Is This a DDOS Attack?

Starting around September 3, this site started receiving suspicious amounts of traffic. I wouldn’t even have known about it had I not noticed that my server’s disk usage had increased. I have to thank Cloudflare for that. If not for their service, my server would have been on fire and my provider might have suspended me. I feel guilty for being a long-time free user. 😅

All the traffic was directed at a single page, /asteroid/. I’m thinking that someone using my free WordPress theme is under attack and the bots are just following the link pointing to my site. After all, why would anyone target me specifically? I’m nobody.

Anyway, thanks to Cloudflare I didn’t see any increase in my CPU load; instead, all I saw was my log files increasing to a couple of gigabytes, since all the bots’ requests were being recorded.

[Figure: DDOS Attack Graph. From the usual 40K requests per day to a peak of 2.5M.]
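
The following is an added example, not the author's own tooling: it reads web server access logs, assumed here to be in Combined Log Format, and flags days where total requests jump far above the median daily total while a single path (such as /asteroid/) receives most of them. The log lines, dates, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Combined Log Format: ip - - [day:time zone] "METHOD path PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def path_counts_by_day(lines):
    """Return {day: Counter({path: hits})}; query strings stripped, bad lines skipped."""
    days = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            days[m["day"]][m["path"].split("?", 1)[0]] += 1
    return days

def flag_floods(days, factor=10, min_share=0.5):
    """Flag (day, path, hits) when the day's total is >= factor x the median daily
    total and a single path receives >= min_share of that day's requests."""
    if not days:
        return []
    totals = {day: sum(c.values()) for day, c in days.items()}
    baseline = median(totals.values())
    flagged = []
    for day, counter in days.items():
        path, hits = counter.most_common(1)[0]
        if totals[day] >= factor * baseline and hits / totals[day] >= min_share:
            flagged.append((day, path, hits))
    return flagged

def sample_log():
    """Constructed sample: three quiet days, then a flood aimed at /asteroid/."""
    fmt = '{ip} - - [{day}:10:00:00 +0000] "GET {path} HTTP/1.1" 200 512 "-" "constructed-agent"'
    lines = ["not a log line"]  # malformed input must be ignored, not crash
    for day in ("01/Sep/2022", "02/Sep/2022", "03/Sep/2022", "04/Sep/2022"):
        for path in ("/", "/about/", "/asteroid/", "/feed/"):
            lines.append(fmt.format(ip="198.51.100.7", day=day, path=path))
    for i in range(60):  # flood: many source IPs, one target path
        lines.append(fmt.format(ip=f"203.0.113.{i}", day="04/Sep/2022", path=f"/asteroid/?n={i}"))
    return lines

if __name__ == "__main__":
    for day, path, hits in flag_floods(path_counts_by_day(sample_log())):
        print(f"{day}: {hits} requests to {path}")
```

The flagged path is the one to scope a challenge rule to, rather than challenging the whole site.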

Stopping Bots with Cloudflare

The attacks were mainly coming from IPs originating in India and the United States. I didn’t want my log files to balloon even further, so I initially used Cloudflare’s IP Access Rules. What I managed to do was to make all the IPs originating in India be subjected to a JavaScript Challenge where they are tested by Cloudflare before being allowed to proceed to my website.

That worked as expected and blocked the bots using Indian IPs, but I found that the Firewall Rules feature was even better. I deleted the IP Access Rule I set up and added 1 Firewall Rule that adds a JavaScript test (Managed Challenge) to any IP visiting my site’s targeted pages. This stopped all those malicious bots, not just the ones from India.

If the bots’ details are accurate, then they show that they are mostly mobile Android devices coming from these networks:

  • AS132203 TENCENT-NET-AP-CN Tencent Building, Kejizhongyi Avenue.
  • AS45102 ALIBABA-CN-NET Alibaba US Technology Co., Ltd.
  • AS16509 AMAZON-02

Looking at Cloudflare’s Analytics page, I can see that the attacks are still ongoing as of writing this post (Sep 10), but thanks to Cloudflare’s DDOS protection and Firewall Rules, my own server remains unaffected. This post is not sponsored by Cloudflare btw 😜 but I’d like to take this opportunity to thank them for the free lunch they provide to this poor boy.