Almost 9 billion requests, that's over 100k rps... The attack is not stopping, however the server seems stable thanks to DDoS protection. We've set up DDoS guard now, we were previously using Cloudflare.
Discussion
Do not use Cloudflare. Cloudflare is a Trojan horse to control the entire internet. Realistically, the World Elite have accomplished their goal of controlling the whole internet.
The attack is still ongoing, peaking at >15 billion requests in 4 days, but intensity has dropped. Thanks to server optimizations, cache improvements, and anti-DDoS measures (without Cloudflare), the site is now usable, though downtime may still occur.
The DDoS attack is now targeting our Tor site. The hidden service is currently offline as we work to mitigate the attack and see if we can keep it up. Please use the clearnet site in the meantime.
The only official onion address is in our footer (kycnotmezdifta...). Stay safe.
I think you guys need to do this:
1. Create Page Rules in your Cloudflare dashboard:
   - Go to Rules > Page Rules
   - Add a rule for your API endpoints:
     - URL pattern: yourdomain.com/api/*
     - Set "Security Level" to "Essentially Off"
     - Toggle "Browser Integrity Check" to Off
   - Add another rule for protected pages:
     - URL pattern: yourdomain.com/page/*
     - Set "Security Level" to "High" or "I'm Under Attack"
     - Enable "Browser Integrity Check"
2. Configure Firewall Rules (optional for more control):
   - Go to Security > WAF
   - Create a rule that bypasses security for API endpoints
     - Rule name: "Allow API Access"
     - Expression: (http.request.uri.path contains "/api/")
     - Action: "Bypass"
3. Set default protection level:
   - Go to Overview > Security
   - Set your default Security Level to Medium or High
   - Adjust Bot Fight Mode settings in Security > Bots if needed
This configuration will allow direct access to your API endpoints while forcing browser verification
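A rule-scope check for the configuration suggested above, as an added example that is not part of the original post and not Cloudflare's own matching engine: it models the quoted `contains "/api/"` expression as a plain substring test and the `yourdomain.com/page/*` pattern as a glob, then lists constructed sample paths that fall under both. The prefix-match alternative and all function names are assumptions for illustration; how Cloudflare resolves an overlap between the two rules is not modelled here.

```python
from fnmatch import fnmatchcase

BYPASS_SUBSTRING = "/api/"   # from the post: path contains "/api/"
API_PREFIX = "/api/"         # assumed tighter alternative: path starts with "/api/"
PROTECTED_GLOB = "/page/*"   # from the post: yourdomain.com/page/*


def bypass_contains(path):
    """Substring match, as in the expression quoted in the post."""
    return BYPASS_SUBSTRING in path


def bypass_prefix(path):
    """Prefix match: only paths that actually begin with the API root."""
    return path.startswith(API_PREFIX)


def audit(paths):
    """Return protected-page paths that also satisfy the bypass expression."""
    findings = []
    for raw in paths:
        path = raw.split("?", 1)[0]  # the expression tests the path, not the query
        if fnmatchcase(path, PROTECTED_GLOB) and bypass_contains(path):
            findings.append({
                "path": path,
                "matches_contains_rule": True,
                "matches_prefix_rule": bypass_prefix(path),
            })
    return findings


# Constructed sample paths, not taken from any real site.
SAMPLE_PATHS = [
    "/api/v1/services",
    "/page/about",
    "/page/docs/api/reference",
    "/page/api/?ref=home",
    "/static/app.js",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_PATHS):
        print(finding)
```

Any path reported here is one the post intends to keep behind browser verification but which the substring rule would also select; scoping the bypass to a prefix removes the overlap while still covering `/api/v1/services`.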
