I am under DDoS attack, what do I do?

This document details how you can defend or protect your web property from a DDoS (distributed denial of service) attack quickly. If you are currently under DDoS or believe that your web property is going to be attacked, you should take the following steps for maximum protection.

Essential steps

Step 1: Sign up to Cloudflare for unmetered mitigation of DDoS
Step 2: Turn on I’m Under Attack Mode
Step 3: Turn on the WAF (Web Application Firewall)
Step 4: Set your DNS records for maximum security
Step 5: Do not rate-limit or throttle requests from Cloudflare IPs
Step 6: Block specific countries and visitors and/or implement Cloudflare Rate Limiting

Recommended steps once your site is back online

Step 7: Create a Page Rule
Step 8: Customize the challenge pages
Step 9: Restore original visitor IP addresses in your logs
Step 10: Challenge for specific ASNs in Firewall section
Step 11: Blocking unwanted IP addresses and malicious User-Agents by using URL Lockdown and User-Agent (UA) Rules


If your site remains offline and/or you need additional security safeguards

Step 12: Ask your hosting provider for a new server IP
Step 13: Run email on separate server/service



Step 1: Sign up to Cloudflare for unmetered mitigation of DDoS

Time: 2 minutes, Difficulty: Easy

Cloudflare’s unmetered DDoS mitigation protects against all attacks: DNS attacks, Layer 3 / 4 attacks, and Layer 7 attacks, no matter the size, type, or duration of the attack.

All Cloudflare plans include unlimited protection against DDoS attacks, without fear of being dropped. Once you sign up, advanced DDoS protection is automatic. Cloudflare does not bill by attack size and does not have an attack cap.

New to Cloudflare? Sign up online here. Note: The signup process requires a change to DNS which takes on average 15 minutes for most customers, but may take up to 3 days.



Step 2: Turn on I’m Under Attack mode
Time: 1 minute, Difficulty: Easy

“I’m Under Attack" mode will help mitigate Layer 7 DDoS attacks. I’m Under Attack mode enables additional protections to stop potentially malicious HTTP traffic from being passed to your server. On their first visit, your legitimate visitors will briefly see an interstitial page while the additional checks are performed:



Example of an interstitial page that visitors to your website might see when you are under attack.

You can customize this page (see Step 8). To activate the feature, go to the overview for your domain, click on "Quick actions" and then I'm Under Attack.




Step 3: Turn on the WAF (Web Application Firewall)
Time: 1 minute, Difficulty: Easy

The Cloudflare Web Application Firewall (WAF) is available on all paid plans. Control of the WAF is found in the Firewall section of the Cloudflare Dashboard.

Beyond the Core Rule Set, Cloudflare offers many rule packages and individual rules.

More about the Cloudflare WAF


Step 4: Set your DNS records for Maximum Security
Time: 10 minutes, Difficulty: Medium

Within the Cloudflare DNS Settings, you have a choice of enabling Cloudflare's security and performance on a per-record basis. Security is ON when the cloud is orange. Security is OFF if the cloud is gray, which means that attackers will bypass Cloudflare security and reach your web server directly.

Here is how to set your DNS records for maximum protection:

  1. Enable Cloudflare security features (orange cloud) on all DNS records possible
  2. Use your origin IP directly to perform actions like FTP or SSH, and remove the DNS records for FTP/SSH and for any other service besides email that cannot be orange-clouded (i.e. protected)
  3. Delete any wildcard records, unless they are required, as they will expose your origin IP address (only Enterprise plans can protect wildcard DNS records)
  4. Remove any mail records that expose your origin server IP address


Orange cloud all records that get web traffic
Protocols like mail, ftp, ssh, and cPanel have gray clouds by default. If you enable Cloudflare for these subdomains, the protocols will no longer work. However, if you have gray clouds, then an attacker can look up your origin server IP if they know about these subdomains and can circumvent Cloudflare's DDoS security solution. To resolve, enable orange clouds for the subdomains.

Use your IP to perform FTP, SSH, etc.
Once you enable an orange cloud on all of your DNS records, you will need to use the direct IP to access certain protocols like mail, ftp, ssh, and cPanel. For example, for FTP you would use ftp://yourserverIP (put in your server IP address) rather than ftp.example.com.

Note: If there is no cloud, the record cannot be proxied, but that means it’s pointing to another service, so should not be a concern.

Note: Cloudflare provides authoritative DNS service to its direct customers; this step only applies to those records delegated to Cloudflare. If you’ve enabled Cloudflare via a hosting partner or CNAME setup, then your DNS is controlled elsewhere. If the attacker is attacking your server directly, then you may need to sign up directly through Cloudflare and restart at Step 1.



Step 5: Do not rate-limit or throttle requests from Cloudflare IPs
Time: 10 minutes, Difficulty: Medium

Cloudflare acts as a reverse proxy so all connections come from one of our IPs. It is important to ensure that your server accepts connections from Cloudflare at all times. Cloudflare IP ranges are listed at http://www.cloudflare.com/ips and that page includes links to simple text files intended for machine parsing. Cloudflare will add any new ranges to the public list at least one month before the new range is used, and will use many methods to publicize any new ranges.



Step 6: Block / Challenge specific countries and visitors and/or add Cloudflare Rate Limiting

Time: 10 minutes, Difficulty: Medium

Cloudflare’s Threat Control lets you block IP addresses and set entire countries to be challenged. Once you add an IP or country, the security rule will take effect within 2 minutes offloading the traffic from your server. To decide which country or IPs to add to the IP firewall, you will want to check your log files or follow the steps below under Advanced tips. You can find the IP firewall in the Firewall section of the Cloudflare Dashboard. Note: Block by country is Enterprise only.

Challenge Countries by navigating to Firewall > IP Firewall > Access Rules


Block IP Addresses by navigating to Firewall > IP Firewall > Access Rules


Block IP Address range by navigating to Firewall > IP Firewall > Access Rules


We also offer Rate Limiting that can help control the flow of requests to your server. This is very useful to make sure visitors (even the good ones) don't overload your server with requests. More can be found about Cloudflare Rate Limiting here.

Advanced tip: To get a list of visitors coming to your site from the last 48 hours by a number of requests, follow these steps. You can use the information to identify IPs you may want to manually add to your Cloudflare Threat Control Block list.



If your web property is online, proceed to Step 7 otherwise if your web property is still offline from the attack, skip to Step 10.



Step 7: Create a Page Rule
Time: 10 minutes, Difficulty: Medium

If your site is back online, you can offload more traffic to your server by creating a Page Rule. A Page Rule offers fine-grained control over Cloudflare’s CDN default cache policies. If appropriate, create a Page Rule for your essential web pages and change the caching policy to “Cache Everything”. This means that Cloudflare will cache the entire page for your visitors, saving requests to your server.

Example: Create a Page Rule with Cache Everything turned on for this domain structure: *example.com/name-of-a-specific-page. The * will cover both the root and any subdomain like www.


Note: You only want to create a Page Rule once your server is back online, otherwise Cloudflare will cache an error that will be served for all future requests. You also want to make sure that there is no personalized information on the page since with Cache Everything, the HTML gets cached. If you create a Page Rule and decide you want to delete it, any changes will take effect within 2 minutes. Page Rules are applied in the order they are listed.

Advanced: If a login or admin page is cached, it may be served to a different visitor than intended. This issue can be solved by creating a higher priority page rule using a cache level bypass setting for the admin/login URL (i.e. example.com/admin/*) and leaving Cache Everything page rule on for the rest of the web page/folder.

Additional Page Rules Tutorial



Step 8: Customize the challenge pages
Time: 30 minutes, Difficulty: Medium

All paid customers can fully modify the HTML on the challenge page and on the I'm Under Attack mode page. The challenge page is shown to potentially suspicious visitors who meet the Cloudflare Basic Security threshold you set. If the Cloudflare service determines that a visitor to your website might be malicious, the visitor is served a ‘challenge’ page requiring them to complete a CAPTCHA. If the visitor passes the CAPTCHA test, they continue on to your website.

To customize your challenge page, go to the Customization section of the Cloudflare interface.

The security works whether the page is customized or not, but it’s useful to make that page reflect your brand and site language.



Step 9: See original visitor IP addresses in your logs
Time: 15 minutes, Difficulty: Medium

Cloudflare operates as a reverse proxy, so requests to your server(s) are made from our global network. The requests will, therefore, come from Cloudflare IP addresses, but Cloudflare always includes the original visitor IP address in the request, as an HTTP header. Cloudflare offers several tools, such as mod_cloudflare for Apache web servers, for pulling the original visitor IP address from the header. See the full list here: https://support.cloudflare.com/entries/22055137
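The two origin-side rules from Step 5 and Step 9 fit together: never throttle the shared Cloudflare edge addresses, and only trust the forwarded visitor address when the connection actually comes from one of them, since anyone who reaches the origin directly can forge that header. The example below is added here and is not Cloudflare's code or mod_cloudflare; it assumes the header name CF-Connecting-IP, and the three networks in it are constructed placeholders standing in for the published ips-v4 / ips-v6 lists.

```python
import ipaddress

# Constructed sample in the shape of the machine-readable ips-v4 / ips-v6
# files linked from https://www.cloudflare.com/ips. These are documentation
# prefixes used as placeholders, NOT Cloudflare's real ranges: load the
# published files instead and refresh them regularly.
SAMPLE_RANGES = """
203.0.113.0/24
198.51.100.0/24
2001:db8:cf::/48
"""

def parse_ranges(text):
    """One network per line; blanks and # comments are skipped."""
    return [ipaddress.ip_network(l.strip(), strict=False)
            for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

CLOUDFLARE_NETS = parse_ranges(SAMPLE_RANGES)

def is_cloudflare(peer_ip, nets=CLOUDFLARE_NETS):
    """True when the TCP peer address belongs to a Cloudflare edge range."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in nets)

def client_ip(peer_ip, headers, nets=CLOUDFLARE_NETS):
    """Address to log and to key rate limits on.

    CF-Connecting-IP is only honoured when the connection really comes from
    a Cloudflare range; anyone connecting directly can forge that header,
    so for such peers the socket address is used unchanged."""
    if is_cloudflare(peer_ip, nets):
        lowered = {k.lower(): v for k, v in headers.items()}
        try:
            return str(ipaddress.ip_address(lowered["cf-connecting-ip"].strip()))
        except (KeyError, ValueError):
            pass  # header missing or malformed: fall back to the peer
    return peer_ip

class RequestCounter:
    """Minimal per-client counter: with the key from client_ip(), a flood
    is attributed to the visitor, not to the shared Cloudflare edge IP."""
    def __init__(self, limit):
        self.limit, self.seen = limit, {}

    def allow(self, key):
        self.seen[key] = self.seen.get(key, 0) + 1
        return self.seen[key] <= self.limit
```

Keying the counter on the raw peer address instead would count every proxied visitor against one Cloudflare IP and throttle all of them at once, which is exactly what Step 5 warns against.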



If your site is still offline or you want to add additional safeguards


Step 10: Challenge for specific ASNs in Firewall Section
Time: 15 minutes, Difficulty: Medium

You can also challenge/block ASN's when there are excessive requests from specific ASNs to the site.


Step 11: Blocking IP addresses and malicious User-Agents by using URL Lockdown and User-Agent (UA) Rules
Time: 15 minutes, Difficulty: High

URL Lockdown rules specify a list of one or more IP addresses or networks that are the only IPs allowed to access a domain, subdomain, or URL. Multiple destinations can be specified in a single rule, and both IPv4 and IPv6 source addresses can be used. IP CIDR ranges can also be used. Any IP not specified in the rule will be denied access to the page. More details can be found here: URL Lockdown

User Agent rules match against the User-Agent headers sent by the browser or application accessing your site. UA rules are applied against the entire domain. More details can be found here: User-Agent (UA) Rules

Step 12: Ask your hosting provider for a new server IP
Time: 15 minutes, Difficulty: High

If you have done all of the above and your web server continues to get a heavy load, then the attacker has your origin server IP. You will need to contact your hosting provider and ask them to give you a new origin IP, then update it in your Cloudflare DNS settings page.

You can tell your web host: “I am under a DDoS attack. I now have a DDoS protection service called Cloudflare set up. However, the attacker has my origin server IP and is therefore bypassing my DDoS protection. Please give me a new origin server IP so that the attacker can no longer attack my server directly.”

Once you have the new server IP address, make sure you update the IP in your Cloudflare DNS Settings page.

With Cloudflare enabled for all web records, Cloudflare helps to mask the server IP address(es) so the attacker can not get the new IP address.



Step 13: Run email on separate server/service
Time: 60 minutes, Difficulty: High

If you are running your mail on the same server as your website, then the attacker can always find your origin server IP. To close this possible security gap, you can use an email service on a separate server than your website, whether through your hosting provider or an outside service (e.g., Google Apps).

For Mac users: You can run this command in Terminal to see what IP is being reported with your MX records: dig +short $(dig mx +short WEBSITE)

For example, if I was concerned about example.com, I would enter: dig +short $(dig mx +short example.com)

The output will be an IP address. This is the IP address that an attacker can always find. You want to make sure this IP address is different than the IP address for your web server. Otherwise, no matter how many times you change your web server, if your email is also on the same server, then the attacker can always find the new IP.

For PC users: You can run this command in command prompt to see what IP is being reported with your MX records: nslookup -q=mx WEBSITE

For example, if I was concerned about example.com, I would enter: nslookup -q=mx example.com

The output will be an IP address. This is the IP address that an attacker can always find. You want to make sure this IP address is different than the IP address for your web server. Otherwise, no matter how many times you change your web server, if your email is also on the same server, then the attacker can always find the new IP.
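The checks in Step 4 (gray-clouded records, wildcards) and Step 13 (MX pointing at the web server) are all the same question: which DNS records let an attacker learn the origin address and go around the proxy? The audit below is an added example, not Cloudflare tooling; it runs over a constructed zone snapshot (record type, name, content, proxied flag) in place of a live dig lookup, with a constructed origin address.

```python
import ipaddress

ORIGIN_IP = "192.0.2.10"  # constructed: the web server's real address

# Constructed zone snapshot shaped like a DNS record export:
# (type, name, content, proxied). proxied=True is an orange cloud.
RECORDS = [
    ("A",  "example.com",      "192.0.2.10",       True),
    ("A",  "www.example.com",  "192.0.2.10",       True),
    ("A",  "ftp.example.com",  "192.0.2.10",       False),
    ("A",  "*.example.com",    "192.0.2.10",       False),
    ("A",  "mail.example.com", "192.0.2.10",       False),
    ("MX", "example.com",      "mail.example.com", False),
    ("A",  "blog.example.com", "198.51.100.20",    False),  # hosted elsewhere
]

def resolve(name, records):
    """Addresses of `name` from the snapshot (what dig +short would return)."""
    return {c for t, n, c, _ in records if n == name and t in ("A", "AAAA")}

def audit(records, origin_ip):
    """Return (record name, problem) pairs for every record that lets an
    attacker learn origin_ip and so bypass the proxy."""
    origin = ipaddress.ip_address(origin_ip)
    findings = []
    for rtype, name, content, proxied in records:
        if rtype in ("A", "AAAA"):
            if proxied or ipaddress.ip_address(content) != origin:
                continue  # protected, or pointing at some other service
            if name.startswith("*."):
                findings.append((name, "wildcard exposes origin; delete unless required"))
            else:
                findings.append((name, "gray cloud exposes origin; orange-cloud or remove"))
        elif rtype == "MX":
            # Same check as: dig +short $(dig mx +short example.com)
            for ip in resolve(content, records):
                if ipaddress.ip_address(ip) == origin:
                    findings.append((name, f"MX target {content} is the web server; move mail off it"))
    return findings

if __name__ == "__main__":
    for name, problem in audit(RECORDS, ORIGIN_IP):
        print(f"{name}: {problem}")
```

On this snapshot the proxied www record and the blog record hosted elsewhere pass, while the gray-clouded ftp and mail records, the wildcard, and the MX record are all reported.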



We hope the above information helps you defend yourself against a DDoS attack. If you are still having difficulties and would like to receive 24/7 phone support, you can upgrade to our Enterprise plan and speak with a Technical Support Engineer.



