DDoS Mitigation Added due to Attack 2025-07-15
- Matt K
- Verified
- Posts: 4503
- Joined: Tue Mar 20, 2018 10:34 pm
- Contact:
DDoS Mitigation Added due to Attack 2025-07-15
I thought I'd mention this in a separate thread so I can track this issue specifically. As I mentioned elsewhere, we experienced a major DDoS attack after I finished the upgrades and have been forced to implement some severe CloudFlare limitations. I understand these may be annoying to deal with. Please post any issues you have with CloudFlare here. You may see a Cloudflare pop-up on EVERY PAGE LOAD, which I do not want to do more than the next day or so.
However, if people are not noticing significant problems or better that it solves them, I would be interested in hearing that too here. Thanks!
-
- Posts: 126
- Joined: Sun Oct 10, 2021 4:08 am
- Location: London, UK
- Contact:
Re: DDoS Mitigation Added due to Attack 2025-07-15
I just had the one cloud flare “verify you are a human” on mobile. Subsequent page loads have all been fine.
- BGuttman
- Posts: 7082
- Joined: Thu Mar 22, 2018 7:19 am
- Location: Cow Hampshire
Re: DDoS Mitigation Added due to Attack 2025-07-15
mgladdish wrote: Tue Jul 15, 2025 1:51 pm I just had the one cloud flare “verify you are a human” on mobile. Subsequent page loads have all been fine.
Same for me, but I'm on a laptop.
Bruce Guttman
Merrimack Valley Philharmonic Orchestra
"Almost Professional"
- hyperbolica
- Posts: 3583
- Joined: Fri Mar 23, 2018 7:31 am
Re: DDoS Mitigation Added due to Attack 2025-07-15
much better here
- Matt K
- Verified
- Posts: 4503
- Joined: Tue Mar 20, 2018 10:34 pm
- Contact:
Re: DDoS Mitigation Added due to Attack 2025-07-15
Has anyone been able to connect via mobile? It took mine a few attempts to verify I was human but eventually it let me through, but I haven't had any problems on my desktop using firefox.
- EriKon
- Posts: 478
- Joined: Sun Apr 03, 2022 7:03 am
- Location: Germany
- Contact:
Re: DDoS Mitigation Added due to Attack 2025-07-15
Matt K wrote: Tue Jul 15, 2025 2:46 pm Has anyone been able to connect via mobile? It took mine a few attempts to verify I was human but eventually it let me through, but I haven't had any problems on my desktop using firefox.
Was fine over here. Took 5 seconds to verify but no problems.
Edit: Okay, there was another Cloudflare confirmation once I tried to post.
-
- Posts: 241
- Joined: Wed Oct 17, 2018 10:04 am
- Location: Bonnyrigg (near Edinburgh) Scotland
Re: DDoS Mitigation Added due to Attack 2025-07-15
Just literally came on, verification took a few seconds and no issues changing pages or logging in so far.
The trombone chat name at the top is missing though. There's a coffee cup then phpBB written?
Edit - no Cloud Flare posting this.
-
- Posts: 298
- Joined: Wed Mar 09, 2022 9:40 am
Re: DDoS Mitigation Added due to Attack 2025-07-15
I’ve logged in twice on mobile. Only got the verification the first time I logged in.
-
- Posts: 1439
- Joined: Fri Mar 30, 2018 6:09 pm
- Location: Detroit area
- Contact:
Re: DDoS Mitigation Added due to Attack 2025-07-15
I just had Cloudflare prevent me posting a reply and the "human check" dropped the text of my reply and dumped me into the "full editor post a reply" screen. So yeah, there potentially is a problem.
“All musicians are subconsciously mathematicians.”
- Thelonious Monk
-
- Posts: 155
- Joined: Sun Jul 22, 2018 12:18 pm
Re: DDoS Mitigation Added due to Attack 2025-07-15
Matt K wrote: Tue Jul 15, 2025 2:46 pm Has anyone been able to connect via mobile? It took mine a few attempts to verify I was human but eventually it let me through, but I haven't had any problems on my desktop using firefox.
