Introduction
My website normally uses split DNS resolution for domestic and overseas visitors: the default route goes to a domestic CDN, while overseas visitors are resolved to Cloudflare through a CNAME record. See my article Using CNAME to Access CloudFlare for how to set up the CNAME to Cloudflare.
This setup blocks many attacks from overseas (assuming the origin IP is not exposed). Recently, though, I learned about so-called "shield piercing", which apparently means getting past Cloudflare's shield and attacking the origin anyway. It's really disgusting.
Cloudflare's most effective DDoS defense is "Under Attack mode", the 5-second shield, which is the topic of this post.
When it is enabled, every visitor is first redirected to Cloudflare's challenge page, which spends about 5 seconds verifying that the visitor is a real user; this effectively relieves the pressure an attack puts on the origin.
Leaving it on permanently hurts normal access, so today I'll share a script that switches it on and off automatically.
Open-source sh script
The open-source shell script Cloudflare-Block watches the system load on a Linux server and automatically enables Cloudflare's 5-second shield when the server comes under attack.
API Preparation
Register or log in to Cloudflare and collect two values:
Global API Key: found on your profile page (https://dash.cloudflare.com/profile).
Zone ID: click the domain name in the Cloudflare dashboard and scroll down on the right-hand side of the overview page.
Save both values; the script needs them.
Script Usage
Copy the code below, save it as Cloudflare.sh, and add it to crontab so it runs regularly (a BaoTa scheduled task also works).
#!/bin/bash
# Fields of /proc/loadavg: $1 = 1-min, $2 = 5-min, $3 = 15-min load average.
# Choose which one is compared against the threshold (the 1-min value is used here).
loadavg=$(awk '{printf "%f", $1}' < /proc/loadavg)
# When the Linux load average reaches 10, the 5-second shield is enabled. Adjust this value to your server.
maxload=10
# Configure Cloudflare's API
# Your CloudFlare Global API Key (https://dash.cloudflare.com/profile)
api_key=
# Your CloudFlare account email
email=
# Your CloudFlare account's **Zone ID** (https://dash.cloudflare.com/_zone-id_/domain.com)
zone_id=
# The default security level of CloudFlare when there is no attack
default_security_level=high
# Whether to write debug messages to the debug.log file in the script directory
debug=0
basedir=$(dirname "$0")
attacked_file=$basedir/attacked
[ "$debug" -eq 1 ] && exec > "${logfile:-$basedir/debug.log}"
# Set the zone's security level through the Cloudflare API (zone settings endpoint,
# authenticated with the email + Global API Key headers). The listing calls this
# helper without defining it, so it is supplied here. $1 = new security level.
api_set_mode() {
    curl -s -X PATCH "https://api.cloudflare.com/client/v4/zones/$zone_id/settings/security_level" \
        -H "X-Auth-Email: $email" \
        -H "X-Auth-Key: $api_key" \
        -H "Content-Type: application/json" \
        --data "{\"value\":\"$1\"}"
}
# If the file "attacked" does not exist, create it (it records whether the shield is currently on)
if [ ! -e "$attacked_file" ]; then
    echo 0 > "$attacked_file"
fi
was_under_attack=$(cat "$attacked_file")
# 1 if the current load exceeds the threshold, 0 otherwise (requires the bc package)
under_attack=$(echo "$loadavg > $maxload" | bc)
# The script must be called with 0 (enable run) or 1 (disable run)
if [[ "$1" != [01] ]]; then
    echo "Incorrect usage! Please pass either 0 or 1 as an argument"
    exit 1
fi
if [ "$debug" -eq 1 ]; then
    echo "Mode: $1; was under attack: $was_under_attack; now under attack: $under_attack"
    echo "Load average: $loadavg"
fi
if [ "$1" -eq 0 ] && [ "$was_under_attack" -eq 0 ] && [ "$under_attack" -eq 1 ]; then
    # Attack just started and we want to enable under-attack mode
    [ "$debug" -eq 1 ] && echo "Activating under-attack mode!"
    echo 1 > "$attacked_file"
    api_set_mode under_attack
elif [ "$1" -eq 1 ] && [ "$was_under_attack" -eq 1 ] && [ "$under_attack" -eq 0 ]; then
    # Attack just finished (and up to 20 minutes have passed since, because of the cron interval),
    # so disable under-attack mode and restore the default security level
    [ "$debug" -eq 1 ] && echo "Leaving under-attack mode!"
    echo 0 > "$attacked_file"
    api_set_mode "$default_security_level"
fi
exit 0
Add a scheduled task
# Add a scheduled task
crontab -e
# Enable run: every minute, turn the 5-second shield on if the load has crossed the threshold
*/1 * * * * /root/DDoS/Cloudflare.sh 0
# Disable run: every 20 minutes, turn the 5-second shield off if it is on and the load has dropped
*/20 * * * * /root/DDoS/Cloudflare.sh 1
# Reload crontab
service crond reload
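To make the enable/disable logic and the two cron modes easier to reason about, here is an added example that is not part of Cloudflare-Block or this post. It factors the same decision into testable shell functions, replaces the bc comparison with awk (so it has no bc dependency), adds a hypothetical scaled_threshold helper that multiplies a per-core threshold by the CPU count (a load of 10 means something very different on 2 cores than on 32), and feeds constructed /proc/loadavg lines instead of reading the live file, so it runs offline. The function names and sample values are mine.

```shell
#!/bin/sh
# Added example: the Cloudflare-Block decision logic as testable functions.
# Nothing here talks to the Cloudflare API; it only decides which action a
# cron run should take. Sample inputs below are constructed, not captured.

# Print 1 if the 1-minute load average in a /proc/loadavg-format line exceeds
# the threshold, otherwise 0. $1 = loadavg line, $2 = threshold.
# awk does the numeric comparison, so bc is not required.
load_exceeds() {
    printf '%s\n' "$1" | awk -v max="$2" '{ if ($1 > max) print 1; else print 0 }'
}

# Hypothetical helper: scale a per-core threshold by the CPU count so the same
# setting fits hosts of different sizes. $1 = per-core threshold, $2 = CPU count
# (on a live host you would pass "$(nproc)").
scaled_threshold() {
    awk -v per="$1" -v n="$2" 'BEGIN { printf "%d", per * n }'
}

# Decide what one cron invocation should do.
# $1 = mode passed by cron (0 = enable run, 1 = disable run)
# $2 = state stored in the "attacked" file (0 = shield off, 1 = shield on)
# $3 = whether the load currently exceeds the threshold (0/1)
# Prints one of: activate, deactivate, noop. Returns 2 on an invalid mode.
decide_action() {
    mode=$1; was=$2; now=$3
    case "$mode" in
        0|1) ;;
        *) echo "usage"; return 2 ;;
    esac
    if [ "$mode" -eq 0 ] && [ "$was" -eq 0 ] && [ "$now" -eq 1 ]; then
        echo activate        # load crossed the threshold while the shield was off
    elif [ "$mode" -eq 1 ] && [ "$was" -eq 1 ] && [ "$now" -eq 0 ]; then
        echo deactivate      # load is back to normal while the shield was on
    else
        echo noop            # every other combination leaves the state alone
    fi
}

# Constructed /proc/loadavg lines (1-min 5-min 15-min running/total last-pid).
SAMPLE_CALM="0.42 0.55 0.60 1/213 4096"
SAMPLE_BUSY="14.73 9.10 5.02 9/240 5123"

# Walk through one attack on a 4-core host with a per-core threshold of 2.5.
main() {
    threshold=$(scaled_threshold 2.5 4)
    echo "threshold for 4 cores: $threshold"
    busy=$(load_exceeds "$SAMPLE_BUSY" "$threshold")
    calm=$(load_exceeds "$SAMPLE_CALM" "$threshold")
    echo "enable run, shield off, attack traffic:  $(decide_action 0 0 "$busy")"
    echo "enable run, shield on, attack traffic:   $(decide_action 0 1 "$busy")"
    echo "disable run, shield on, load dropped:    $(decide_action 1 1 "$calm")"
    echo "disable run, shield on, still attacked:  $(decide_action 1 1 "$busy")"
}
main
```

The noop rows are the point of the two cron schedules: the enable run fires every minute but only acts on the off-to-on transition, and the disable run fires every 20 minutes but only acts on the on-to-off transition, so the shield is never toggled twice and is never dropped while the load is still high.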
Summary
With the automatic 5-second shield in place, Under Attack mode turns itself on when an attack hits, with no need to enable it by hand, which is very convenient. A must-have for lazy people!