[jart]

Cloudflare doesn't even really protect against DDOS. Sometimes taking your website off Cloudflare is the only way to stop a DDOS attack. That's because you can't stop something like a level 4 ddos attack by blocking the IPs in raw prerouting iptables, because if you did that then you'd be blocking Cloudflare's IPs. The only option Cloudflare really provides you is pressing a panic button that forces everyone who visits your site to view a captcha, when it's really so trivial to just run the iptables commands using a token bucket algorithm. I know because I run a website on a 2 vCPU VM that gets DDOS'd all the time. I've had to block over nine thousand malicious malicious IPs so far. I tried using Cloudflare in the past for their protection services, but it made me (1) defenseless against bad visitors and (2) made good visitors angry at me for the captchas.

[solardev]

How did the attackers get your origin ip to begin with? I thought cloudflare was supposed to shield it at the DNS level, and in theory your origin should be dropping all connections not coming from an authenticated Cloudflare proxy?

[jart]

They weren't able to talk to my origin IP, because when I was using Cloudflare, I blocked at the firewall all IPs that weren't Cloudflare. The problem is that they would DDOS my server through Cloudflare. And because the traffic was being proxied, I couldn't block the attackers without blocking Cloudflare. Unless of course I wanted to fill out a form on their website 9,000 times. It's an awesome website by the way. I love their workers and r2 products. But Cloudflare honestly isn't that good at DDOS protection. These attacks were so bad that Cloudflare would start showing NGINX error pages before my web app even went down. Cloudflare should be paying me to protect them, rather than the other way around.

[prdonahue]

Do you have a support ticket # you can email me w/details (pat at cloudflare)?

We take every reported false negative as an opportunity to improve our DDoS mitigations, and these reports are very helpful.

As of a few weeks ago, you can now report FNs/FPs for Bot Mitigation directly in the dashboard, and we'll be expanding this pattern for use with DDoS Mitigation as well.