DDoS attacks often consist of high volumes of requests, and malicious clients will often send far many more requests than a normal user. As such, rate limiting rules with thresholds well over normal request rates can be used to defend against this type of attack.
Rate Limiting is an add-on service (available in all user plans) that when enabled, appears in the Firewall app of the Cloudflare dashboard. For subscription information, visit Cloudflare Pricing.
To create a rule to protect against DDoS attacks, navigate to Firewall > Create a Rate Limiting Rule. Then:
This rule applies to the site root/homepage only. While this is a fairly common attack target, you should review your access logs to determine which URLs are being attacked and use a rule pattern that matches the attack.
To determine an appropriate threshold, review your access logs to find several clients that appear to be sending malicious requests. Filter your logs to show requests from those clients only, and determine the average number of requests each client made during the monitoring period (10 minutes in the example above). Choose a threshold slightly below the malicious request rate, but high enough that legitimate clients are not blocked.
Special considerations when editing DDoS mitigation rules
Any change to a Rate Limiting rule will clear existing blocks triggered by that rule: clients that were previously blocked will be able to send new requests until they hit the rule threshold again. Because of this, care should be taken when editing rules used for DDoS mitigation if an attack is ongoing, as editing a rule that blocked malicious clients in the past will remove those blocks.
If you need to set a lower threshold, we recommend leaving existing rules in place and adding a new rule with the lower threshold. Once the new rule is in place, wait for existing blocks from the old rule to expire (i.e. wait for the mitigation length of the old rule) and then delete the old rule.
If you need to set a higher threshold (e.g. because your existing rule is too aggressive and is blocking legitimate traffic), editing the existing rule and dropping active blocks is necessary, as a new rule with a lower threshold will not trigger until the existing rule is removed. You should be prepared for an increase in traffic while the updated rule takes effect.