What is going on? Is this some kind of widespread attack?

thecoalman
Community Team Member
Posts: 6834
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: What is going on? Is this some kind of widespread attack?

Post by thecoalman »

You would need access to the firewall, VPS or dedicated server. If you have such access there are plenty of tutorials online.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
Lady_G
Registered User
Posts: 282
Joined: Fri Jun 08, 2012 12:38 pm
Location: US

Re: What is going on? Is this some kind of widespread attack?

Post by Lady_G »

thecoalman wrote: Thu May 08, 2025 5:38 pm It may take a while for the DNS to propagate, in the meantime the bots will still be hitting the server directly.

To fully take advantage of CF you can firewall off ports 80 and 443 except for CF IPs. This is a critical step for full DDOS protection because they can go around CF with local DNS if they know the IP of the origin server. Shouldn't be necessary for run of the mill out of control bots. It's only important when it's a purposeful attack.
Be sure to allow your own IP address (and those needing admin access) to your host. Otherwise, you'll be blocked from viewing your own site when things go awry. It's also possible you could get blocked by Cloudflare, so you'll need an alternate way in.
mattash
Registered User
Posts: 162
Joined: Thu Nov 11, 2004 6:33 am

Re: What is going on? Is this some kind of widespread attack?

Post by mattash »

make sure you have it pointed to the right site IP as well. mine was off when i first started
ATPTourFan
Registered User
Posts: 34
Joined: Mon Nov 11, 2013 9:01 pm

Re: What is going on? Is this some kind of widespread attack?

Post by ATPTourFan »

Just want to add that I signed up for free Cloudflare and after adjusting SSL settings and Nameservers, turned on their bot countermeasures.

This worked and over 1.3 million requests from Alibaba AI Cloud in Singapore were blocked in the past 30 minutes.
LePaul
Registered User
Posts: 74
Joined: Sat Feb 23, 2013 9:50 pm

Re: What is going on? Is this some kind of widespread attack?

Post by LePaul »

mattash wrote: Thu May 08, 2025 9:51 pm make sure you have it pointed to the right site IP as well. mine was off when i first started
The IP matches the IP listed in GoDaddy
cloudflare_Capture.PNG
GoDaddy
sharedCapture.PNG
LePaul
Registered User
Posts: 74
Joined: Sat Feb 23, 2013 9:50 pm

Re: What is going on? Is this some kind of widespread attack?

Post by LePaul »

Well GoDaddy had me pause the A records and WWW CNAME (set to DNS only on Cloudflare for all 4)

So I am no longer getting a Cloudflare error, just - well, down til the changes take effect.

Really sucks that bots/scammers have nothing better to do than take down hobby forums.
thecoalman
Community Team Member
Posts: 6834
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: What is going on? Is this some kind of widespread attack?

Post by thecoalman »

Lady_G wrote: Thu May 08, 2025 8:33 pm Be sure to allow your own IP address (and those needing admin access) to your host.
I'll elaborate a little more. For true DDOS protection you also need to eliminate anything that will expose the IP. Email is the one and only thing that requires exposing the IP.

With a VPS you usually get two IPs and you can always add others. On a WHM server you set up the hostname using a different domain that you don't have concern about DDOS. This is the "main" IP, you set up the domain you want to protect on the other IP with minimal DNS records on CF. WHM has an option to send email through the domain's IP or the main IP, so you send through the main IP and set the MX records etc. for the domain you want to protect to the main IP.

For the domain you want to protect you can now firewall just about everything with exceptions for Cloudflare on ports 80 and 443. If you need access to WHM, email panel etc. you can just use the main IP/hostname. This of course leaves the main IP exposed; however, it can be null routed during an attack. You'll lose email but it's a small price to pay. Ideally the email server is on another server altogether but that's more expense.

Firewalling those ports accomplishes two important things. If the attacker determines the IP it will mitigate the attack because the requests are being blocked at the firewall. The second thing it does is help prevent them from finding it to begin with. If they know who the host is they can send a bot across your host's IP range making a request for a unique file on your site, which the WHM server will happily spit out if it's the default domain on that IP. :)
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
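
The firewall arrangement described by thecoalman and Lady_G above, as an added example that is not part of any post in this thread: a shell helper that builds an nftables ruleset allowing ports 80 and 443 on the protected IP only from Cloudflare ranges and admin addresses. The use of nftables, the table name `origin_guard`, the function names and every address (documentation ranges) are assumptions; the rules cover IPv4 only.

```bash
#!/bin/sh
# Added example (not from the thread): build an nftables ruleset that lets only
# Cloudflare and admin addresses reach ports 80/443 on the protected IP.
# Every address used with it here is a constructed placeholder; the real proxy
# ranges come from Cloudflare's published IP list.

CIDR_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'   # shape check only

# Read one IPv4 address/CIDR per line on stdin, skip blanks and # comments,
# reject anything else, and print the entries joined with ", ".
join_cidrs() (
  out=""
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')
    [ -z "$line" ] && continue
    printf '%s\n' "$line" | grep -Eq "$CIDR_RE" ||
      { echo "rejected entry: $line" >&2; exit 1; }
    out="${out:+$out, }$line"
  done
  [ -n "$out" ] || exit 1        # refuse to build rules from an empty list
  printf '%s' "$out"
)

# build_ruleset PROTECTED_IP CF_LIST_FILE ADMIN_LIST_FILE
build_ruleset() (
  printf '%s\n' "$1" | grep -Eq "$CIDR_RE" || exit 1
  cf=$(join_cidrs < "$2") || exit 1
  admin=$(join_cidrs < "$3") || exit 1
  cat <<EOF
table inet origin_guard {
  set cf_v4 {
    type ipv4_addr
    flags interval
    elements = { $cf }
  }
  set admin_v4 {
    type ipv4_addr
    flags interval
    elements = { $admin }
  }
  chain input {
    type filter hook input priority 0; policy accept;
    ip daddr $1 tcp dport { 80, 443 } ip saddr @cf_v4 accept
    ip daddr $1 tcp dport { 80, 443 } ip saddr @admin_v4 accept
    ip daddr $1 tcp dport { 80, 443 } drop
  }
}
EOF
)
```

Call it as `build_ruleset 203.0.113.20 cf.txt admin.txt > origin_guard.nft`, read the result, and load it with `nft -f` only once the admin list contains the address you are connecting from.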
xinu-mike
Registered User
Posts: 13
Joined: Sat Jan 28, 2023 12:44 pm

Re: What is going on? Is this some kind of widespread attack?

Post by xinu-mike »

I have been blocking ip address ranges, but like cockroaches, you squash some and some more come crawling out.
Turning my board to member only browsing has helped a lot, but one question, when I look on who's online, guests, why do I see: "Viewing user control panel" and other things, rather than just 'index'?

Are these 'known' links that redirect them anyway?

Thank you, Mike
thecoalman
Community Team Member
Posts: 6834
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: What is going on? Is this some kind of widespread attack?

Post by thecoalman »

It just means they made a request for the page because they came across a link somewhere. That will appear even if they get the permissions denied page, login page or whatever. If you copy the link for private messages in your active browser and paste it into the address bar on another browser, you'll get a prompt to log in. If you go back to the active browser your IP will be listed as guest in the UCP.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
LePaul
Registered User
Posts: 74
Joined: Sat Feb 23, 2013 9:50 pm

Re: What is going on? Is this some kind of widespread attack?

Post by LePaul »

Looks like the changes made went through - my board is back up (3dprintingforum.us)

I'm hoping those edits to the Cloudflare will help with future attacks - I see 115 online at the moment, 3 actual users.
dontcoz
Registered User
Posts: 519
Joined: Mon Sep 29, 2008 9:49 pm
Location: Vancouver, BC

Re: What is going on? Is this some kind of widespread attack?

Post by dontcoz »

Posting this for anyone with “too many redirections” error when switching to Cloudflare nameservers. Root cause: SSL/TLS Mode Misconfiguration

In Cloudflare’s SSL/TLS settings, if you choose “Flexible SSL”, Cloudflare connects to your origin server using HTTP, while serving the visitor over HTTPS. If your origin server is configured to redirect all HTTP to HTTPS, a loop occurs:

Visitor → Cloudflare (HTTPS)
Cloudflare → Origin (HTTP)
Origin → Redirects to HTTPS → back to Cloudflare → and so on...

Fix: Log in to Cloudflare → SSL/TLS → Set mode to “Full” or “Full (Strict)”

Full = Cloudflare connects to your server using HTTPS.
Full (Strict) = Same, but requires a valid SSL certificate on your server (better option).
dontcoz
Registered User
Posts: 519
Joined: Mon Sep 29, 2008 9:49 pm
Location: Vancouver, BC

Re: What is going on? Is this some kind of widespread attack?

Post by dontcoz »

I am at almost 1000 guests, even with CF.

This was never an issue with previous versions of phpbb. I wonder if we’ll see an improvement in 3.3.16.

Purging sessions helps but who wants to do that every day, a few times a day.
Mick
Support Team Member
Posts: 26926
Joined: Fri Aug 29, 2008 9:49 am

Re: What is going on? Is this some kind of widespread attack?

Post by Mick »

What are you expecting phpBB to do?
“The more connected we get the more alone we become” - Kyle Broflovski© 🇬🇧
dontcoz
Registered User
Posts: 519
Joined: Mon Sep 29, 2008 9:49 pm
Location: Vancouver, BC

Re: What is going on? Is this some kind of widespread attack?

Post by dontcoz »

to make it more difficult for malicious bots to crawl viewtopic and viewforum. for starters it could be an extension to:
1. Track IP or session activity (e.g. number of viewtopic.php hits per minute).
2. Store request timestamps in the DB or cache.
3. Block or throttle users exceeding a threshold.
4. Optionally delay page loads or redirect them.

this is obviously just a wish-list. i am far from an expert and have no idea how much work would this be and whether that would cause some other issues.

btw CF seems to be holding the fort successfully so far. i get up to 1000 guests at times but that's a far cry from getting over 7000 on a few different forums sitting on the same shared server
thecoalman
Community Team Member
Posts: 6834
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: What is going on? Is this some kind of widespread attack?

Post by thecoalman »

dontcoz wrote: Mon May 12, 2025 6:58 am to make it more difficult for malicious bots to crawl viewtopic and viewforum. for starters it could be an extension to:
1. Track IP or session activity (e.g. number of viewtopic.php hits per minute).
2. Store request timestamps in the DB or cache.
3. Block or throttle users exceeding a threshold.
4. Optionally delay page loads or redirect them.

this is obviously just a wish-list. i am far from an expert and have no idea how much work would this be and whether that would cause some other issues.
There are Apache modules purpose-built for rate limiting and Cloudflare has an option for this too, but it's fairly limited with the free plan.

This would likely increase server load because you are introducing additional processing and DB activity for every request whether it's a bot or not. phpBB can't stop requests so you use tools at your disposal further up the chain that can. Even .htaccess is not an ideal place to be blocking activity but it may be the only option for many.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
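
The per-minute tracking dontcoz lists, done from the web server's access log instead of inside phpBB, in line with thecoalman's point about acting further up the chain. This is an added example, not code from any post in the thread; it assumes Apache combined log format, and the function names and sample log lines are constructed.

```bash
#!/bin/sh
# Added example (not from the thread): count viewtopic.php / viewforum.php hits
# per client per clock minute from an Apache combined-format access log.

# Constructed sample log lines (documentation-range addresses).
sample_log() {
  cat <<'EOF'
192.0.2.50 - - [08/May/2025:17:38:01 +0000] "GET /viewtopic.php?t=101 HTTP/1.1" 200 5120 "-" "ExampleBot"
192.0.2.50 - - [08/May/2025:17:38:02 +0000] "GET /viewtopic.php?t=102 HTTP/1.1" 200 5090 "-" "ExampleBot"
192.0.2.50 - - [08/May/2025:17:38:03 +0000] "GET /viewforum.php?f=2 HTTP/1.1" 200 8841 "-" "ExampleBot"
192.0.2.50 - - [08/May/2025:17:38:40 +0000] "GET /viewtopic.php?t=103 HTTP/1.1" 200 4977 "-" "ExampleBot"
192.0.2.50 - - [08/May/2025:17:39:05 +0000] "GET /viewtopic.php?t=104 HTTP/1.1" 200 5003 "-" "ExampleBot"
198.51.100.9 - - [08/May/2025:17:38:10 +0000] "GET /index.php HTTP/1.1" 200 7120 "-" "Mozilla/5.0"
198.51.100.9 - - [08/May/2025:17:38:30 +0000] "GET /viewtopic.php?t=7 HTTP/1.1" 200 6230 "-" "Mozilla/5.0"
EOF
}

# flag_crawlers THRESHOLD: reads log lines on stdin and prints "ip minute hits"
# for each client at or above THRESHOLD topic/forum page requests in one minute.
flag_crawlers() {
  awk -v limit="$1" '
    # $1 = client IP, $4 = "[dd/Mon/yyyy:hh:mm:ss", $7 = request path
    $7 ~ /\/(viewtopic|viewforum)\.php/ {
      hits[$1 " " substr($4, 2, 17)]++     # key: ip + dd/Mon/yyyy:hh:mm
    }
    END { for (k in hits) if (hits[k] >= limit) print k, hits[k] }
  ' | sort
}

# offender_ips THRESHOLD: distinct client IPs only, e.g. as input to a deny list.
offender_ips() {
  flag_crawlers "$1" | cut -d' ' -f1 | sort -u
}

sample_log | flag_crawlers 3
```

Because the counting happens on the log and not in the request path, it adds no PHP or database work per page view.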
