I'm under attack (DDoS). WHY?

Currently experiencing a DDoS attack


eriky

9:24 am on Feb 1, 2022 (gmt 0)

10+ Year Member Top Contributors Of The Month



I've been under attack for multiple weeks now. Someone decided to DDoS my website, but they are doing a lousy job. I see around 30K POST requests/day on my website. They use POST because these requests are uncached by Cloudflare. I'm still able to block them without much effort because of my expertise in this area. It hardly hits me, except for the time wondering 'why?!'. I'm not going to disclose more details because I don't want to help the attackers potentially reading here too.

In addition to this DDoS attack, I've also noticed an explosion of new backlinks from low-quality automated sites. It seems like the attacker wants to make it look like I'm using link farms. But it's not just my site on there, but many others in the same topic domain. Is this something that all sites experience once they get above a certain level of 'domain rank', or is it possibly related to the attack that started around the same time? I disavowed the toxic domains, so hopefully there's no impact there.

The questions I'd like to ask you guys:
  • What could be the motive? Are they hoping to do some kind of ransom attack? Is it another site that hates how I'm quickly climbing the Google rankings these past few weeks? (can be a coincidence)
  • Have you experienced an attack like this yourself? How long did it continue?

JesterMagic

12:19 pm on Feb 1, 2022 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



It could be a competitor or just someone who included your domain in a wider attack for who knows what reason and isn't really directly targeting you.

I have experienced attacks that have gone on for over a month along with a few negative SEO attacks.

Most/all of the attacks don't seem targeted, as they hammer away at the same attack vector, which my site successfully blocks. You would think someone who is attacking your site specifically would change up the attack at some point when it is not successful.

eriky

12:37 pm on Feb 1, 2022 (gmt 0)

10+ Year Member Top Contributors Of The Month



What did you do to counter the negative SEO attack? Disavow links/domains? I think Google is at a point where they just ignore these sites. I didn't notice any negative influence at all.

robzilla

12:50 pm on Feb 1, 2022 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



>Is this something that all sites experience once they get above a certain level of 'domain rank'

Pretty much. I don't disavow any of them, in fact I don't pay them any mind at all. The search engines will just have to deal with them.

As noted, most DDoS attacks seem to be random. It's possible your use of CloudFlare is the only thing that made you prone to this attack.

Unless they keep trying different ways to attack your site (in which case, as JesterMagic notes, it may be targeted), I would just block & forget.

Considering how most attacks are random, I'm actually a little surprised that I never have to deal with them. Possibly this is because the script kiddies like looking for easy targets, like WordPress sites (a couple hits/sec to the log-in page can be enough to bring them down), and most of my sites are custom.

JesterMagic

10:26 pm on Feb 1, 2022 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I used to get all worried about the negative SEO attacks. I would try to disavow the links, but more would keep coming every day (hundreds). In the end I just stopped, as it was such a time waster. As robzilla said, I just let the search engines deal with them. Most of the domains linking back are bad neighborhoods, so I would hope Google realizes that it is not me trying to game the system but an actual attack.

I get targeted by WordPress attacks all the time (this site is not WordPress), and all the server will do is return 404 errors for these non-existent files, yet some of those scripts keep assuming my site is a WordPress site.

I ended up creating a ban script that throws misbehaving IPs onto a temp ban list for bad behavior (hitting the site too often every X mins, too many 404 errors every X mins, etc.). I whitelist some IPs for search engines, but those can change, so I just have to be careful not to automatically block the good bots but the bad. I also incorporated the bad IP list from the Stop Forum Spam website (the full list gets downloaded weekly). For these IPs I just automatically block them from the site.
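The temp-ban logic JesterMagic describes (too many hits or too many 404s per window, a whitelist for crawlers, and a static deny list such as a downloaded Stop Forum Spam export) can be sketched as a small log scorer. This is an added example, not JesterMagic's script; the log lines, thresholds, IP addresses and the `WHITELIST`/`STATIC_DENYLIST` sets are constructed for illustration.

```python
"""Temporary-ban scoring over access-log lines.

Added example, not JesterMagic's script. Assumptions (not from the thread):
common-log-format lines, a sliding window of WINDOW_SECONDS, and a static
deny list standing in for a weekly downloaded Stop Forum Spam export."""
import re
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 60    # the "every X mins" window
MAX_HITS = 20          # requests per window that trigger a temp ban
MAX_404 = 5            # 404 responses per window that trigger a temp ban
BAN_SECONDS = 600      # how long a temp ban lasts

# Constructed sample data; addresses come from the RFC 5737 documentation ranges.
WHITELIST = {"198.51.100.7"}       # e.g. a verified search-engine crawler
STATIC_DENYLIST = {"192.0.2.9"}    # stands in for the downloaded bad-IP list
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Feb/2022:09:24:00 +0000] "GET /wp-login.php HTTP/1.1" 404 169 "-" "-"',
    '203.0.113.5 - - [01/Feb/2022:09:24:10 +0000] "GET /xmlrpc.php HTTP/1.1" 404 169 "-" "-"',
    '203.0.113.5 - - [01/Feb/2022:09:24:20 +0000] "GET /wp-admin/ HTTP/1.1" 404 169 "-" "-"',
    '203.0.113.5 - - [01/Feb/2022:09:24:30 +0000] "GET /wp-content/ HTTP/1.1" 404 169 "-" "-"',
    '203.0.113.5 - - [01/Feb/2022:09:24:40 +0000] "GET /wp-includes/ HTTP/1.1" 404 169 "-" "-"',
    '203.0.113.5 - - [01/Feb/2022:09:25:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "-"',
    '198.51.100.7 - - [01/Feb/2022:09:25:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "-"',
    '192.0.2.9 - - [01/Feb/2022:09:25:09 +0000] "POST /index.html HTTP/1.1" 200 2048 "-" "-"',
    "this line is not in common log format and is skipped",
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')


def parse_line(line):
    """Return (ip, unix_time, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when.timestamp(), method, path, int(status)


class TempBanList:
    def __init__(self, whitelist=WHITELIST, static_denylist=STATIC_DENYLIST):
        self.whitelist = set(whitelist)
        self.static_denylist = set(static_denylist)
        self.hits = defaultdict(deque)     # ip -> timestamps of recent requests
        self.misses = defaultdict(deque)   # ip -> timestamps of recent 404s
        self.bans = {}                     # ip -> unix time the temp ban expires

    @staticmethod
    def _trim(dq, now):
        # Drop timestamps that have fallen out of the sliding window.
        while dq and dq[0] < now - WINDOW_SECONDS:
            dq.popleft()

    def decide(self, ip, now, status):
        """Classify one request: allow / deny (static list) / ban (new) / banned."""
        if ip in self.whitelist:
            return "allow"          # good bots are never auto-blocked
        if ip in self.static_denylist:
            return "deny"           # known-bad list: block outright
        expiry = self.bans.get(ip)
        if expiry is not None:
            if now < expiry:
                return "banned"
            del self.bans[ip]       # ban expired, start counting again
        hits = self.hits[ip]
        hits.append(now)
        self._trim(hits, now)
        misses = self.misses[ip]
        if status == 404:
            misses.append(now)
        self._trim(misses, now)
        if len(hits) >= MAX_HITS or len(misses) >= MAX_404:
            self.bans[ip] = now + BAN_SECONDS
            hits.clear()
            misses.clear()
            return "ban"
        return "allow"


def process(lines, whitelist=WHITELIST, static_denylist=STATIC_DENYLIST):
    """Run the scorer over log lines; returns [(ip, path, decision), ...]."""
    bans = TempBanList(whitelist, static_denylist)
    out = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, now, _method, path, status = parsed
        out.append((ip, path, bans.decide(ip, now, status)))
    return out


if __name__ == "__main__":
    for ip, path, decision in process(SAMPLE_LOG):
        print(f"{decision:7} {ip:14} {path}")
```

In the sample, the fifth 404 within a minute from 203.0.113.5 trips the ban, its next request is refused as already banned, the whitelisted crawler passes, and the statically listed address is denied without counting. A real deployment would feed the decision to a firewall or web-server deny rule rather than returning a string.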

engine

9:27 am on Feb 2, 2022 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Automation means they'll just keep at it until they review the results.
One reason for the attack could be to test vulnerability with the objective of making the server/site a zombie site serving more DDoS attacks and malware. There's every reason to go for sites that have a high profile.

Dimitri

10:51 am on Feb 2, 2022 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



>Someone decided to DDoS my website /.../ I see around 30K POST requests/day on my website.

30K POST requests/day, I wouldn't call it a DDoS...

By the way, what's the content of the headers of these requests? Are they empty? Do they carry "field" values, as if to simulate a real posting at your site?

The Internet is bigger than the world, so there will always be someone, somewhere, who hates you and could try to hurt you or your business... The opposite is true too: the world is big enough that there will always be someone to love you, somewhere....

robzilla

1:38 pm on Feb 2, 2022 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



>30K POST requests/day, I wouldn't call it a DDoS...

It could have that effect, though, depending of course on the endpoint and the server. On overcrowded servers, a single POST to a WordPress endpoint could take several seconds to complete, and then 30K/day could be problematic.

But it's true that DDoS attacks are usually a little heavier than that. This could also be a brute-force attack, so it's a good idea to check the endpoint and POST data.

eriky

5:41 pm on Feb 2, 2022 (gmt 0)

10+ Year Member Top Contributors Of The Month



I would say it is a DDoS attack. It is distributed (100s of IPs at least), and it's trying to do a denial of service attack by requesting a heavy page that requires a lot of DB calls. 30K should be enough to bring down a regular WordPress site on a small VPS without caching and such. But yeah, it's easy to filter. I can't see the headers because Cloudflare is blocking the requests. I'm guessing they are empty POSTs just for the cache busting.

NickMNS

6:03 pm on Feb 2, 2022 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Your POST requests should be protected to prevent requests that aren't originating from your domain. The simplest way is by setting a cookie on the GET request for the page from which the request is initiated. Then, when your server receives a POST request, check for the cookie before proceeding; return a 403 or other appropriate status code if the cookie isn't there. You can then rate limit the submission of the form that initiates the POST to prevent it from being submitted too frequently. Rate limiting can be achieved by your own script, or Cloudflare offers a service, or you can implement a Captcha; use whichever method fits your needs.

eriky

7:34 pm on Feb 2, 2022 (gmt 0)

10+ Year Member Top Contributors Of The Month



Hi Nick, I know the concept of CSRF tokens, which you basically describe. But these POST requests are made on URLs that don't even expect/require POST data. It's only done to 'bust' the cache, because caching systems like Cloudflare cannot cache POST requests. That's also why it's so easy to counter this attack. I can just block all POST requests to the URL in question. I would be more worried if the attack got more sophisticated (e.g. many different pages), but I preemptively created rules for that too this weekend. All in all, my security is now in much better shape, so I should thank these attackers perhaps.

brotherhood of LAN

8:58 pm on Feb 2, 2022 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



>these post requests are made on URLs that don't even expect/require post data

You should return 405 Method Not Allowed.

Any modern web server would be able to serve a huge number of requests per day with that response.
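The two defences discussed in this thread, NickMNS's cookie check plus rate limit on real form endpoints and brotherhood of LAN's 405 for POSTs to pages that never take a body, fit together in one request handler. The following is an added example and is not code from any poster or from WordPress or Cloudflare; the route table, the `form_session` cookie name, the limits and the in-memory token store are all assumptions made for illustration (a production app would store tokens in a signed session with an expiry).

```python
"""Minimal, framework-free request handler (added example, not from the thread).

Behaviour shown:
  * POST to a GET-only page  -> 405 with an Allow header (cheap to serve)
  * POST to a form endpoint without the cookie set on the preceding GET -> 403
  * more than SUBMIT_MAX form POSTs per SUBMIT_WINDOW seconds per IP -> 429
Assumptions: the route table, cookie name and limits below are made up."""
import secrets
import time
from collections import defaultdict, deque

# Hypothetical route table: which methods each path actually accepts.
ROUTES = {
    "/": {"GET"},
    "/article/heavy-page": {"GET"},     # the kind of page an attacker POSTs to
    "/contact": {"GET", "POST"},        # a real form endpoint
}
COOKIE_NAME = "form_session"
SUBMIT_WINDOW = 60     # seconds
SUBMIT_MAX = 3         # form submissions per window per client IP


def parse_cookie(header):
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    out = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            out[name] = value
    return out


class App:
    def __init__(self):
        self.issued = set()                 # tokens handed out on GET (in-memory for the demo)
        self.submits = defaultdict(deque)   # client ip -> timestamps of accepted POSTs

    def handle(self, method, path, headers, client_ip, now=None):
        """Return (status, response_headers, body) for one request."""
        now = time.time() if now is None else now
        allowed = ROUTES.get(path)
        if allowed is None:
            return 404, {}, b"not found"
        if method not in allowed:
            # Page never takes a body: refuse before any database work happens.
            return 405, {"Allow": ", ".join(sorted(allowed))}, b""
        if method == "GET":
            resp_headers = {}
            if "POST" in allowed:
                # Issue the cookie that a later POST must present.
                token = secrets.token_urlsafe(16)
                self.issued.add(token)
                resp_headers["Set-Cookie"] = f"{COOKIE_NAME}={token}; HttpOnly; SameSite=Strict"
            return 200, resp_headers, b"ok"
        # POST on a form endpoint: require the cookie from a prior GET.
        token = parse_cookie(headers.get("Cookie", "")).get(COOKIE_NAME)
        if token is None or token not in self.issued:
            return 403, {}, b"missing form session"
        # Per-IP sliding-window rate limit on accepted submissions.
        recent = self.submits[client_ip]
        while recent and recent[0] <= now - SUBMIT_WINDOW:
            recent.popleft()
        if len(recent) >= SUBMIT_MAX:
            return 429, {"Retry-After": str(SUBMIT_WINDOW)}, b"slow down"
        recent.append(now)
        return 200, {}, b"submitted"


if __name__ == "__main__":
    app = App()
    print(app.handle("POST", "/article/heavy-page", {}, "203.0.113.5"))   # 405
    print(app.handle("POST", "/contact", {}, "203.0.113.5"))              # 403
    status, hdrs, _ = app.handle("GET", "/contact", {}, "203.0.113.5")
    cookie = {"Cookie": hdrs["Set-Cookie"].split(";")[0]}
    for _ in range(4):
        print(app.handle("POST", "/contact", cookie, "203.0.113.5"))      # 200 x3, then 429
```

The 405 branch is the cheap path: no cookie parsing, no rate-limit bookkeeping and no database call, which is why a plain web server can absorb very large volumes of such requests. The cookie check is deliberately separate from the rate limit so that a request with no session is rejected before it consumes any of the client's submission budget.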

eriky

9:45 pm on Feb 2, 2022 (gmt 0)

10+ Year Member Top Contributors Of The Month



Yeah, it would be nice if WordPress would not accept these requests by default. I would never accept random POST requests in my custom-built sites.

Brett_Tabke

1:31 pm on Jun 6, 2022 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



>I would say it is a DDoS attack.

What was the construction of the POST requests? (The reason I ask is that this could be a known vulnerability probe on WordPress and not a DDoS.)

eriky

3:35 pm on Jun 6, 2022 (gmt 0)

10+ Year Member Top Contributors Of The Month



Perhaps. The attack is going on to this day. I don't know the exact content of the POSTs because Cloudflare blocks them, and I'd like to keep it that way. The attack is still coming from one single Russian ASN, so it's super easy to block.

martinibuster

4:01 pm on Jun 6, 2022 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



I don't agree with the characterization of these attacks as being by "script kiddies" because hacking attacks today are in the domain of organized crime. The fact that it's coming from a Russian ASN is more evidence of that fact.

As for the links, those have probably always been happening, that happens to all successful sites. Probably because spammers have an inept knowledge of SEO and they think that linking to legit sites will help their pages rank, something dumb like that.

I had a similar hack attack that lasted for over a year, even though they were easily blocked. Then one day it stopped.