a month ago
hey, what's the best way to handle attacks on the website? only rate-limit the app, or does cloudflare or railway provide something to handle this?
14 Replies
a month ago
This is probably just a bot trying to scrape for any vulnerabilities.
You can usually prevent this by using Cloudflare as your DNS provider, then enabling their security features such as bot fight mode and browser integrity checks.
a month ago
cloudflare is being really slow to catch ddos and bots
a month ago
I use it and activated everything, it took 800 requests in a second from the same source, it was disabled by railway by max memory usage, but cloudflare didn't stop it
a month ago
Is your service an API or website? for website, you could enable the "I'm under attack" mode from Cloudflare and that will basically show a captcha to everyone before accessing your website.
a month ago
website, is there a way to automatically switch that? my usage is being spent only on those bots, but I didn't want to add this captcha
a month ago
Cloudflare does not offer an automatic option afaik
but you can always leave it enabled https://developers.cloudflare.com/fundamentals/reference/under-attack-mode/ or filter by specific patterns (like the .zip path you're experiencing).
a month ago
You can create a custom security rule to block all requests that try to hit the *.zip route in Cloudflare domain security rules.
a month ago
added both wordpress and zip paths too, I really appreciate the time to help me out @pepper and @ThallesComH
any plans for railway to support some kind of protection from within the dashboard?
a month ago
No plans that I know of for a built-in DDoS protection, even Railway employees recommend using Cloudflare for now.
a month ago
Also, I still would recommend activating the "I'm under attack" mode as those bots will come back at some point with a newer way of bypassing your simple firewall rule. Rule of thumb is, activate it when under attack and deactivate when the script kiddies get bored. If the pattern is simple enough, then proceed with a WAF rule like pepper suggested.
Also, I don't know how your website works but "I'm under attack" might cause some issues, here's a cool video by Jeff Geerling on how he handled it: . Might be useful to you.
a month ago
just finished watching the video, thanks for the recommendation, I'm adding some monitoring tools to help me understand those attacks better
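An added example (not posted by anyone in this thread) of the kind of monitoring mentioned above: it parses constructed Common Log Format access log lines, flags sources that hit scanner-only paths (the .zip and wordpress probes from this thread) or burst many requests in one second, and emits the equivalent Cloudflare custom-rule expression. The log lines, IPs and the burst threshold are constructed assumptions; the thread saw 800 requests per second, so tune the threshold to your own baseline.

```python
import re
from collections import Counter

# Constructed sample access log (Common Log Format); not real traffic from the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:12:00:01 +0000] "GET /backup.zip HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2025:12:00:01 +0000] "GET /site.zip HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2025:12:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2025:12:00:01 +0000] "GET /xmlrpc.php HTTP/1.1" 404 153
198.51.100.2 - - [10/Mar/2025:12:00:02 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.2 - - [10/Mar/2025:12:00:05 +0000] "GET /about HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Paths a real visitor of this site never requests; a hit here is a scanner fingerprint.
PROBE_PATTERNS = [r"\.zip$", r"^/wp-", r"^/xmlrpc\.php$"]


def parse(log_text):
    """Parse CLF lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, log_text.splitlines()) if m]


def is_probe(path):
    return any(re.search(p, path) for p in PROBE_PATTERNS)


def find_attackers(rows, burst_threshold=3):
    """Sources that hit probe paths, and sources exceeding burst_threshold requests in one second.

    The timestamp has one-second resolution, so counting (ip, ts) pairs gives requests per second.
    """
    probing = Counter(r["ip"] for r in rows if is_probe(r["path"]))
    per_second = Counter((r["ip"], r["ts"]) for r in rows)
    bursting = {ip for (ip, _), n in per_second.items() if n >= burst_threshold}
    return {"probing": dict(probing), "bursting": sorted(bursting)}


def waf_expression():
    """Cloudflare custom-rule (WAF) expression matching the same probe paths as PROBE_PATTERNS.

    Uses the documented Rules language functions ends_with()/starts_with(); confirm it in the
    dashboard expression editor before deploying with the Block action.
    """
    return ('(ends_with(http.request.uri.path, ".zip")) or '
            '(starts_with(http.request.uri.path, "/wp-")) or '
            '(http.request.uri.path eq "/xmlrpc.php")')
```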
a month ago
btw, this was since yesterday, I didn't even publish the website url publicly yet
a month ago
Yeah, those people are peak unemployment unfortunately