to the origin IP (exposing it to the attacker).

    Would you have any source for this? I'd like to read about those details, when, under which circumstances, etc they actually switch the DNS (basically their parameters).

  • m3gfm3gf Member

    wow..good!

  • @bitswitch said:

    tr1cky said: If the attack runs for a long time without you taking any action, CloudFlare will temporarily route all traffic directly to the origin IP (exposing it to the attacker).

    Would you have any source for this? I'd like to read about those details, when, under which circumstances, etc they actually switch the DNS (basically their parameters).

    The thread is now 3 years old so things may have changed since, but under the firewall section of the Cloudflare control panel, there is an option for the business plan ('Advanced DDoS Protection') that reads "Cloudflare will stand in front of your website regardless of attack size or duration.". This suggests that they won't absorb attack traffic on lower plans.

  • Following if there's some updates on this

    ^-^!

  • combahton_itcombahton_it Member, Provider

    The idea is great, we dome something similar for our own webservers (just grab the server status, if requests per second is above XYZ -> api call -> filters on).

    What about taking directly the data from the http servers status page? :)

    combahton GmbH trading as fastpipe.io - providing Cloud and Dedicated Servers in Frankfurt, Germany

  • matthewkilpatrick said: This suggests that they won't absorb attack traffic on lower plans.

    I understand where you are coming from, even though I wouldnt necessarily interpret it that way. They could simply generally stop serving that domain. Thats why it would be great to have more information on that subject.

    Thanked by 1matthewkilpatrick
  • tr1ckytr1cky Member

    @bitswitch said:

    matthewkilpatrick said: This suggests that they won't absorb attack traffic on lower plans.

    I understand where you are coming from, even though I wouldnt necessarily interpret it that way. They could simply generally stop serving that domain. Thats why it would be great to have more information on that subject.

    Back in the days a big enough l7 attack would mean that cloudflare would disable the domain for some time, in the meantime traffic would be routed directly to the backend ip.

    I doubt they still do it that way, I think their goal back then was to mostly be a CDN.

    The script is outdated and I don't know if it still works, since cloudflare has a new API.

    Also, the ddos protection page is pretty easily bypassable.

    I have a new script that I could post in a day or so.

    There's also the rate limiting feature for smaller sites. It's pretty inexpensive if you do not have a lot of visitors.

    tsdns.io - free, redundant, DDoS-protected TSDNS

  • tr1cky said: Back in the days a big enough l7 attack would mean that cloudflare would disable the domain for some time, in the meantime traffic would be routed directly to the backend ip.

    I doubt they still do it that way, I think their goal back then was to mostly be a CDN.

    Thanks for the reponse. Any idea where some official quote could be found? Their site is not very informative on such a subject and it could be pretty unpleasant if they suddenly "reveal" the formally masked destination address.

  • eKoeKo Member
    edited May 2017

    @tr1cky said:

    >

    Back in the days a big enough l7 attack would mean that cloudflare would disable the domain for some time, in the meantime traffic would be routed directly to the backend ip.

    I doubt they still do it that way, I think their goal back then was to mostly be a CDN.

    The script is outdated and I don't know if it still works, since cloudflare has a new API.

    Also, the ddos protection page is pretty easily bypassable.

    I have a new script that I could post in a day or so.

    There's also the rate limiting feature for smaller sites. It's pretty inexpensive if you do not have a lot of visitors.

    Looking forward to test it, thanks!

  • @tr1cky said:
    I have a new script that I could post in a day or so.

    There's also the rate limiting feature for smaller sites. It's pretty inexpensive if you do not have a lot of visitors.

    Hey mate, did you find some time to post this script? Would really appreciate it!
    Thanks in advance.

  • I've got this script updated a little bit, you can see it here:

    https://bobbyiliev.com/blog/enable-cloudflare-ddos-protection-automatically/

    Hope that this helps.

    Thanked by 1truweb
  • Thanks for the necro I guess.

    Make your choice on your own But i can help you to make them right.

  • smilesmile Member
    edited August 2018

    @bobbyiliev said:
    I've got this script updated a little bit, you can see it here:

    https://bobbyiliev.com/blog/enable-cloudflare-ddos-protection-automatically/

    Hope that this helps.

    You updated this in 2015? or recently?

    Does cloudflare still do this? I highly doubt it but a script that runs by greping load is interesting(monit can do this on consideration)... Anyone do this normally? Might be good idea with server but I would never put this on a shared service like vps.

  • andrewforestandrewforest Member, Provider

    @jetchirag said:
    Following if there's some updates on this

    Aswell.

    Hostige - OpenVZ VPS, LXC & KVM Servers
    Use code ige5 and get 5% off your first payment.

  • irtehirteh Member

    Thanks for tutorial
    I am able to solve the problem

  • Is this still working?

    PopularWidget.com - Get Popular Posts for Your Websites Without Plugin

  • Cloudflare has a rest api that can be called via powershell or your choice as long as you have the api key, you can do everything from add/remove dns A records, to flip them from proxied to DNS only, or virtually anything that the platform offers in the GUI -- pro/enterprise subs get more options exposed just like the GUI but the rest api is all the same --- check out their api -- used it for a client a while back and they're thrilled to this day with the product.

    [signature exceeds limit]

Sign In or Register to comment.