
Protecting a website from DDOS attacks using cloudflare

Posted by babadoctor. Solved by Eigenvektor.

If I have a server which hosts a website, and then make the server only respond to connections from Cloudflare, how is it possible that people find out the IP address of the server and attack it anyways?

 

Shouldn't this be foolproof? So then why is it that I constantly hear about websites being attacked and going offline for extended periods of time?

 

I'm currently hosting a website this way, so I just wanted to see what mistakes were made or what I have not accounted for in protecting it.

 

Thanks

 

OFF TOPIC: I suggest every poll from now on to have "**CK EA" option instead of "Other"


2 hours ago, babadoctor said:

Shouldn't this be foolproof? So then why is it that I constantly hear about websites being attacked and going offline for extended periods of time?

Cloudflare's bandwidth isn't unlimited. If they get hammered hard enough, the website behind it is still going to be inaccessible, at least in the region the Cloudflare server is in that is getting hammered. And depending on what your server is doing, what its responses look like etc. it may very well reveal its actual IP inadvertently. Have a look at the network communication in your browser's developer tools, see if there's anything that contains the IP behind Cloudflare.

 

Or just try a DNS lookup, does that only return Cloudflare's IP, or the server IP? Is that true for all regions over the world?

 

~edit: Also keep in mind what "denial of service" really means. It could mean hammering your server with requests until it goes down. This requires a fair amount of bandwidth on the attacker's side and may be blocked by Cloudflare.

 

But what if I can find a relatively simple request that triggers a fair amount of computation on your end? I can now DoS your server by sending just a small number of requests that trigger lengthy computations. And if the server is already busy with computing results for previous requests, this can quickly snowball into an unresponsive server. Cloudflare might not actually do anything, because the number of requests is low enough to not trigger any countermeasures, but your server goes down regardless.

Remember to either quote or @mention others, so they are notified of your reply


53 minutes ago, Eigenvektor said:

Cloudflare's bandwidth isn't unlimited. If they get hammered hard enough, the website behind it is still going to be inaccessible, at least in the region the Cloudflare server is in that is getting hammered. And depending on what your server is doing, what its responses look like etc. it may very well reveal its actual IP inadvertently. Have a look at the network communication in your browser's developer tools, see if there's anything that contains the IP behind Cloudflare.

 

Or just try a DNS lookup, does that only return Cloudflare's IP, or the server IP? Is that true for all regions over the world?

 

~edit: Also keep in mind what "denial of service" really means. It could mean hammering your server with requests until it goes down. This requires a fair amount of bandwidth on the attacker's side and may be blocked by Cloudflare.

 

But what if I can find a relatively simple request that triggers a fair amount of computation on your end? I can now DoS your server by sending just a small number of requests that trigger lengthy computations. And if the server is already busy with computing results for previous requests, this can quickly snowball into an unresponsive server. Cloudflare might not actually do anything, because the number of requests is low enough to not trigger any countermeasures, but your server goes down regardless.

Yes, that's true, there are many ways in which you can perform a denial of service through causing my server to run computationally intensive tasks, but for now I just want to worry about those attacks which require an attacker to send a massive amount of bandwidth.

 

No, the DNS lookup doesn't show the IP address or anything like that.

 

The way I went about blocking it was just setting UFW to only allow access to Cloudflare's IP addresses.

 

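The UFW approach babadoctor describes, as an added example that is not part of the original thread: a POSIX sh script that turns a list of proxy ranges (the format Cloudflare publishes at https://www.cloudflare.com/ips-v4) into reviewable `ufw allow` rules behind a default deny. The two CIDRs embedded here are constructed documentation placeholders, not Cloudflare's real ranges, and the function names are mine.

```shell
#!/bin/sh
# Constructed sample in the format Cloudflare publishes at
# https://www.cloudflare.com/ips-v4 (one CIDR per line). These two ranges
# are documentation placeholders, NOT Cloudflare's real ranges.
SAMPLE_RANGES='203.0.113.0/24
198.51.100.0/24
# stray comment and a junk line, both skipped
not-a-cidr
'

# Read CIDRs on stdin and emit one "ufw allow" rule per range for port $1.
# Rules are printed, not executed, so they can be reviewed before applying.
ufw_allow_rules() {
  port="$1"
  while IFS= read -r cidr; do
    case "$cidr" in ''|'#'*) continue ;; esac      # skip blanks and comments
    case "$cidr" in
      */*) ;;                                       # looks like a CIDR
      *) echo "skipping non-CIDR line: $cidr" >&2; continue ;;
    esac
    printf 'ufw allow from %s to any port %s proto tcp\n' "$cidr" "$port"
  done
}

# Full rule set for an origin that should answer only to the proxy:
# default deny, then one allow per proxy range for 80 and 443.
# Keep your own admin source range in the allow list or you lock yourself out.
origin_ruleset() {
  printf 'ufw default deny incoming\n'
  for p in 80 443; do
    printf '%s\n' "$SAMPLE_RANGES" | ufw_allow_rules "$p"
  done
}

# Helpers used to check the generated rule set.
count_rules() { origin_ruleset | grep -c '^ufw allow'; }
first_rule()  { origin_ruleset | sed -n '2p'; }

# Real use (not run here): fetch the live list and apply after review:
#   curl -fsS https://www.cloudflare.com/ips-v4 | ufw_allow_rules 443 | sh
```

Re-run the fetch on a schedule, since the published ranges change over time, and add the IPv6 list (https://www.cloudflare.com/ips-v6) if the origin also has an IPv6 address.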

1 hour ago, babadoctor said:

…but for now I just want to worry about those attacks which require an attacker to send a massive amount of bandwidth.

Even Cloudflare will run into limits eventually. At that point there's not much you can do if you don't have the money to build up your own redundant infrastructure. It really depends on how much of a target you are. Largest known attacks on the internet were in the Tbps range. Even if you're not a direct target, the interruption this causes to other services could still affect you.

 

1 hour ago, babadoctor said:

No, the DNS lookup doesn't show the IP address or anything like that.

What about server responses? Anything in there that could give away the actual IP(s)? Hiding behind a proxy is well and good as long as you don't reveal your own location by accident.

 

6 hours ago, babadoctor said:

So then why is it that I constantly hear about websites being attacked and going offline for extended periods of time?

Not everyone uses Cloudflare, nor can Cloudflare mitigate every type of attack. Servers going offline could simply be a precaution due to security concerns. E.g. think about the recent Log4j vulnerability. Several of our customers took down their servers until we could clarify that our product doesn't even use it. There are also timing attacks where exploits may become possible once a server has been slowed down just enough, which might prompt a server shutdown until more resources can be brought online.
