Configures Cloudflare DDoS protection using managed rulesets, rate limiting, WAF rules, Bot management, and origin hardening to mitigate L3/4 volumetric/protocol and L7 attacks.
Cloudflare 通过其遍布全球 300 多个数据中心、477+ Tbps 容量的网络提供多层 DDoS(分布式拒绝服务)防护。该平台防护 L3/4 容量型攻击(SYN 洪水、UDP 放大、DNS 反射)、协议攻击(Ping of Death、Smurf)和 L7 应用层攻击(HTTP 洪水、Slowloris、缓存破坏)。Cloudflare 的自主检测系统使用流量分析、机器学习和自适应规则集,在约 3 秒内识别并缓解攻击。本技能涵盖配置 Cloudflare DDoS 防护栈,包括托管规则集、WAF 规则、速率限制、Bot 管理和源站服务器加固。
Configures Cloudflare DDoS protection with managed rulesets, rate limiting, WAF rules, Bot Management, and origin protection to mitigate volumetric, protocol, and application-layer attacks.
Configures Cloudflare DDoS protection with managed rulesets, rate limiting, WAF rules, Bot Management, and origin shielding against volumetric, protocol, and L7 attacks.
Deploys and tunes WAF rules on AWS WAF, Azure WAF, and Cloudflare to protect cloud apps from OWASP Top 10 attacks. Includes managed rule sets, custom rules, rate limiting, bot management, and log analysis to reduce false positives.
Cloudflare 通过其遍布全球 300 多个数据中心、477+ Tbps 容量的网络提供多层 DDoS(分布式拒绝服务)防护。该平台防护 L3/4 容量型攻击(SYN 洪水、UDP 放大、DNS 反射)、协议攻击(Ping of Death、Smurf)和 L7 应用层攻击(HTTP 洪水、Slowloris、缓存破坏)。Cloudflare 的自主检测系统使用流量分析、机器学习和自适应规则集,在约 3 秒内识别并缓解攻击。本技能涵盖配置 Cloudflare DDoS 防护栈,包括托管规则集、WAF 规则、速率限制、Bot 管理和源站服务器加固。
| 层 | 攻击类型 | 示例 | Cloudflare 防护 |
|---|---|---|---|
| L3/4 | 容量型 | SYN 洪水、UDP 洪水、DNS 放大 | 网络层 DDoS 托管规则 |
| L3/4 | 协议型 | Ping of Death、Smurf、IP 分片 | 高级 TCP 防护 |
| L7 | 应用层 | HTTP 洪水、Slowloris、缓存破坏 | HTTP DDoS 托管规则、WAF、速率限制 |
| DNS | DNS 专项 | DNS 查询洪水、NXDOMAIN 攻击 | 高级 DNS 防护 |
互联网流量
│
▼
┌─────────────────────────┐
│ Cloudflare 边缘节点(PoP)│
│ ┌───────────────────┐ │
│ │ L3/4 DDoS 托管规则 │ │ ← 容量型/协议型缓解
│ └───────────────────┘ │
│ ┌───────────────────┐ │
│ │ IP 访问规则 │ │ ← 国家/ASN/IP 封锁
│ └───────────────────┘ │
│ ┌───────────────────┐ │
│ │ Bot 管理 │ │ ← Bot 评分、JS 验证
│ └───────────────────┘ │
│ ┌───────────────────┐ │
│ │ WAF 托管规则 │ │ ← OWASP、Cloudflare、自定义
│ └───────────────────┘ │
│ ┌───────────────────┐ │
│ │ 速率限制 │ │ ← 请求速率执行
│ └───────────────────┘ │
│ ┌───────────────────┐ │
│ │ HTTP DDoS 托管规则 │ │ ← L7 洪水检测
│ └───────────────────┘ │
└─────────────────────────┘
│
▼
源站服务器
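# Fail fast when the credential is missing: the original sent "Bearer " with
# an empty token and surfaced the problem only as an opaque 4xx from the API.
: "${CF_API_TOKEN:?set CF_API_TOKEN to a scoped Cloudflare API token}"

# Add the zone through the API. "full" means Cloudflare becomes the
# authoritative DNS for the zone; the plan id must be one the account is
# entitled to or the call is rejected.
curl -sS -X POST "https://api.cloudflare.com/client/v4/zones" \
  -H "Authorization: Bearer $CF_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{
    "name": "example.com",
    "type": "full",
    "plan": {"id": "enterprise"}
  }'

# Create the DNS record (proxied, so traffic passes the Cloudflare edge).
# "proxied": true is what enables DDoS/WAF protection for this hostname; an
# unproxied record publishes the origin IP and bypasses every edge layer.
# "ttl": 1 selects Cloudflare's automatic TTL for proxied records.
: "${ZONE_ID:?set ZONE_ID to the id returned by the zones call above}"
curl -sS -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records" \
  -H "Authorization: Bearer $CF_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{
    "type": "A",
    "name": "example.com",
    "content": "203.0.113.50",
    "proxied": true,
    "ttl": 1
  }'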
HTTP DDoS 攻击防护覆盖:
# HTTP (L7) DDoS managed-ruleset overrides for one zone.
auth_header="Authorization: Bearer $CF_API_TOKEN"
l7_entrypoint="https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/phases/ddos_l7/entrypoint"

# List the current HTTP DDoS entrypoint ruleset (shows the managed ruleset id
# and the rule ids that can be overridden below).
curl --request GET "$l7_entrypoint" \
  --header "$auth_header"

# Override sensitivity and action. PUT replaces the entire entrypoint ruleset,
# so any rule not listed here is dropped. The outer "sensitivity_level": "high"
# applies to the whole managed ruleset; the inner override pins one rule to
# medium sensitivity with a hard block. The ids come from the listing call.
curl --request PUT "$l7_entrypoint" \
  --header "$auth_header" \
  --header "Content-Type: application/json" \
  --data '{
    "rules": [{
      "action": "execute",
      "action_parameters": {
        "id": "4d21379b4f9f4bb088e0729962c8b3cf",
        "overrides": {
          "rules": [{
            "id": "fdfdac75430c4c47a422bdc024aab531",
            "sensitivity_level": "medium",
            "action": "block"
          }],
          "sensitivity_level": "high"
        }
      },
      "expression": "true"
    }]
  }'
网络层 DDoS 防护覆盖:
# Network-layer (L3/4) DDoS managed-ruleset override. This phase lives at
# account scope (note $ACCOUNT_ID, not $ZONE_ID).
# NOTE(review): L3/4 override configuration is generally only exposed to
# accounts with Magic Transit / Spectrum — confirm before relying on it.
auth_header="Authorization: Bearer $CF_API_TOKEN"
l4_entrypoint="https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/rulesets/phases/ddos_l4/entrypoint"

# PUT replaces the whole entrypoint ruleset; the single rule here raises the
# managed ruleset's sensitivity to "high" for all traffic ("expression": "true").
curl --request PUT "$l4_entrypoint" \
  --header "$auth_header" \
  --header "Content-Type: application/json" \
  --data '{
    "rules": [{
      "action": "execute",
      "action_parameters": {
        "id": "3b64149bfa6e4220bbbc2bd6db7c867e",
        "overrides": {
          "sensitivity_level": "high"
        }
      },
      "expression": "true"
    }]
  }'
# 为登录端点创建速率限制规则
curl -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/phases/http_ratelimit/entrypoint" \
-H "Authorization: Bearer $CF_API_TOKEN" \
-H "Content-Type: application/json" \
--data '{
"rules": [
{
"description": "Rate limit login attempts",
"expression": "(http.request.uri.path eq \"/api/login\")",
"action": "block",
"ratelimit": {
"characteristics": ["cf.colo.id", "ip.src"],
"period": 60,
"requests_per_period": 10,
"mitigation_timeout": 600
}
},
{
"description": "Rate limit API endpoints",
"expression": "(http.request.uri.path matches \"^/api/\")",
"action": "managed_challenge",
"ratelimit": {
"characteristics": ["cf.colo.id", "ip.src"],
"period": 60,
"requests_per_period": 100,
"mitigation_timeout": 300
}
},
{
"description": "Global rate limit per IP",
"expression": "true",
"action": "managed_challenge",
"ratelimit": {
"characteristics": ["ip.src"],
"period": 10,
"requests_per_period": 50,
"mitigation_timeout": 60
}
}
]
}'
# 阻止已知攻击模式
curl -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/phases/http_request_firewall_custom/entrypoint" \
-H "Authorization: Bearer $CF_API_TOKEN" \
-H "Content-Type: application/json" \
--data '{
"rules": [
{
"description": "Block requests from known bad ASNs",
"expression": "(ip.geoip.asnum in {12345 67890})",
"action": "block"
},
{
"description": "Challenge requests without User-Agent",
"expression": "(not http.user_agent ne \"\")",
"action": "managed_challenge"
},
{
"description": "Block high-risk countries for admin paths",
"expression": "(http.request.uri.path contains \"/admin\" and not ip.geoip.country in {\"US\" \"CA\" \"GB\"})",
"action": "block"
},
{
"description": "Block oversized request bodies",
"expression": "(http.request.body.size gt 10000000)",
"action": "block"
}
]
}'
确保源站服务器只接受来自 Cloudflare 的流量:
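# Requires bash and root. Abort on any failed step so the host is never left
# with ACCEPT rules but no trailing DROP (or the reverse).
set -euo pipefail

# Cloudflare IP ranges (JSON listing of both IPv4 and IPv6 prefixes).
curl -fsS https://api.cloudflare.com/client/v4/ips

# Origin firewall: accept HTTP/HTTPS only from Cloudflare.
# -f makes curl fail on an HTTP error. The original iterated over
# `$(curl -s …)`, so a failed download yielded an empty list and the DROP
# rules below then cut off all 80/443 traffic — including Cloudflare's.
cf_v4=$(curl -fsS https://www.cloudflare.com/ips-v4)
cf_v6=$(curl -fsS https://www.cloudflare.com/ips-v6)
if [ -z "$cf_v4" ] || [ -z "$cf_v6" ]; then
  echo "empty Cloudflare IP list; refusing to install firewall rules" >&2
  exit 1
fi

# Rules are appended (-A): they only take effect if no earlier rule in the
# INPUT chain already accepts 80/443, and re-running the script duplicates
# them. Flush a dedicated chain first (or use ipset) for idempotent updates,
# and refresh periodically — Cloudflare's published ranges change over time.
for ip in $cf_v4; do
  iptables -A INPUT -p tcp -m multiport --dports 80,443 -s "$ip" -j ACCEPT
done
# Drop all other IPv4 HTTP/HTTPS traffic.
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP

# Same policy for IPv6. The original covered IPv4 only, which leaves an
# origin with an AAAA record reachable directly over v6.
for ip in $cf_v6; do
  ip6tables -A INPUT -p tcp -m multiport --dports 80,443 -s "$ip" -j ACCEPT
done
ip6tables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP

# Authenticated Origin Pulls (mutual TLS): the edge presents a client
# certificate signed by this CA, so the origin can reject connections that
# did not come through Cloudflare even if the IP filter is bypassed.
# NOTE(review): this is Cloudflare's shared CA — it proves "came via
# Cloudflare", not "came via *your* zone"; a per-zone certificate is needed
# for the latter. The feature must also be enabled on the zone
# (SSL/TLS → Origin Server) before the edge sends the certificate.
curl -fsS -o /etc/ssl/cloudflare-origin-pull.pem \
  https://developers.cloudflare.com/ssl/static/authenticated_origin_pull_ca.pem

# Nginx server-block configuration for Authenticated Origin Pulls:
#   ssl_client_certificate /etc/ssl/cloudflare-origin-pull.pem;
#   ssl_verify_client on;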
#!/usr/bin/env python3
"""根据流量异常自动启用 Cloudflare 攻击模式。"""
import os
import sys
import time

import requests
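# Credentials and zone id come from the environment so they never sit in
# source control (the original hard-coded both). The string defaults are the
# original placeholders; they only ever produce an authentication error.
# Variable names match the shell snippets in this document ($CF_API_TOKEN,
# $ZONE_ID).
CF_API_TOKEN = os.environ.get("CF_API_TOKEN", "your-api-token")
ZONE_ID = os.environ.get("ZONE_ID", "your-zone-id")
HEADERS = {
    "Authorization": f"Bearer {CF_API_TOKEN}",
    "Content-Type": "application/json",
}
BASE_URL = f"https://api.cloudflare.com/client/v4/zones/{ZONE_ID}"
NORMAL_RPS_THRESHOLD = 5000  # requests per second above which attack mode is enabled
CHECK_INTERVAL = 30  # seconds between analytics polls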
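def get_current_security_level() -> str:
    """Return the zone's current ``security_level`` setting.

    Returns:
        The level string reported by the API (the values this script deals
        with are off/essentially_off/low/medium/high/under_attack).

    Raises:
        requests.HTTPError: if the API answers with a non-2xx status.
        KeyError: if the response body has no ``result.value``.
    """
    resp = requests.get(
        f"{BASE_URL}/settings/security_level",
        headers=HEADERS,
        timeout=15,  # the original had no timeout and could hang the monitor loop forever
    )
    resp.raise_for_status()
    return resp.json()["result"]["value"]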
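def set_security_level(level: str) -> bool:
    """Set the zone ``security_level`` and report whether the API accepted it.

    Args:
        level: One of off/essentially_off/low/medium/high/under_attack.

    Returns:
        ``True`` when the API reports ``success``; ``False`` otherwise. API
        errors are printed rather than raised so the monitor loop keeps
        running.
    """
    resp = requests.patch(
        f"{BASE_URL}/settings/security_level",
        headers=HEADERS,
        json={"value": level},
        timeout=15,  # never block the monitor loop indefinitely
    )
    try:
        result = resp.json()
    except ValueError:
        # Non-JSON body (e.g. a gateway error page) — report as a failure
        # instead of crashing the caller with a decode error.
        print(f"[-] 设置安全级别失败:HTTP {resp.status_code}")
        return False
    # Missing "success" (unexpected payload shape) counts as failure.
    ok = bool(result.get("success"))
    if ok:
        print(f"[+] 安全级别已设置为:{level}")
    else:
        print(f"[-] 设置安全级别失败:{result.get('errors')}")
    return ok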
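def get_traffic_analytics() -> dict:
    """Fetch the newest one-minute traffic totals for the zone.

    Queries the Cloudflare GraphQL Analytics API for the most recent
    ``httpRequests1mGroups`` bucket (request and threat counts). The zone
    tag is passed as a GraphQL variable instead of being spliced into the
    query text with ``%``, so ``ZONE_ID`` needs no quoting or escaping.

    Returns:
        The decoded JSON response. GraphQL-level problems arrive under an
        ``errors`` key, and ``data`` may then be ``null`` — callers must
        tolerate that shape.

    Raises:
        requests.HTTPError: on a non-2xx HTTP status.
    """
    # NOTE(review): Cloudflare analytics datasets generally require a
    # bounded datetime filter; if the API rejects this unfiltered query,
    # add datetime_geq/datetime_leq variables to the zones filter.
    query = """
    query ZoneRecentTraffic($zoneTag: string) {
      viewer {
        zones(filter: {zoneTag: $zoneTag}) {
          httpRequests1mGroups(limit: 1, orderBy: [datetime_DESC]) {
            sum {
              requests
              threats
            }
            dimensions {
              datetime
            }
          }
        }
      }
    }
    """
    resp = requests.post(
        "https://api.cloudflare.com/client/v4/graphql",
        headers=HEADERS,
        json={"query": query, "variables": {"zoneTag": ZONE_ID}},
        timeout=15,  # never block the monitor loop indefinitely
    )
    resp.raise_for_status()
    return resp.json()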
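def _latest_minute_stats(analytics: dict) -> tuple[float, int] | None:
    """Extract (requests per second, threat count) from a GraphQL response.

    Returns ``None`` when the payload carries no ``httpRequests1mGroups``
    entry — an error response (where ``data`` is ``null``) or a zone with
    no traffic yet.
    """
    # GraphQL errors set "data" to null, which the original's
    # .get("data", {}) passed through and then crashed on.
    viewer = (analytics.get("data") or {}).get("viewer") or {}
    zones = viewer.get("zones") or []
    if not zones or not zones[0].get("httpRequests1mGroups"):
        return None
    totals = zones[0]["httpRequests1mGroups"][0]["sum"]
    # Each group spans one minute, so requests / 60 approximates RPS.
    # NOTE(review): the newest group may be a partial minute, which biases
    # the estimate low — check the datetime dimension if that matters.
    return totals["requests"] / 60, totals["threats"]


def monitor_and_respond() -> None:
    """Poll zone traffic and toggle "under attack" mode automatically.

    Raises the zone to ``under_attack`` when observed RPS exceeds
    ``NORMAL_RPS_THRESHOLD`` and restores the level that was active at
    startup after five consecutive checks back under the threshold. Runs
    until interrupted; errors in one iteration are printed and the loop
    continues.
    """
    recovery_checks = 5  # consecutive normal polls needed before standing down

    baseline_level = get_current_security_level()
    print(f"[*] 当前安全级别:{baseline_level}")
    print(f"[*] 监控流量(阈值:{NORMAL_RPS_THRESHOLD} RPS)...")

    # Level to return to after an attack. The original captured the
    # current level but then always restored "high"; if the zone was
    # already under_attack at startup, "high" is still the sane fallback.
    restore_level = "high" if baseline_level == "under_attack" else baseline_level

    attack_mode_active = False
    consecutive_normal = 0
    while True:
        try:
            stats = _latest_minute_stats(get_traffic_analytics())
            if stats is not None:
                rps, threats = stats
                print(f"[*] 当前 RPS:{rps:.0f},威胁数:{threats}")
                if rps > NORMAL_RPS_THRESHOLD:
                    # Any spike resets the recovery count, including one
                    # that lands mid-recovery (the original never reset it
                    # while attack mode was already active).
                    consecutive_normal = 0
                    if not attack_mode_active:
                        print(f"[!] 检测到流量峰值:{rps:.0f} RPS")
                        # Only mark attack mode active if the API accepted
                        # the change; otherwise retry on the next poll.
                        attack_mode_active = set_security_level("under_attack")
                elif attack_mode_active:
                    consecutive_normal += 1
                    if consecutive_normal >= recovery_checks:
                        print("[+] 流量已恢复正常,禁用攻击模式")
                        if set_security_level(restore_level):
                            attack_mode_active = False
                            consecutive_normal = 0
        except Exception as e:  # broad on purpose: the monitor must outlive transient API failures
            print(f"[-] 错误:{e}")
        time.sleep(CHECK_INTERVAL)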
def main() -> None:
    """Script entry point: run the monitor loop until the process is interrupted."""
    monitor_and_respond()


if __name__ == "__main__":
    main()
# 为 DDoS 攻击创建通知策略
curl -X POST "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/alerting/v3/policies" \
-H "Authorization: Bearer $CF_API_TOKEN" \
-H "Content-Type: application/json" \
--data '{
"name": "DDoS Attack Alert",
"alert_type": "dos_attack_l7",
"enabled": true,
"mechanisms": {
"email": [{"id": "soc@example.com"}],
"webhooks": [{"id": "webhook-id"}]
},
"filters": {
"zones": ["'$ZONE_ID'"]
}
}'