
Learning Under Fire: Investigating a Layer 7 DDoS Attack

How my curiosity led me to explore agentic incident response when my server was hit by an AWS botnet, and the lessons I learned about Cloudflare.

I love exploring how systems break. Sometimes, the best way to learn is when everything is on fire.

Earlier this week, my server started throwing CPU load averages of 10.00+. The live18-odoo instance was entirely consumed, and legitimate traffic was failing. I started digging in and realized I was getting hit by a Layer 7 Application DoS attack. A botnet was aggressively spamming heavy dynamic endpoints like /blog/tag/* and /web/signup.

The Agentic Experiment

Normally, I'd jump into the terminal, grep the logs, and try to block IPs using ufw. But since I've been heavily exploring AI agents lately, I decided to see if I could use this incident as a learning opportunity.

I gave an agent SSH access and asked it to help me analyze the vector.

We quickly hit a wall. Because my server sits behind a Cloudflare reverse proxy, the attacking traffic was disguised under Cloudflare edge IPs. Looking at the raw access logs, the agent pointed out the problem:

# The firewall sees Cloudflare (162.158.x.x), but the real attacker is in the header
"GET /blog/tag/ai HTTP/1.1" 200 - "162.158.165.12" "X-Forwarded-For: 45.33.xx.xx"

I learned a hard lesson right there: dropping traffic at the server's firewall level via iptables or ufw is useless when the attacker is hidden behind a CDN. You end up accidentally blocking Cloudflare itself.
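As an added example that is not part of the original post, here is a small log triage script built around the entry quoted above: it parses each line, counts hits on the heavy endpoints named in this post (/blog/tag/* and /web/signup) per forwarded client address rather than per Cloudflare edge address, and reports which clients cross a threshold. The sample log lines and their IP addresses are constructed for the demonstration; the header name and line shape are taken from the quoted entry.

```python
import re
from collections import Counter
from fnmatch import fnmatch

# Constructed sample lines in the same shape as the entry quoted above:
# request, status, edge IP (Cloudflare), then the forwarded client IP.
SAMPLE_LOG = """\
"GET /blog/tag/ai HTTP/1.1" 200 - "162.158.165.12" "X-Forwarded-For: 203.0.113.7"
"GET /blog/tag/ai HTTP/1.1" 200 - "162.158.165.12" "X-Forwarded-For: 203.0.113.7"
"GET /web/signup HTTP/1.1" 200 - "162.158.165.12" "X-Forwarded-For: 203.0.113.7"
"GET /blog/tag/odoo HTTP/1.1" 200 - "162.158.165.13" "X-Forwarded-For: 203.0.113.7"
"GET /web/signup HTTP/1.1" 200 - "172.68.10.4" "X-Forwarded-For: 198.51.100.9"
"GET /blog/tag/ai HTTP/1.1" 200 - "172.68.10.4" "X-Forwarded-For: 198.51.100.9"
"GET / HTTP/1.1" 200 - "172.68.10.4" "X-Forwarded-For: 198.51.100.22"
"GET /web/static/app.css HTTP/1.1" 200 - "162.158.165.12" "X-Forwarded-For: 203.0.113.7"
"""

LINE_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<edge>[\d.]+)" "X-Forwarded-For: (?P<client>[^",]+)'
)

# Dynamic endpoints the post identifies as the ones being hammered.
HEAVY_ENDPOINTS = ("/blog/tag/*", "/web/signup")

def parse_line(line):
    """Return (edge_ip, client_ip, path), or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # X-Forwarded-For may be a list "client, proxy1, ..."; the first entry is the client.
    return m["edge"], m["client"].strip(), m["path"]

def is_heavy(path):
    return any(fnmatch(path, pat) for pat in HEAVY_ENDPOINTS)

def top_clients(log_text, threshold=3):
    """Count heavy-endpoint hits per forwarded client; return (edge counts, offenders).
    Counting by edge IP would only ever name Cloudflare, which is the trap described above."""
    by_edge, by_client = Counter(), Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        edge, client, path = parsed
        if is_heavy(path):
            by_edge[edge] += 1
            by_client[client] += 1
    offenders = {ip: n for ip, n in by_client.items() if n >= threshold}
    return by_edge, offenders

if __name__ == "__main__":
    edges, offenders = top_clients(SAMPLE_LOG)
    print("edge IPs (Cloudflare, do not block):", dict(edges))
    print("forwarded clients over threshold:", offenders)
```

The offender list is what you would hand to an edge-side rule; the edge counts are shown only to make the point that every heavy hit arrives from a Cloudflare address.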


The Architectural Pivot: If you can't block it at the host, you have to block it at the edge. True Agentic Orchestration means giving the AI the API keys to manipulate external cloud infrastructure, not just local bash terminals.


Pivoting to the Edge

I collaborated with the agent to orchestrate the Cloudflare API. Instead of blocking individual IPs, we triggered Cloudflare's "I'm Under Attack Mode", which forces a 5-second JS challenge on all visitors. Here is the exact API call we orchestrated through the agent:

curl -X PATCH "https://api.cloudflare.com/client/v4/zones/YOUR_ZONE_ID/settings/security_level" \
     -H "Authorization: Bearer YOUR_API_TOKEN" \
     -H "Content-Type: application/json" \
     --data '{"value":"under_attack"}'

It worked. The botnet crawlers couldn't pass the JS challenge, and they were dropped at the edge. A minute later, I watched my server's CPU load drop from 99% down to idle.

I'm still learning the depths of agentic security, but this experiment proved to me that when we combine our curiosity with dynamic AI tools, we can solve complex infrastructure puzzles in entirely new ways.




💡 Tips for Agentic Incident Response

If you ever find yourself leaning on an agent during a server crisis, keep these tips in mind:

  1. Understand Your Topology: The agent won't magically know that you are behind a CDN like Cloudflare. You have to provide that context.
  2. Don't Panic, Pivot: If a host-level block (like UFW) doesn't work, ask the agent to help you brainstorm alternative vectors. The edge network is usually the right answer for application-layer attacks.
  3. Use WAF Rules Generously: The JS challenge buys you time. Don't be afraid to turn it on while you investigate the logs more deeply.

See the Full Picture

A Systems Architect must understand the entire packet lifecycle—from the edge CDN down to the Docker container.


🔗 Related Resources

  • Internal Link: To see how this attack led me to discover a massive vulnerability in how Docker handles port bindings, read my post on Orchestrating the Network Layer.
  • External Link: If you aren't familiar with how Cloudflare handles Layer 7 attacks, their documentation on Understanding Under Attack Mode is a fantastic read.
Ramon Rios Jr. June 19, 2026