Tweak - Cloudflare L7 DDoS (#475)
* Tweaked the Cloudflare L7 DDoS detection to filter out blocks

* Update cloudflare_rules/cloudflare_firewall_ddos.yml
wey-chiang authored Aug 8, 2022
1 parent 6e6b7e5 commit 22541ed
Showing 2 changed files with 32 additions and 1 deletion.
2 changes: 1 addition & 1 deletion cloudflare_rules/cloudflare_firewall_ddos.py
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
def rule(event):
if event.get("Source") != "l7ddos":
if event.get("Source") != "l7ddos" or event.get("Action") == "block":
return False
return True
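Review bot: the new `or event.get("Action") == "block"` clause makes every L7 DDoS event that Cloudflare already blocked return False, so a blocked attack that is still in progress produces no alert at all; if the goal is only to cut noise, consider keeping blocked events at a lower severity or at least recording the exclusion in the rule's description. The two-line if/return pair can also be collapsed to `return event.get("Source") == "l7ddos" and event.get("Action") != "block"`, which reads as the positive condition the rule is actually checking.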

31 changes: 31 additions & 0 deletions cloudflare_rules/cloudflare_firewall_ddos.yml
@@ -22,6 +22,37 @@ Tests:
-
Name: Traffic Marked as L7DDoS
ExpectedResult: true
Log:
{
"Action": "skip",
"ClientASN": 55836,
"ClientASNDescription": "RELIANCEJIO-IN Reliance Jio Infocomm Limited",
"ClientCountry": "in",
"ClientIP": "127.0.0.1",
"ClientRequestHost": "example.com",
"ClientRequestMethod": "GET",
"ClientRequestPath": "/main.php",
"ClientRequestProtocol": "HTTP/1.1",
"ClientRequestQuery": "",
"ClientRequestScheme": "http",
"ClientRequestUserAgent": "Fuzz Faster U Fool v1.3.1-dev",
"Datetime": "2022-05-10 06:36:57",
"EdgeColoCode": "DEL",
"EdgeResponseStatus": 403,
"Kind": "firewall",
"MatchIndex": 0,
"Metadata": {
"dos-source": "dosd-edge"
},
"OriginResponseStatus": 0,
"OriginatorRayID": "00",
"RayID": "7090a9da88e333d8",
"RuleID": "ed651449c4a54f4b99c6e3bf863134d5",
"Source": "l7ddos",
}
-
Name: Traffic Marked as L7DDoS but blocked
ExpectedResult: false
Log:
{
"Action": "block",
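Review bot: the "Traffic Marked as L7DDoS but blocked" log is cut off after `"Action": "block",`; make sure it also keeps `"Source": "l7ddos"` and the rest of the fields from the first case, otherwise the expected false result is already satisfied by the existing Source check and the new Action condition goes untested. The hunk header shows only the Tests section of this file changing, so if the rule has a Description or Reference above line 22 it should be updated in the same commit to say that blocked events are excluded. Minor: the trailing comma after `"Source": "l7ddos",` in the first log is not valid JSON (YAML flow mappings tolerate it); dropping it keeps the sample log pasteable into other tools.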