Per IP rate limit with CloudFlare

Jernej (Verified User; joined May 1, 2019; 8 messages)
What would be the best way to limit connections per IP when using CloudFlare with mod_remoteip to restore real IPs (without limiting CloudFlare IPs)?

The idea would be to try to prevent DDoS attacks and probing. I know CloudFlare should be able to deal with this, but just today I saw one Russian IP generate 300Mb of logs on my server within a few minutes, mostly random requests probing for phpmyadmin URLs etc.

Clearly, they're somehow bypassing CloudFlare. In terms of security it's not an issue, there's nothing to be found on those URLs, but they're causing super high load on the CPU and that's an issue.

Has anyone else had such an issue?
 
Do you use CSF? I'm interested in what others have to say, but you can limit the number of connections with CSF. You just need to be careful not to block real traffic. You would use a combination of CT_Limit and CT_Interval. I don't use Cloudflare, so others more familiar with your setup might have a stronger suggestion.

This article explains what I am talking about

 
Yes, but I suspect CSF would block IPs before the real IP is restored, so in essence CloudFlare IPs would get blocked/rate limited, blocking legit traffic.
 
CSF as well as DirectAdmin are not efficient when we need to block a real user IP and prevent it from accessing a domain behind CloudFlare.
 
Well, I was thinking mod_ratelimit maybe. Scanning logs and banning IPs would work too but is inefficient, while using mod_ratelimit would probably not be ideal, and I'm not even sure if it would take real IPs or CF IPs.
 
Even if you block an offending IP in a firewall using standard iptables rules, it won't prevent that IP from connecting to the web server, since all requests are coming from CloudFlare IPs. We block offending IPs in NGINX in such cases (using nginx+apache).
 
Good point. I take it there's no solution that would prevent traffic from hitting Apache, since the real IP thing starts there; up to that point it's all CF traffic. I guess I was thinking just blocking such traffic in Apache before PHP is executed would help mitigate such attacks (or at least reduce CPU load), but now that I think about it... you're right, it's kind of a half-fix.
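As an added example (not config from this thread or from any poster), here is how the nginx-in-front-of-Apache setup described in the previous reply can apply per-visitor limits and manual blocks on the restored address, and answer obvious probe paths before anything reaches Apache/PHP. It assumes nginx listens on port 80, Apache listens on 127.0.0.1:8080, and the site is example.com; the IP ranges and the blocked address are placeholders, not real values.

```nginx
# Added example, not from the thread. nginx in front of Apache, with the
# visitor's IP restored from the CloudFlare header before any per-IP limit or
# deny rule is evaluated. The realip module rewrites $remote_addr and
# $binary_remote_addr early in request processing, so limit_req, limit_conn
# and deny all key on the visitor, not on the CloudFlare edge address.

http {
    # Trust only CloudFlare's edge to set CF-Connecting-IP. Fill this list from
    # the ranges CloudFlare publishes (https://www.cloudflare.com/ips/).
    # The two entries below are PLACEHOLDERS, not the real ranges.
    set_real_ip_from 203.0.113.0/24;   # PLACEHOLDER: CloudFlare IPv4 range
    set_real_ip_from 2001:db8::/32;    # PLACEHOLDER: CloudFlare IPv6 range
    real_ip_header   CF-Connecting-IP;
    # A connection that does not come from a trusted range keeps its TCP source
    # address, so a client hitting the origin directly cannot spoof the header
    # and is limited under its own address.

    # Per-visitor request rate (10 MB of shared state, 10 requests/second)
    # and per-visitor concurrent connections, both keyed on the restored IP.
    limit_req_zone  $binary_remote_addr zone=per_ip_req:10m rate=10r/s;
    limit_conn_zone $binary_remote_addr zone=per_ip_conn:10m;

    # Return 429 instead of the default 503 so limited requests stand out in logs.
    limit_req_status  429;
    limit_conn_status 429;

    server {
        listen 80;
        server_name example.com;   # assumption: the protected site

        # Allow short bursts (page assets) up to 20 requests, reject the rest
        # immediately rather than queueing them.
        limit_req  zone=per_ip_req burst=20 nodelay;
        limit_conn per_ip_conn 20;

        # Probing for phpmyadmin URLs (the case from the original post):
        # answer at the edge of the box, never proxy these to Apache/PHP.
        location ~* ^/phpmyadmin(/|$) {
            return 404;
        }

        location / {
            # Manual blocks also match the restored address.
            deny  198.51.100.7;    # PLACEHOLDER: an offending visitor IP
            allow all;

            proxy_pass http://127.0.0.1:8080;   # assumption: Apache upstream
            proxy_set_header Host $host;
            # Hand the restored address to Apache's mod_remoteip, which should
            # then trust only 127.0.0.1 as its proxy.
            proxy_set_header X-Real-IP       $remote_addr;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }
}
```

Validate with `nginx -t` before reloading. The `limit_req_zone` and `limit_conn_zone` directives must sit in the `http` context, and the `set_real_ip_from` list has to be refreshed whenever CloudFlare changes its published ranges, otherwise new edge addresses fall back to being treated as the visitor and get limited as a group, which is exactly the "blocking CloudFlare IPs" problem raised earlier in the thread. Each limited request also produces a "limiting requests" entry in the nginx error log, which gives you something concrete to correlate with the access-log bursts described in the first post.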
 
The problem is that Cloudflare's free plan (which most users opt for) typically doesn't block this kind of abuse, and since server admins usually don't block Cloudflare IPs, the abuse becomes harder to block without negatively affecting legitimate Cloudflare traffic.

Things you can do to help minimize these types of threats are to use LiteSpeed and enable Per Client Throttling and reCAPTCHA Protection, and/or use a security app such as Imunify360 with captcha enabled.
 