How to use CloudFlare to prevent HTTP Flooding Attack (DDoS)

Simple and straight: CloudFlare.com is a very cool service to speed up your site, but it also brings
a lot of features that help you protect your site from bad traffic.

I had a website running on a single webserver (Apache) which had been under attack.
A bot-network was simply requesting a “legitimate” URL from the website; however, the bot-network did this so fast and in such a huge amount
that the webserver was just not able to handle it.

CloudFlare is able to help you here: once your DNS points at CloudFlare, all traffic to your site is routed through their network, which has sophisticated mechanisms to identify and filter bad traffic.

What I did to stop this specific HTTP flooding:
– configure CloudFlare for the site
– enable your firewall (iptables) to allow traffic on ports 80 and 443 only if it comes from CloudFlare
– any other traffic on these 2 ports is simply blocked

List of CloudFlare’s IP ranges: https://www.cloudflare.com/ips

IPTables Rules (on CentOS):

#!/bin/bash
# Flush all existing rules, delete user-defined chains and zero the counters,
# so that the rule set below is the only one in effect.
iptables -F
iptables -X
iptables -Z
# Accept everything on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
# The following rules allow ALL incoming ssh connections on the eth0 interface
# (sshd listens on port 22022 here, not on the default port 22)
iptables -A INPUT -i eth0 -p tcp --dport 22022 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22022 -m state --state ESTABLISHED -j ACCEPT
# Accept HTTP/HTTPS only from CloudFlare's published IPv4 ranges
# (https://www.cloudflare.com/ips). The list changes over time, so re-check it
# before deploying these rules, otherwise legitimate proxied traffic gets dropped.
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -s 103.21.244.0/22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -s 103.22.200.0/22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -s 103.31.4.0/22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -s 104.16.0.0/12 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -s 108.162.192.0/18 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -s 131.0.72.0/22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -s 141.101.64.0/18 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -s 162.158.0.0/15 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -s 172.64.0.0/13 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -s 173.245.48.0/20 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -s 188.114.96.0/20 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -s 190.93.240.0/20 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -s 197.234.240.0/22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -s 198.41.128.0/17 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -s 199.27.128.0/21 -j ACCEPT

# Drop anything else on ports 80 and 443, i.e. every request that tries to reach
# the origin directly instead of going through CloudFlare. Rule order matters:
# -A appends, so this DROP is evaluated only after the ACCEPT rules above.
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -j DROP

# save rules (to /etc/sysconfig/iptables) and restart iptables so they survive a reboot
service iptables save
service iptables restart
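As an added example (not part of the original post), the following Python script generates the rule set above from the same list of CloudFlare ranges, so that the list can be refreshed from https://www.cloudflare.com/ips without retyping fifteen iptables lines, and it audits Apache access-log lines for requests whose client address is not a CloudFlare proxy. The function names (`is_cloudflare`, `build_rules`, `find_direct_hits`) and the sample log lines are my own assumptions; the log lines are constructed and use RFC 5737 documentation addresses for the non-CloudFlare clients.

```python
import ipaddress
import re

# CloudFlare IPv4 ranges exactly as used in the post's iptables rules. The
# authoritative list is https://www.cloudflare.com/ips and changes over time,
# so refresh it before deploying.
CLOUDFLARE_RANGES = [
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/12",
    "108.162.192.0/18", "131.0.72.0/22", "141.101.64.0/18", "162.158.0.0/15",
    "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20", "190.93.240.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "199.27.128.0/21",
]
NETWORKS = [ipaddress.ip_network(cidr) for cidr in CLOUDFLARE_RANGES]


def is_cloudflare(ip):
    """True if the address falls inside one of the CloudFlare ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NETWORKS)


def build_rules(ranges=CLOUDFLARE_RANGES, iface="eth0", ports="80,443"):
    """Generate the iptables commands from the post: one ACCEPT per CloudFlare
    range, then a catch-all DROP for the same ports. Order matters, since
    iptables evaluates the chain top to bottom and -A appends."""
    base = "iptables -A INPUT -i {iface} -p tcp -m multiport --dports {ports}".format(
        iface=iface, ports=ports)
    rules = ["{} -s {} -j ACCEPT".format(base, cidr) for cidr in ranges]
    rules.append("{} -j DROP".format(base))
    return rules


# Apache "combined" log format; the client address is the first field.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) ')


def find_direct_hits(log_lines):
    """Return (ip, request) for every log line whose client address is not a
    CloudFlare proxy. Once the firewall is active such lines should no longer
    appear; if they do, the rules are not in effect or the range list is stale."""
    direct = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # skip lines that are not in combined format
        ip, request, _status = m.groups()
        if not is_cloudflare(ip):
            direct.append((ip, request))
    return direct


# Constructed sample access-log lines (not from the post): two requests that
# arrived via CloudFlare proxies and two that reached the origin directly from
# RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '108.162.245.17 - - [10/Mar/2014:13:01:02 +0100] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [10/Mar/2014:13:01:03 +0100] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '172.68.10.9 - - [10/Mar/2014:13:01:03 +0100] "GET /style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2014:13:01:04 +0100] "GET /index.php HTTP/1.0" 200 5123 "-" "curl/7.29.0"',
]

if __name__ == "__main__":
    print("\n".join(build_rules()))
    for ip, request in find_direct_hits(SAMPLE_LOG):
        print("direct-to-origin hit from %s: %s" % (ip, request))
```

Keep in mind that once traffic is proxied, Apache's client field shows the CloudFlare address, not the visitor's; CloudFlare carries the visitor's address in the CF-Connecting-IP request header, which is what you would log if you want per-visitor statistics. The audit above deliberately looks at the raw client field, because the point is to confirm that nothing reaches ports 80 and 443 except CloudFlare's proxies.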

Links:

https://www.incapsula.com/ddos/attack-glossary/http-flood.html

http://cloudflare.com/

https://www.cloudflare.com/ips