Recently, I had to counter a layer 7 HTTP Flood DDoS attack on my server, which uses CloudFlare. I started by setting up Fail2Ban using the Nginx logs, and Fail2Ban would ban attackers, but they would still be able to hit my server. I finally understood that since they were passing through CloudFlare, I had to block them at a higher level: CloudFlare itself. Fortunately, CloudFlare offers a firewall and an API to block offenders.

Thus, the solution I found is to analyze Nginx's logs with Fail2Ban and trigger a ban once a certain threshold is met. We will ban the offender on the server, but also block them at CloudFlare using its REST API.
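To make the approach concrete, here is an added example (my own illustration, not code from the post or from Fail2Ban) that applies a Fail2Ban-style maxretry/findtime threshold to constructed Nginx log lines and builds the CloudFlare access-rule request that blocks an offender at the edge. It assumes the log's client field already holds the real visitor IP (Nginx's realip module fed from the CF-Connecting-IP header) and uses a placeholder API token.

```python
import json
import re
import urllib.request
from collections import defaultdict
from datetime import datetime

# Constructed Nginx "combined" access-log lines. The first field must already be the
# real visitor address (realip module fed from CloudFlare's CF-Connecting-IP header);
# if it were CloudFlare's edge address, the ban would hit CloudFlare itself.
def _line(ip, sec):
    return f'{ip} - - [10/Oct/2023:13:55:{sec:02d} +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"'

SAMPLE_LOG = "\n".join([_line("203.0.113.7", s) for s in range(0, 60, 10)]
                       + [_line("198.51.100.2", 3), _line("198.51.100.2", 4),
                          "garbage line that does not parse"])

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def find_offenders(log_text, maxretry=5, findtime=60):
    """Fail2Ban-style rule: an IP with >= maxretry hits inside any findtime-second window."""
    recent = defaultdict(list)   # ip -> timestamps still inside the sliding window
    offenders = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip = m.group("ip")
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        recent[ip] = [t for t in recent[ip] + [ts] if (ts - t).total_seconds() <= findtime]
        if len(recent[ip]) >= maxretry:
            offenders.add(ip)
    return sorted(offenders)

# CloudFlare's user-level IP access rules endpoint (v4 API).
CF_RULES_URL = "https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules"

def build_block_request(ip, api_token, note="fail2ban: HTTP flood"):
    """Build (but do not send) the POST that adds a 'block' access rule for `ip`."""
    body = {"mode": "block", "configuration": {"target": "ip", "value": ip}, "notes": note}
    return urllib.request.Request(
        CF_RULES_URL, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {api_token}", "Content-Type": "application/json"})

def block_at_cloudflare(ip, api_token):
    """Send the rule; needs network access and a real token (the placeholder below is not one)."""
    with urllib.request.urlopen(build_block_request(ip, api_token), timeout=10) as resp:
        return json.load(resp)["success"]

if __name__ == "__main__":
    for ip in find_offenders(SAMPLE_LOG):
        print("would block at CloudFlare:", ip, build_block_request(ip, "CF_API_TOKEN_PLACEHOLDER").data)
```

In a real Fail2Ban deployment the threshold logic lives in the jail (maxretry/findtime) and only the request-building part belongs in the action script.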

