[3.3.x] Support Forum • Re: Another round of attacks

Is phpbb.com itself also a target of attacks recently? I just recognized that our phpBB installation script broke, because requests via wget/curl/etc. are categorically blocked by its Cloudflare config now. I already sent an email to the site admins some days ago, but no answer so far.

We did receive a bunch of "attacks" (a mix of scrapes and web application vulnerability seeking) on our website as well over the last weeks/months, but were able to block them with very selective Cloudflare security rules, which did/do not affect common usage in any way.

One case was a weekly occurring massive traffic event, lasting for 1-2 days every week, typically between Tuesday night and Thursday morning. Hourly traffic went up from ~10 GiB to ~1 TiB, a factor of x100. Larger OS image downloads were done in an endless cycle, the same files over and over, fully downloaded by the respective clients. Luckily we did not recognize it outside of the logs, since like 95% of the traffic was served from Cloudflare cache:
  • Configure Cloudflare to cache ALL download types, including archives etc., not only web assets! Raise caching duration to max, enable tiered caching. This helps a lot. In our case, only ISO files slipped through, somehow consistently never cached at all, even though flagged to be cached and downloaded multiple times. Something to check back with Cloudflare.
What made those weirder is that all requests associated with these events had an mdrv=<domain.name> query string component added. So after observing the pattern, recognizing that they were all originating from the DigitalOcean hosting network, and informing them about it, we could easily block it with a simple security rule at Cloudflare, filtering this particular added query parameter. Within 1.5 minutes and ~900 requests blocked by the firewall, the attempts stopped, and did not return since.

Other significant attacks were originating from individual IP addresses, hence also possible to block efficiently without affecting website operation. Cloudflare DDoS protection does not kick in below a certain threshold, which may be quite high. In one case, after enabling the security rule for a single IP address, it blocked ~150,000 requests within a few hours. I mean, those did not cause any problems on our server, as they did not download anything like in the mdrv case above, but were more about looping through a large number of code/database query injection attempts, which does no harm on a properly set up server (keep your software updated!), but the malicious pattern was obvious.

Also note that both above cases were, at least mostly, not CLI tool requests. They did execute our JavaScript Matomo tracker, like a common browser request, which is of course also needed for some web application attacks to work. Cloudflare blocks or triggers interactive challenges also based on IP address rating, but at least some bot fight mechanisms won't work.

Statistics: Posted by MichaIng — Sat Jul 05, 2025 4:46 pm
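
The post above describes two patterns that were spotted in logs and then blocked with Cloudflare rules: a looping downloader that tagged every request with an mdrv=<domain.name> query parameter, and single IPs cycling through injection probes. Below is an added example (not code from the post, from phpBB, or from Cloudflare) that does the same triage over constructed access-log lines in combined log format and then emits the rule expressions a WAF custom rule with a Block action would use. The mdrv parameter name comes from the post; the IP addresses, paths and sizes are made up, and the Cloudflare field names (http.request.uri.args.names, ip.src) are assumed from the Rules language syntax rather than taken from the post.

```python
"""Spot the two attack patterns described in the post in raw access-log
lines, then emit Cloudflare rule expressions that would block them.

Added example, not code from the post, phpBB, or Cloudflare. The log lines
are constructed (combined log format); the mdrv parameter name comes from
the post, the IP addresses and paths are made up."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [ts] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample: a looping image downloader tagged with mdrv=, one
# legitimate single download, and one host cycling through injection probes.
SAMPLE_LOG = """\
198.51.100.7 - - [02/Jul/2025:23:10:01 +0000] "GET /downloads/os-image.img.xz?mdrv=example.org HTTP/1.1" 200 734003200
198.51.100.7 - - [02/Jul/2025:23:41:17 +0000] "GET /downloads/os-image.img.xz?mdrv=example.org HTTP/1.1" 200 734003200
198.51.100.9 - - [02/Jul/2025:23:42:03 +0000] "GET /downloads/os-image.img.xz?mdrv=example.org HTTP/1.1" 200 734003200
203.0.113.5 - - [03/Jul/2025:00:02:55 +0000] "GET /downloads/os-image.img.xz HTTP/1.1" 200 734003200
192.0.2.44 - - [03/Jul/2025:00:03:01 +0000] "GET /forum/viewtopic.php?t=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 404 512
192.0.2.44 - - [03/Jul/2025:00:03:02 +0000] "GET /forum/search.php?keywords=%3Cscript%3E HTTP/1.1" 200 2048
192.0.2.44 - - [03/Jul/2025:00:03:02 +0000] "GET /index.php?id=1%20UNION%20SELECT%201 HTTP/1.1" 404 512
203.0.113.8 - - [03/Jul/2025:00:05:40 +0000] "GET /forum/index.php HTTP/1.1" 200 15000
"""


def parse_log(text):
    """Parse combined-format lines into dicts; skip lines that do not match."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        url = urlsplit(rec["target"])
        rec["path"] = url.path
        rec["args"] = parse_qs(url.query, keep_blank_values=True)
        rec["status"] = int(rec["status"])
        rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
        records.append(rec)
    return records


def find_tagged_requests(records, param):
    """Requests carrying a query parameter that legitimate clients never send
    (the post's mdrv=<domain.name> marker); matched by name, not value."""
    return [r for r in records if param in r["args"]]


def find_repeat_downloads(records, min_bytes, min_repeats):
    """(ip, path) pairs that fully downloaded the same large file repeatedly:
    status 200 with a body of at least min_bytes, seen min_repeats+ times."""
    counts = Counter(
        (r["ip"], r["path"])
        for r in records
        if r["status"] == 200 and r["bytes"] >= min_bytes
    )
    return {key: n for key, n in counts.items() if n >= min_repeats}


def find_noisy_ips(records, threshold):
    """Source IPs with at least `threshold` requests in the log excerpt. The
    threshold is tiny here only because the sample is; on a real host it
    would be the request rate a single browser could never reach."""
    counts = Counter(r["ip"] for r in records)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def cloudflare_expressions(param, ips):
    """Expressions for Cloudflare WAF custom rules with a Block action, in
    Cloudflare's Rules language (field names assumed from its documented
    syntax, not taken from the post; verify before deploying)."""
    ip_set = " ".join(ips)
    return {
        # any(...) over the parameter names catches the tag whatever its value.
        "tagged_param": f'any(http.request.uri.args.names[*] == "{param}")',
        # IP sets in Cloudflare expressions are space-separated inside braces.
        "noisy_ips": f"ip.src in {{{ip_set}}}",
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("tagged clients:", sorted({r["ip"] for r in find_tagged_requests(recs, "mdrv")}))
    print("repeat downloads:", find_repeat_downloads(recs, 100_000_000, 2))
    noisy = find_noisy_ips(recs, 3)
    print("noisy IPs:", noisy)
    for name, expr in cloudflare_expressions("mdrv", sorted(noisy)).items():
        print(f"{name}: {expr}")
```

The two detections are deliberately independent: the mdrv tag identifies the downloader regardless of source network, while the repeat-download check catches the same behaviour if the tag is ever dropped, and the per-IP count is what surfaces the injection looper, whose individual requests look harmless. Matching the query parameter by name rather than by the full `mdrv=<domain>` string means the rule keeps working if the value changes.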