|
|
|
|
|
|
by nijave
493 days ago
|
|
|
We had rate limiting with Istio/Envoy but Envoy was using 4-8x normal memory processing that much traffic and crashing. The attacker was using residential proxies and making about 8 requests before cycling to a new IP. Challenges work much better since they use cookies or other metadata to establish a client is trusted then let requests pass. This stops bad clients at the first request but you need something more sophisticated than a webserver with basic rate limiting. |
|
|
So how is Cloudflare supposed to distinguish legitimate new visitors from new attack IPs if you can't?
Because it matches my experience as a cloudflare user perfectly if the answer were "they can't"