I'm hosting a basic one-page portfolio website on GitHub Pages with a custom domain, and I'm using Cloudflare for additional support. Recently, I've been overwhelmed with traffic: the site had 30k requests last month and just this week alone, it received 14k requests. After activating 'Under Attack' mode, it seemed to help at first, but then today alone, it hit nearly 10k requests in just one hour. I'm really frustrated and confused about where all this traffic is coming from and how to effectively prevent it. Any advice would be greatly appreciated!
4 Answers
Do you happen to use any frontend frameworks like React or Next.js? There were some vulnerabilities mentioned that you might want to patch up. Just checking in case that's a factor!
I'm using Svelte with a static adapter, so I'm not worried about those exploits.
Have you checked your Cloudflare logs? The Security section has analytics that could offer insights. You might want to leverage Cloudflare's Web Application Firewall to block suspicious traffic by specific ASN numbers or even entire countries if necessary. Targeting individual IPs isn't usually effective, but broader rules can help.
It looks like hundreds of requests are getting blocked daily. My site's getting traffic from all over the world, and it’s hard to pinpoint exactly what to block.
It sounds like you might be dealing with bots that use SSL certificate transparency logs to find new domains. They often target sites like yours for training their own botnets. One way they check their IPs is by sending a bunch of requests to see which ones get blocked. Essentially, your site acts as a testing ground for them.
Since your website is just a single page, I suggest bypassing 'Under Attack' mode for long-term traffic management. Instead, enable Bot Fight Mode, which allows Cloudflare to deal with annoying bots automatically. It's designed for situations like yours, where straightforward bots are causing trouble.
I've already blocked bots, even Google, since I don't want my site to show up in search results.
GitHub Pages only supports static sites, so those server-side issues wouldn't really apply here for me.