What I wish I knew about Cloudflare two years ago
One cold winter day, I wake up. As I check Slack, I panic. Someone is DDoSing us… The site returns a blank “Too many requests” and users are complaining. Everyone’s panicking.
In the heat of the moment, we receive this charming, helpful message from some dude on Telegram, detailing a vulnerability on the platform. He demands a ransom in ETH to liberate the site.
The vulnerability part is total bullshit. But the DDoS is real.
As the amazing dev-ops engineer I am, I shout out in the imaginary war room of our Slack channel: “I’VE GOT THIS!” I roll up my sleeves and do the only thing I know to do in this situation…
I flip the “I’m under attack button” on Cloudflare.
For those who don’t know, the “I’m under attack” button is the button you flip because you don’t have a clue what else you could do in the situation.
Over the years, we went through this same thing probably 10 times. The thing is: it does work. But there are some problems with it:
- We don’t want to keep “Under attack” on forever, because it degrades user experience.
- It breaks external API endpoints
- My hands are tired of turning the button on and off
The “under attack mode” is like closing down all the schools in the country because there is heavy snowfall in New York.
A better way
Peter had a great idea: spend 30 seconds and send a message to Cloudflare. This changed everything, because someone told us about a few knobs to turn to configure the system.
We learnt a lot. It took us maybe one hour to learn how to configure Cloudflare way better. One hour on some random day in October could have eliminated so much pain before.
I won’t go into detail; these are the learnings:
- Pay $200/month for premium. This gives you access to better bot management and a bunch of other features
- Browse through the tabs under “Security”
- Deploy the Cloudflare managed rules and OWASP rules in your Managed rules dashboard
- Create a rate limiting rule that blocks an IP which requests more than 350 resources per minute where host contains layer3.xyz. Block for 1 hour.
- Block “Definitely automated” traffic instead of giving it a managed challenge in your Bots dashboard
- Create a DDoS override rule where you block globally instead of using the default setting.
- Create a custom firewall rule that blocks all countries/continents where you have no customers, and another custom firewall rule that gives a managed challenge to the most threatening countries. These can be seen in your analytics dashboard.
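To make the rate limiting and country rules above concrete, here is an added example (mine, not from the original post and not Cloudflare’s own code) that builds the two rules as Cloudflare Rulesets API payloads and then runs a small simulation of the rate limit rule over constructed request logs. The zone id and API token are placeholders, the country codes are placeholders you would fill from the analytics dashboard, and the `FixedWindowLimiter` class is a deliberately simplified model of how a 350-per-minute / block-for-1-hour rule behaves (Cloudflare counts per data center and samples, so real behaviour is approximate). The traffic in `constructed_events` is made up for the demonstration.

```python
"""Cloudflare rate limit + custom firewall rules as API payloads, plus a
simplified simulation of the rate limit rule. Added example, not from the post."""
import json
from collections import defaultdict

# Placeholders (assumptions, not from the post): fill in your own zone and token.
ZONE_ID = "<ZONE_ID>"
API_TOKEN = "<API_TOKEN>"
API_BASE = "https://api.cloudflare.com/client/v4"


def rate_limit_ruleset(host_fragment="layer3.xyz", limit=350, period=60, timeout=3600):
    """Entry-point ruleset for the http_ratelimit phase: an IP that sends more than
    `limit` matching requests per `period` seconds is blocked for `timeout` seconds."""
    return {
        "rules": [{
            "action": "block",
            "description": f"Block IPs over {limit} req/{period}s where host contains {host_fragment}",
            "expression": f'(http.host contains "{host_fragment}")',
            "ratelimit": {
                "characteristics": ["cf.colo.id", "ip.src"],  # count per client IP per data center
                "period": period,
                "requests_per_period": limit,
                "mitigation_timeout": timeout,
            },
        }]
    }


def firewall_ruleset(block_countries, challenge_countries):
    """Entry-point ruleset for the http_request_firewall_custom phase: block countries
    with no customers, managed-challenge the noisiest ones seen in analytics."""
    def set_literal(codes):
        return " ".join(f'"{c}"' for c in sorted(codes))
    return {
        "rules": [
            {"action": "block",
             "description": "Countries/continents with no customers",
             "expression": f"(ip.geoip.country in {{{set_literal(block_countries)}}})"},
            {"action": "managed_challenge",
             "description": "Most threatening countries from analytics",
             "expression": f"(ip.geoip.country in {{{set_literal(challenge_countries)}}})"},
        ]
    }


class FixedWindowLimiter:
    """Simplified model of the rate limit rule: a per-IP counter in fixed
    `period`-second windows, and a block lasting `timeout` seconds once the
    counter passes `limit`. Requests whose host does not match are not counted."""
    def __init__(self, host_fragment="layer3.xyz", limit=350, period=60, timeout=3600):
        self.host_fragment, self.limit = host_fragment, limit
        self.period, self.timeout = period, timeout
        self.counts = defaultdict(int)   # (ip, window index) -> requests seen
        self.blocked_until = {}          # ip -> timestamp when the block expires

    def decide(self, ts, ip, host):
        if self.host_fragment not in host:
            return "not-matched"         # rule expression is false: the request is never counted
        if self.blocked_until.get(ip, -1) > ts:
            return "block"               # still inside the mitigation timeout
        key = (ip, int(ts // self.period))
        self.counts[key] += 1
        if self.counts[key] > self.limit:
            self.blocked_until[ip] = ts + self.timeout
            return "block"
        return "allow"


def simulate(events, limiter=None):
    """Run (timestamp, ip, host) events through the limiter; return a tally per (ip, decision)."""
    limiter = limiter or FixedWindowLimiter()
    tally = defaultdict(int)
    for ts, ip, host in sorted(events):
        tally[(ip, limiter.decide(ts, ip, host))] += 1
    return dict(tally)


def constructed_events():
    """Constructed sample traffic: one flooding IP, one normal user, the same
    flooding IP hitting an API on an unrelated host, and the flooder returning
    after the one-hour block has expired."""
    flood = [(i * 0.1, "203.0.113.7", "layer3.xyz") for i in range(400)]
    user = [(i * 2.0, "198.51.100.5", "www.layer3.xyz") for i in range(20)]
    api = [(i * 0.1, "203.0.113.7", "api.example.net") for i in range(50)]
    later = [(3700.0 + i, "203.0.113.7", "layer3.xyz") for i in range(5)]
    return flood + user + api + later


if __name__ == "__main__":
    print(f"PUT {API_BASE}/zones/{ZONE_ID}/rulesets/phases/http_ratelimit/entrypoint")
    print(json.dumps(rate_limit_ruleset(), indent=2))
    print(f"PUT {API_BASE}/zones/{ZONE_ID}/rulesets/phases/http_request_firewall_custom/entrypoint")
    print(json.dumps(firewall_ruleset({"XX", "YY"}, {"ZZ"}), indent=2))  # placeholder country codes
    for (ip, decision), n in sorted(simulate(constructed_events()).items()):
        print(f"{ip:15} {decision:12} {n}")
```

The simulation shows why a host-scoped rate limit is gentler than the “under attack” switch: the flooding IP gets its first 350 requests through and the remaining 50 blocked, the normal user is untouched, requests to the unrelated API host are never counted, and the flooder is admitted again once the hour is up.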
Conclusion
Loads of people probably already know this. And your config might be way more custom. But hopefully this list serves as a good starting point for startups who want to focus more on building than on firefighting.
I’m still no expert. In 2 years, what will I know that I wish I knew now? If you have suggestions, let me know, please!