Jump to content

Recommended Posts

Posted

Hi, is there anyone with experience on CF? I got small web server on my vps (literally nothing interesting here), i allow only IPs from cloudflare range, so it's impossible to connect directly. Now, i am under ddos, and CF seems not to filter out the requests. At this point there were total 80kk requests from ONLY 30 unique visitors. How can i configure CF to ban IPs that connect lets say more than 1k times over an hour? I spent hours digging in their documentation and tools...

Posted

Do you have paid of DDoS Protection on cloudflare or just took the free plan? Because the free plan its not protecting you from DDoS Attacks.

Posted

iptables is your friend, it can do anything you describe and literally ALL firewalls are just user interfaces for plain iptables. Just look for a guide on the net

Posted

I know i can do it with iptables. The thing is, its just a tiny tiny vps, so every connection = check in the iptables. I just wanted cloudflare to take responsibility of filtering, not to let them into my server at all.

Posted

I know i can do it with iptables. The thing is, its just a tiny tiny vps, so every connection = check in the iptables. I just wanted cloudflare to take responsibility of filtering, not to let them into my server at all.

 

None will do that for free. 

 

Keep in mind that iptables has nearly zero overhead and a very slight one in case of a few million records

Posted (edited)

iptables is your friend, it can do anything you describe and literally ALL firewalls are just user interfaces for plain iptables. Just look for a guide on the net

 

Unless you have some special hardware like Radware DefensePro

 

I know i can do it with iptables. The thing is, its just a tiny tiny vps, so every connection = check in the iptables. I just wanted cloudflare to take responsibility of filtering, not to let them into my server at all.

 

I fear you won't find any free service for it; or at least service you can count on

 

Keep in mind that iptables has nearly zero overhead and a very slight one in case of a few million records

 

Depends on how many rules do you use, whether you use conntracking (and whether you use it the right way - then it can help much because you check only SYN packets and pass through the rest) etc...

There's also lot of additional settings that might interest you like SYN cookies.

 

Szaka: If I were you, I'd start with iptables and try to find something better only if iptables won't do it

 

EDIT: In case you need to check whether IP belongs to some set, don't set rules for all those addresses. Use ipset http://ipset.netfilter.org/

Edited by eressea
Posted

Unless you have some special hardware like Radware DefensePro

 

AFAIK even hardware firewalls internally use iptables.

Except if someone writes his own OS for the firewall a case I really doubt since the iptables that comes with the linux Kernel is an extremely good and reliable base.

I may be wrong because I don't have much hands-on experience with firewalls

Posted

AFAIK even hardware firewalls internally use iptables.

Except if someone writes his own OS for the firewall a case I really doubt since the iptables that comes with the linux Kernel is an extremely good and reliable base.

I may be wrong because I don't have much hands-on experience with firewalls

 

When it's Linux-based, it will use iptables, that's fact. There are some other options that are used commonly, for example pfSense which is FreeBSD-based. Also Cisco has it's own operating system (IOS, don't confuse with iOS)

Posted

Depending on how, you can act on iptables or webserver, cloudflare, beside declaring yourself under attack you can't do shit. I wouldn't even consider those guy to protect me.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...