My Cloudflare setup for reducing malicious attacks. It also has a rule for VPN providers and VPS providers.
The rule below is used for embedding things inside Discord, say images, mp4 files, or anything else. It also works as a bypass if you need other things to have full access.
This last rule is by far the most extensive and annoyingly long one, but it blocks most "bad actors" from accessing your site. It blocks Tor, unknown countries, and many other things that could bypass or even monitor your website (referring to https://check-host.net/?lang=en).
This WAF rule also blocks other request methods, meaning POST, HEAD, or any other method do NOT work. If you want to change that, add the methods you need to the method set inside this rule (GET, POST, PUT, etc.).
Note that an empty user agent is matched with http.user_agent eq "" (the expression editor accepts one clause per line; line breaks are ignored).
(cf.client.bot)
or (http.user_agent contains "Cyotek")
or (http.user_agent contains "python")
or (http.user_agent contains "undefined")
or (http.user_agent eq "")
or (http.user_agent contains "HTTrack")
or (http.user_agent contains "CheckHost")
or (http.user_agent contains "Java")
or (http.user_agent contains "curl")
or (http.user_agent contains "RestSharp")
or (http.user_agent contains "Ruby")
or (http.user_agent contains "Nmap")
or (http.user_agent eq "libwww")
or (not http.request.version in {"HTTP/1.0" "HTTP/1.1" "HTTP/1.2" "HTTP/2" "HTTP/3"})
or (ip.geoip.country eq "T1")
or (ip.geoip.country eq "XX")
or (cf.threat_score ge 2)
or (not http.request.method in {"GET" "POST"} and http.request.uri.path eq "/s")
or (http.user_agent contains "Uptime-Kuma")
or (http.user_agent contains "sitechecker")
or (http.user_agent contains "axios")
or (http.referer contains "youtube.com")
or (http.referer contains "yahoo.com")
or (http.referer contains "https://google.com")
or (http.referer contains "https://check-host.net")
or (http.referer contains "fbi.com")
or (http.referer contains "bing.com")
If you need help creating the rule: click "Edit expression", paste the expression above into the box, and press Save.
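To see which requests the expression above would catch before you save it, here is an added example (my own test harness, not Cloudflare's evaluator and not part of the original setup) that re-implements the rule clause by clause in Python and runs constructed sample requests through it. The request dict keys (user_agent, http_version, country, threat_score, client_bot, method, path, referer) are assumptions standing in for the corresponding Cloudflare fields.

```python
"""Local re-implementation of the WAF expression above, so you can check
which requests it would match before deploying it. Added example, not
Cloudflare's evaluator; it mirrors the rule clause by clause (Cloudflare's
`contains` is case-sensitive, as is Python's `in`). Sample requests below
are constructed, not real traffic."""

# Substrings the rule checks with `http.user_agent contains "..."`.
UA_SUBSTRINGS = ["Cyotek", "python", "undefined", "HTTrack", "CheckHost", "Java",
                 "curl", "RestSharp", "Ruby", "Nmap", "Uptime-Kuma", "sitechecker", "axios"]
# Exact matches (`http.user_agent eq "..."`); "" is the empty user-agent case.
UA_EXACT = {"", "libwww"}
ALLOWED_VERSIONS = {"HTTP/1.0", "HTTP/1.1", "HTTP/1.2", "HTTP/2", "HTTP/3"}
# Cloudflare geoip codes: T1 = Tor exit node, XX = unknown country.
BLOCKED_COUNTRIES = {"T1", "XX"}
REFERER_SUBSTRINGS = ["youtube.com", "yahoo.com", "https://google.com",
                      "https://check-host.net", "fbi.com", "bing.com"]
THREAT_SCORE_MIN = 2          # cf.threat_score ge 2
RESTRICTED_PATH = "/s"        # only GET and POST are allowed on this path


def matching_clause(req):
    """Return the first clause that matches `req`, or None if it would pass."""
    # cf.client.bot is Cloudflare's "known good bot" flag, so this clause also
    # catches verified crawlers such as search engines.
    if req.get("client_bot", False):
        return "cf.client.bot"
    ua = req.get("user_agent", "")
    for s in UA_SUBSTRINGS:
        if s in ua:
            return f'http.user_agent contains "{s}"'
    if ua in UA_EXACT:
        return f'http.user_agent eq "{ua}"'
    if req.get("http_version") not in ALLOWED_VERSIONS:
        return "http.request.version not in allowed set"
    if req.get("country") in BLOCKED_COUNTRIES:
        return f'ip.geoip.country eq "{req["country"]}"'
    if req.get("threat_score", 0) >= THREAT_SCORE_MIN:
        return f"cf.threat_score ge {THREAT_SCORE_MIN}"
    if req.get("method") not in {"GET", "POST"} and req.get("path") == RESTRICTED_PATH:
        return f"method not in GET/POST on {RESTRICTED_PATH}"
    ref = req.get("referer", "")
    for s in REFERER_SUBSTRINGS:
        if s in ref:
            return f'http.referer contains "{s}"'
    return None


BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0 Safari/537.36")

# Constructed sample requests (assumed field names), not real traffic.
SAMPLES = {
    "browser":  {"user_agent": BROWSER_UA, "http_version": "HTTP/2", "country": "US",
                 "threat_score": 0, "method": "GET", "path": "/"},
    "curl":     {"user_agent": "curl/8.4.0", "http_version": "HTTP/1.1", "country": "US",
                 "threat_score": 0, "method": "GET", "path": "/"},
    "empty_ua": {"user_agent": "", "http_version": "HTTP/1.1", "country": "US",
                 "threat_score": 0, "method": "GET", "path": "/"},
    "tor":      {"user_agent": BROWSER_UA, "http_version": "HTTP/2", "country": "T1",
                 "threat_score": 0, "method": "GET", "path": "/"},
    "delete_s": {"user_agent": BROWSER_UA, "http_version": "HTTP/2", "country": "US",
                 "threat_score": 0, "method": "DELETE", "path": "/s"},
    "yt_ref":   {"user_agent": BROWSER_UA, "http_version": "HTTP/2", "country": "US",
                 "threat_score": 0, "method": "GET", "path": "/",
                 "referer": "https://www.youtube.com/watch"},
}


def classify_all(samples=SAMPLES):
    """Map sample name -> matching clause (None means the request gets through)."""
    return {name: matching_clause(req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, clause in classify_all().items():
        print(f"{name:9s} -> {'pass' if clause is None else 'BLOCK: ' + clause}")
```

Running it shows the normal browser request passing while the curl, empty user agent, Tor exit, DELETE on /s and YouTube-referred requests each report the clause that caught them. One thing the harness makes visible: because cf.client.bot marks verified good bots, the first clause also blocks search-engine crawlers, so drop it if you want your site indexed.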
This third rule is by far the best one I've done. It contains quite a few VPN providers' ASN numbers, meaning you can blacklist users who are on a VPN from your site, or serve them a Managed Challenge.
This rule is for malicious ASNs, referring to providers that allow or have a lot of malicious activity on their networks. This can also include various hosting providers.
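Both the VPN rule and the malicious-ASN rule are just membership tests on the source ASN, so here is an added example (my own script, not the page's rule and not the bad-asn-list project's code) that turns a bad-ASN CSV into Cloudflare expressions you can paste into a Block or Managed Challenge rule. It assumes the list's CSV layout is an ASN,Entity table with a header row, uses a tunable length cap because Cloudflare limits expression size (the exact cap is an assumption here), and the sample rows are constructed, not entries from the real list.

```python
"""Build Cloudflare ASN rule expressions from a bad-ASN CSV.
Added example, not the page's own rule or the bad-asn-list project's code.
Assumes an "ASN","Entity" CSV with a header row; sample rows are constructed."""

import csv
import io
import re

# Constructed sample in the assumed layout (RFC 5398 documentation ASNs), not real list entries.
SAMPLE_CSV = '''"ASN","Entity"
"64496","Example Hosting Ltd"
"64497","Example VPN Co"
"64498","Example Cloud Inc"
"AS64499","Example Colo"
"64496","Example Hosting Ltd (duplicate row)"
'''


def parse_asns(csv_text):
    """Return sorted, de-duplicated ASN integers; accepts '123' and 'AS123' forms."""
    asns = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = (row.get("ASN") or "").strip()
        m = re.fullmatch(r"(?:AS)?(\d+)", raw, re.IGNORECASE)
        if m:
            asns.add(int(m.group(1)))
    return sorted(asns)


def render(asns):
    """One Cloudflare clause: ip.geoip.asnum in {a b c}. Sets are space-separated."""
    return "(ip.geoip.asnum in {" + " ".join(str(a) for a in asns) + "})"


def build_expressions(asns, exclude=(), max_len=4000):
    """Split ASNs into one or more expressions, each at most max_len characters.

    `exclude` holds ASNs you rely on (your own monitoring host, a CDN you use)
    that the list flags but you do not want to block. max_len is an assumed cap;
    adjust it to what your plan's rule editor accepts. Each expression goes into
    its own rule if the list does not fit in one."""
    exprs, chunk = [], []
    for a in asns:
        if a in set(exclude):
            continue
        if chunk and len(render(chunk + [a])) > max_len:
            exprs.append(render(chunk))
            chunk = []
        chunk.append(a)
    if chunk:
        exprs.append(render(chunk))
    return exprs


if __name__ == "__main__":
    # Exclude 64497 as a stand-in for an ASN you depend on.
    for expr in build_expressions(parse_asns(SAMPLE_CSV), exclude={64497}):
        print(expr)
```

Run with the real list by replacing SAMPLE_CSV with the file contents; if the output is more than one expression, create one rule per expression with the same action (Block or Managed Challenge) rather than trying to join them with `or` in a single rule that exceeds the size limit.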
After all that is done, make sure to go and disable Bot Fight Mode, located under the Bots tab. Then order the ruleset exactly how I have mine.
Or, if you have Cloudflare Pro or anything above it, go and set the first top 2 options to BLOCK and also disable JavaScript Detections.
Disable the option above; otherwise you will still receive the DDoS attack. I've done testing and it works better without this.
The results from the image above (the ones showing the request counts) are running off a $5 Linode VPS (shared), and the rules above have solved the issue of L7 DDoS attacks.
Myself and this guy on this repo https://github.com/brianhama/bad-asn-list