How do I use Rate Limiting to protect against DDoS attacks?

A Distributed Denial of Service (DDoS) attack is a malicious attempt consisting of a high volume of requests aimed at crashing or shutting down a web server. With Cloudflare Rate Limiting, you can create a rule to defend against this type of attack.


DDoS attacks send far many more requests than a human being could possibly generate. To protect your website, you can create Cloudflare Rate Limiting rules with thresholds that are higher than normal request rates.

You can configure Cloudflare Rate Limiting in the Firewall app under the Tools tab of the Cloudflare dashboard.

Before creating a new custom rule for mitigating DDoS attacks, consider the best practices outlined below.  To create a rate limiting rule, see Configuring Rate Limiting from the Cloudflare Dashboard.

Best practices for mitigating DDoS attacks

In planning a DDoS protection rule with Cloudflare Rate Limiting, review the recommendations outlined below.

Analyze your access logs

Cloudflare recommends that you study your access logs in order to:

  • Identify other targeted URLs: Other than the homepage, determine what other URLs are being attacked and use a rule pattern that matches the attack.
  • Calculate an appropriate rule threshold: Filter your logs to show suspicious client requests and determine the average number of requests for a given timespan (e.g., 10 minutes). Then, choose a threshold that is slightly below the malicious threat but high enough so that legitimate requests aren't blocked. 

Be careful when editing a existing rule

 Any change to a rate limiting rule will clear blocks previously triggered by that rule. That is, clients that had been blocked will be able to send new requests until they hit the rule threshold again. Because of this, exercise care when editing rules used for DDoS mitigation if an attack is ongoing.

If you need to set a lower threshold:

  1. Leave existing rules in place and ad a new rule with the lower threshold.
  2. Once this new rule is in place, wait for existing blocks from the old rule to expire (i.e. wait for the mitigation length of the old rule) and then delete the old rule.

If your existing rule is too aggressive and is blocking legitimate traffic, you should set a higher threshold.  To do this:

  1. Edit the existing rule to increase the threshold. In this case, dropping active blocks is necessary in order to ensure that legitimate traffic is allowed.
  2. Be prepared for an increase in traffic while the updated rule takes effect.
Not finding what you need?

95% of questions can be answered using the search tool. This is the quickest way to get a response.

Powered by Zendesk