First time no prob
- tbdana
- Posts: 1712
- Joined: Sat Apr 08, 2023 5:47 pm
Re: DDoS Mitigation Added due to Attack 2025-07-15
I've had it pop up once when I first logged on, and then twice when I tried to open threads.
-
- Posts: 1190
- Joined: Tue May 08, 2018 2:05 am
- Location: Los Angeles, California
Re: DDoS Mitigation Added due to Attack 2025-07-15
atopper333 wrote: Tue Jul 15, 2025 4:10 pm I’ve logged in twice on mobile. Only got the verification the first time I logged in.
Same! Zero issues on my iPhone.
Rath R1, Rath R3, Rath R4, Rath R9, Minick Bass Trombone
-
- Posts: 47
- Joined: Fri Jan 03, 2025 12:06 pm
Re: DDoS Mitigation Added due to Attack 2025-07
Matt, the cloud flare mitigations are EXCELLENT and working BEAUTIFULLY AS INTENDED. When testing a variety of forum actions—except for posting messages or long messages—I seem to get prompted about every 2 hours with a captcha from cloudflare. For me this is great. As I can actually access the forum. So thank you. I don’t even mind. Keep up the great work. F’n thank you from the bottom of my heart. From my end: DDoS mitigated. You ROCK.
/Aaron T
Aaron, a hobby player looking to restore and keep up his chops!
Cleveland, OH area
-
- Posts: 47
- Joined: Fri Jan 03, 2025 12:06 pm
Re: DDoS Mitigation Added due to Attack 2025-07-15
I did get the cloudflare prompt and redirect to full editor after I posted. You know what? I don’t care as this is better than what we had before. My $0.02.
Aaron, a hobby player looking to restore and keep up his chops!
Cleveland, OH area
-
- Posts: 47
- Joined: Fri Jan 03, 2025 12:06 pm
Re: DDoS Mitigation Added due to Attack 2025-07-15
I did get the cloudflare prompt and redirect to full editor after I posted. You know what? I don’t care as this is better than what we had before. My $0.02.
Aaron, a hobby player looking to restore and keep up his chops!
Cleveland, OH area
-
- Posts: 126
- Joined: Sun Oct 10, 2021 4:08 am
- Location: London, UK
- Contact:
Re: DDoS Mitigation Added due to Attack 2025-07-15
Huh. Tried to access on mobile about 3 hours ago and I was stuck on the cloudflare "are you human" prompt. It sat just spinning for several minutes, eventually gave me a check box, and then sat spinning again. It never completed and I couldn't get in. All seems fine now though.
- Matt K
- Verified
- Posts: 4503
- Joined: Tue Mar 20, 2018 10:34 pm
- Contact:
Re: DDoS Mitigation Added due to Attack 2025-07-15
Woweee yeah so that was 100% the problem. It's now been in place for almost a full day and these are the stats on that rule I posted:
What I've done is put a rule in place that says EVERY IP address needs to do a challenge occasionally, except an IP I'm planning on using for a status.trombonechat.com page, and I'll need to be unchallenged to occasionally ping the site. As a result, we're seeing 0.41% of all total requests have been successfully answered (22k out of 547,800).
What is not pictured are some other blocks I had in place that I don't want to screenshot, because my conclusion is that this is actually NOT LLM traffic that I had suspected, but appears to be a wholly malicious operation - if I were a betting individual. (I've got separate rules for a variety of known quantities and those rules have a FRACTION of the traffic.) To what ends the nefarious purposes are, I have no idea. It's possible that they are LLM training that are not going through the proper channels, someone who has a beef with us, script kiddies, etc.
Fortunately, it seems that simply forcing everyone to prove they are a human is not super onerous given this feedback (or it's completely blocking the people who would report otherwise?). I too had a problem with iOS yesterday, but it seems that once you let it spin for a while (took 3 tries and ~5 minutes for me at first), and now it goes through no problem, but please keep me updated on if it becomes impossible to get in.