Best Practices: DDoS preventative measures

Learn best practices to secure your Cloudflare-enabled site from DDoS attacks.


Overview

After joining Cloudflare, ensure your site is fully prepared for possible DDoS attacks via the recommendations below.

Proxy your DNS records to Cloudflare

Attackers attempt to identify your origin IP address to directly attack your origin web server without Cloudflare’s protections. Hide your origin IP address from direct attack by proxying traffic to Cloudflare.

Set your DNS records for maximum protection via the following steps:

  1. Enable the Cloudflare proxy (orange-cloud) on all possible DNS records.

  2. Remove DNS records used for FTP or SSH and instead use your origin IP to directly perform FTP or SSH requests. Alternatively, proxy FTP and SSH via Cloudflare Spectrum.

  3. Grey-cloud A, AAAA, or CNAME records corresponding to your mail server and ensure your mail server uses a different IP range and address than your origin web servers.

  4. Remove wildcard records within Free, Pro, or Business domains because they expose your origin IP address. Cloudflare only protects wildcard records for domains on Enterprise plans.

Do not limit or throttle requests from Cloudflare IPs

Once you proxy traffic to Cloudflare, connections to your origin web server come from Cloudflare’s IP addresses. Therefore, it is important that your origin web server whitelists Cloudflare IPs and explicitly blocks traffic not from Cloudflare or your trusted partner, vendor, or application IP addresses.

Restore original visitor IPs in your origin server logs

To see the real IPs behind an attack, restore the original visitor IPs in your origin server logs. Otherwise, all traffic lists Cloudflare’s IPs in your logs. Cloudflare always includes the original visitor IP address in the request, as an HTTP header. Inform your hosting provider that you use a reverse proxy and that all traffic will come from Cloudflare’s IPs when looking at current connections.

Change server IP addresses after moving site to Cloudflare

Cloudflare hides your origin server IP addresses for traffic you proxy to Cloudflare. As an extra security precaution, we recommend contacting your hosting provider and requesting new origin server IPs.

This task may incur a charge, so discuss with your hosting provider based on the risk of attack to your site.

Utilize Rate Limiting to prevent brute force and Layer 7 DDoS attacks

To thwart attacks disguised as normal HTTP requests, Rate Limiting allows website administrators to specify fine-grained thresholds on the load they expect their web server to receive. With one simple click, setup basic rate limiting to protect your login pages from brute force attacks.

Cloudflare Free, Pro, and Business plans include 10,000 free requests per month. Refer to our guide on Cloudflare Rate Limiting for further details.


Related resources

Not finding what you need?

95% of questions can be answered using the search tool. This is the quickest way to get a response.

Powered by Zendesk