Responding to DDoS attacks

Protect your website from a Distributed Denial of Service (DDoS) attack. Learn the basic countermeasures to stop an ongoing attack.


Overview

Before contacting Cloudflare Support, enable Under Attack Mode (Step 1 below) to help distinguish attack traffic characteristics in logs accessible by Cloudflare Support.

Cloudflare's network automatically mitigates very large DDoS attacks. Caching your content at Cloudflare also protects your website against small DDoS attacks, but uncached assets may require additional manual intervention steps provided in this guide.

The steps below won’t help if an attacker has learned your origin IP address and is directly attacking your origin web server (bypassing Cloudflare). For details, see our guide on understanding Cloudflare DDoS protection.

Step 1: Enable Under Attack Mode

To activate Under Attack Mode:

  1. Log in to your Cloudflare account.
  2. Select the domain currently under attack.
  3. Toggle Under Attack Mode to On within the Quick Actions section of the Cloudflare Overview app.
  4. [Optional] Adjust Challenge Passage within the Settings tab of the Firewall app.

Under Attack Mode is also configurable for specific URLs via the Cloudflare Page Rules app by setting Security Level to I’m Under Attack.

Legitimate traffic from mobile apps or from clients that don’t support JavaScript and cookies cannot access your website while Under Attack Mode is enabled. For this reason, Under Attack Mode is not recommended for your API traffic. Instead, configure Rate Limiting or at least set the Security Level to High under the Settings tab of the Firewall app.

Step 2: Enable the Web Application Firewall (WAF)

The WAF is only available for domains on paid plans.

Enable the Cloudflare WAF via the following procedure:

  1. Log in to your Cloudflare account.
  2. Select the domain that requires additional protection.
  3. Toggle Web Application Firewall to On within the Managed Rules tab of the Firewall app.

Step 3: Challenge or block traffic via the Firewall app

The Cloudflare Firewall app facilitates blocking of traffic via the following methods:

  • IP Access Rules - Recommended for blocking multiple IP addresses, /16 or /24 IP ranges, or Autonomous System Numbers (ASNs).
  • Firewall Rules - Recommended for blocking a country, any valid IP range, or more complex attack patterns.
  • Zone Lockdown - Recommended to allow only trusted IP addresses or ranges to a portion of your site.
  • User Agent Blocking - Recommended for blocking suspicious User-Agent headers for your entire domain.

Firewall Rules have limits but are more flexible and allow matching upon a wider variety of fields and expressions than IP Access Rules.
Firewall updates take effect within 2 minutes.

To decide which country or IPs to block or challenge, check your log files. Contact your hosting provider to help identify:

  • the attack traffic reaching your origin web server,
  • the resources being accessed by the attack, and
  • common characteristics of the attack (IP addresses, User Agents, countries, or ASNs, etc).

Cloudflare also offers Rate Limiting to help control the flow of requests to your server. Rate Limiting is billed based on usage and is independent of plan type.
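
One way to pull the common characteristics listed above out of an origin access log, as an added example that is not Cloudflare's own code. It assumes the origin writes Combined Log Format and that the first field is the visitor's real IP (behind Cloudflare this means restoring it from the CF-Connecting-IP header); the sample lines are constructed.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Assumed format (Combined Log Format):
# ip - - [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample lines using documentation-reserved IP ranges, not real traffic.
SAMPLE = """\
198.51.100.7 - - [10/Oct/2023:13:55:01 +0000] "GET /search?q=a1 HTTP/1.1" 200 512 "-" "ExampleBot/1.0"
198.51.100.7 - - [10/Oct/2023:13:55:01 +0000] "GET /search?q=b2 HTTP/1.1" 200 512 "-" "ExampleBot/1.0"
198.51.100.9 - - [10/Oct/2023:13:55:02 +0000] "GET /search?q=c3 HTTP/1.1" 200 512 "-" "ExampleBot/1.0"
198.51.100.23 - - [10/Oct/2023:13:55:02 +0000] "GET /search?q=d4 HTTP/1.1" 200 512 "-" "ExampleBot/1.0"
203.0.113.50 - - [10/Oct/2023:13:55:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.14 - - [10/Oct/2023:13:55:04 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
""".splitlines()


def summarize(lines, top=3):
    """Return the most frequent client IPs, /24 ranges, User-Agents and paths."""
    counts = {k: Counter() for k in ("ip", "range24", "user_agent", "path")}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        counts["ip"][m["ip"]] += 1
        try:
            net = ip_network(m["ip"] + "/24", strict=False)
            if net.version == 4:  # /24 grouping only makes sense for IPv4
                counts["range24"][str(net)] += 1
        except ValueError:
            pass  # first field was a hostname or malformed address
        counts["user_agent"][m["ua"]] += 1
        # Drop the query string so randomized parameters group under one resource.
        counts["path"][m["path"].split("?", 1)[0]] += 1
    return {k: c.most_common(top) for k, c in counts.items()}


if __name__ == "__main__":
    for field, ranked in summarize(SAMPLE).items():
        print(field, ranked)
```

A range, User-Agent or path that dominates the counts is a candidate for a block or challenge rule; confirm it against known legitimate clients before acting on it.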

Step 4: Contact Cloudflare Support

If you are unable to stop an attack from overloading your origin web server when utilizing the steps above, contact Cloudflare Support for assistance.

