Attack Scale
From 3 to 6 a.m. today, we encountered a wave of DDoS attacks, the largest so far, which is worth recording:
Number of attack requests:
Attack bandwidth:
Number of attackers:
Attacker source:
The top 3 IP addresses and number of attack requests initiated this time are:
Attack Types
This attack was a direct attack on the path "/wp-admin/admin-ajax.php", which really hurt, because the WordPress comment function relies on AJAX calls to that path: I can't simply block it outright (otherwise nobody can comment). The previous attack on my blog's admin-ajax.php was mainly an indirect one, using TranslatePress to initiate the AJAX calls (see article: Home Data Center Series: Cracking the WordPress AJAX Protection Problem: Using Cloudflare Tunnel to "divide" normal website access and attack traffic), but I have already blocked that path. This time it was a direct attack, and most of it was blocked by Cloudflare:
However, many requests still stayed below the global rate limit and reached the intranet, where they were filtered by the intranet WAF:
Even so, some requests still reached the origin server. The reason was that the rate-limit threshold I allowed for admin-ajax.php was too lenient:
It seems I can no longer afford to leave such openings.
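To make the "threshold too lenient" point concrete, here is an added example (not code from the original post) that replays origin access-log lines through a per-IP sliding-window rate limit on /wp-admin/admin-ajax.php and reports how many requests would still reach WordPress at a lenient versus a strict threshold, together with the top source IPs, the same kind of ranking as the "top 3 IP addresses" table above. The log lines, IP addresses (RFC 5737 test ranges), timestamps and the 60-per-minute versus 10-per-minute thresholds are all constructed for the example; the combined log format is an assumption, not the blog's actual WAF output.

```python
"""Replay access-log lines through a per-IP sliding-window rate limit
for /wp-admin/admin-ajax.php and see what a given threshold lets through."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone
import re

AJAX_PATH = "/wp-admin/admin-ajax.php"

# Combined log format (assumed), e.g.
# 203.0.113.5 - - [01/Jan/2024:03:00:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), path (query stripped), status; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def evaluate_rate_limit(lines, limit, window_seconds=60, path=AJAX_PATH):
    """Simulate a per-IP limit of `limit` requests per `window_seconds` on `path`.

    Every hit, blocked or not, counts toward the window, so a flooding client
    cannot "earn" new allowance simply by continuing to send requests.
    Returns how many matching requests would be allowed through to the origin,
    how many blocked, and the three busiest source IPs.
    """
    events = [e for e in map(parse_line, lines) if e and e["path"] == path]
    events.sort(key=lambda e: e["ts"])
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps of hits inside the window
    allowed, blocked = Counter(), Counter()
    for e in events:
        q = recent[e["ip"]]
        while q and e["ts"] - q[0] >= window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= limit:
            blocked[e["ip"]] += 1
        else:
            allowed[e["ip"]] += 1
        q.append(e["ts"])
    total = allowed + blocked
    return {
        "matched": sum(total.values()),
        "allowed": sum(allowed.values()),
        "blocked": sum(blocked.values()),
        "top_ips": total.most_common(3),
    }


def build_sample_log():
    """Constructed access log: two flooding sources and one human commenter."""
    base = datetime(2024, 1, 1, 3, 0, 0, tzinfo=timezone.utc)  # constructed date

    def line(ip, offset, path=AJAX_PATH, method="POST", status=200):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512'

    lines = []
    lines += [line("203.0.113.5", i) for i in range(40)]        # 40 hits in 40 s
    lines += [line("198.51.100.7", 2 * i) for i in range(25)]   # 25 hits in 50 s
    lines += [line("192.0.2.10", t) for t in (5, 120, 400)]      # three comments, minutes apart
    lines.append(line("192.0.2.10", 6, path="/", method="GET"))  # unrelated page view, ignored
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    for limit in (60, 10):
        print(f"{limit}/min:", evaluate_rate_limit(log, limit))
```

With the lenient 60-per-minute setting every one of the 68 admin-ajax.php hits reaches the origin; at 10 per minute the two flooding IPs are cut off after their first ten hits each while the commenter's three widely spaced requests all pass, which is the trade-off a per-path limit on admin-ajax.php is meant to strike.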
The "attack request count" and "attack bandwidth" mentioned earlier both refer to uncached requests and bandwidth, which raises a question: why does Cloudflare report only 18.29k uncached requests while my intranet WAF logged nearly 2 million? I can think of three possible reasons:
- Cloudflare excludes requests that are blocked (e.g. triggering WAF rules, rate limiting, DDoS protection, etc.) from "uncached requests".
- Attack tools may hit the same resource (such as admin-ajax.php) repeatedly, producing duplicate connections. For example, an attacker sends a request, receives a 429 or another restricted response, and the tool retries automatically. The origin server records every attempt, while Cloudflare counts only the initial request.
These details are not that important, though.
Note 1: A Cloudflare Free account exposes too few statistics, which is quite annoying.
Note 2: The free intranet WAF still has too few features. I previously removed the load balancer behind the WAF because I felt it was a waste of resources, but now it seems it is needed after all.
Note 3: This time the blog did have a problem, forcing me to spend 1 second restarting the WordPress Docker container. I'm an honest person and won't deny it, but it really didn't take much technical skill.
Cloudflare is pretty powerful. If you switch to a domestic CDN, you can get a bill in minutes.
Yes, at Tencent Cloud CDN's price of 20 yuan per 100G, that would be 1,000.