I am under DDoS attack, what do I do?

This document details how you can defend or protect your web property from a DDoS (distributed denial of service) attack quickly. If you are currently under DDoS or believe that your web property is going to be attacked, you should take the following steps for maximum protection.

Essential steps
Expected time: 30 minutes

Step 1: Upgrade to CloudFlare Business or CloudFlare Enterprise
Step 2: Turn on I’m Under Attack Mode
Step 3: Turn on the WAF (Web Application Firewall)
Step 4: Set your DNS records for maximum security
Step 5: Do not rate-limit or throttle requests from CloudFlare IPs
Step 6: Block specific countries and visitors


Recommended steps once your site is back online
Expected time: 1 hour

Step 7: Create a Page Rule
Step 8: Customize the challenge pages
Step 9: See original visitor IP addresses in your logs


If your site is still offline / Additional security safeguards
Expected time: 1.5 hours

Step 10: Ask your hosting provider for a new server IP
Step 11: Run email on separate server/service



Step 1: SignUp/Upgrade to CloudFlare Business or Enterprise

Time: 2 minutes, Difficulty: Easy

The CloudFlare Business and Enterprise plans offer advanced DDOS protection from all attacks: DNS attacks, Layer 3 / 4 attacks, and Layer 7 attacks. Once you are on the Business or Enterprise plan, advanced DDOS protection is automatic. CloudFlare does not bill by attack size and does not have an attack cap.

If you are a current CloudFlare customer, upgrade online to the Business plan right from your My Websites control panel and go to Step 2.

New to CloudFlare? Sign up online here. Note: The signup process requires a change to DNS which takes on average 15 minutes for most customers, but may take up to 3 days.

Additional resources:
Difference between the Business and Enterprise plan
How large of a DDoS attack can CloudFlare handle?
More details on types of DDoS attacks


Step 2: Turn on I’m Under Attack mode
Time: 1 minute, Difficulty: Easy

“I’m Under Attack" mode will help mitigate Layer 7 DDoS attacks. I’m Under Attack mode enables additional protections to stop potentially malicious HTTP traffic from being passed to your server. On their first visit, your legitimate visitors will briefly see an interstitial page while the additional checks are performed:



Example of interstitial page that visitors to your website might see when you are under attack.

You can customize this page (see Step 8). To activate the feature, go to the Security Settings for your domain: Settings > CloudFlare Settings > Security Settings > Basic protection level

Additional details on I'm Under Attack mode



Step 3: Turn on the WAF (Web Application Firewall) 
Time: 1 minute, Difficulty: Easy 

The CloudFlare Web Application Firewall (WAF) is available to Pro, Business and Enterprise customers. Control of the WAF is found at the bottom of CloudFlare Settings > Security Settings.

Link to the WAF is at bottom of CloudFlare Security Settings page.


 
Beyond the Core Rule Set, CloudFlare offers many rule packages and individual rules.

More about the CloudFlare WAF


Step 4: Set your DNS records for Maximum Security
Time: 10 minutes, Difficulty: Medium

Within the CloudFlare DNS Settings, you have a choice of enabling CloudFlare's security and performance on a per-record basis. Security is ON when the cloud is orange. Security is OFF if the cloud is gray, which means that the attacker can bypass CloudFlare's security and attack your web server directly.

Here is how to set your DNS records for maximum protection:

  1. Enable CloudFlare security (orange cloud) on every record that receives web traffic, including records such as ftp and ssh that share the web server's IP
  2. Use your origin IP directly for actions like FTP and SSH






Orange cloud all records that get web traffic
Protocols like mail, ftp, ssh and cPanel have gray clouds by default. If you enable CloudFlare for these subdomains, the protocols will no longer work. However, if you have gray clouds, then an attacker can look up your origin server IP if they know about these subdomains and can circumvent CloudFlare's DDoS security solution. To resolve, enable orange clouds for the subdomains.

Use your IP to perform FTP, SSH, etc.
Once you enable an orange cloud on all of your DNS records, you will need to use the direct IP to access certain protocols like mail, ftp, ssh and cPanel. For example, instead of ftp.yourdomain.com you would use ftp://yourserverIP (put in your server IP address).

Note: If there is no cloud, the record cannot be proxied, but that means it’s pointing to another service, so it should not be a concern.

Note: CloudFlare provides authoritative DNS service to its direct customers; this step only applies for those records delegated to CloudFlare. If you’ve enabled CloudFlare via a hosting partner or CNAME setup, then your DNS is controlled elsewhere. If the attacker is attacking your server directly, then you may need to sign up directly through CloudFlare and restart at Step 1.



Step 5: Do not rate-limit or throttle requests from CloudFlare IPs
Time: 10 minutes, Difficulty: Medium

CloudFlare acts as a reverse proxy so all connections come from one of our IPs. It is important to ensure that your server accepts connections from CloudFlare at all times. CloudFlare IP ranges are listed at http://www.cloudflare.com/ips and that page includes links to simple text files intended for machine parsing. CloudFlare will add any new ranges to the public list at least one month before the new range is used, and will use many methods to publicize any new ranges.



Step 6: Block specific countries and visitors

Time: 10 minutes, Difficulty: Medium

CloudFlare’s Threat Control lets you block IP addresses and set entire countries to be challenged. Once you add an IP or country, the security rule will take effect within 2 minutes, offloading that traffic from your server. To decide which countries or IPs to add to your Threat Control, you will want to check your log files or follow the steps below under Advanced tip. You can find the Threat Control panel next to the domain on the My Websites page.




Advanced tip: To get a list of visitors coming to your site from the last 48 hours by number of requests, follow these steps. You can use the information to identify IPs you may want to manually add to your CloudFlare Threat Control Block list.



If your web property is online, proceed to Step 7. If your web property is still offline from the attack, skip to Step 10.



Step 7: Create a Page Rule
Time: 10 minutes, Difficulty: Medium

If your site is back online, you can offload more traffic to your server by creating a Page Rule. A Page Rule offers fine-grained control over CloudFlare’s CDN default cache policies. If appropriate, create a Page Rule for your essential web pages and change the caching policy to “Cache Everything”. This means that CloudFlare will cache the entire page for your visitors, saving requests to your server.

Example: Create a Page Rule with Cache Everything turned on for this domain structure: *example.com/name-of-a-specific-page

The * will cover both the root and any subdomain like www.

Note: You only want to create a Page Rule once your server is back online, otherwise CloudFlare will cache an error that will be served for all future requests. You also want to make sure that there is no personalized information on the page since with Cache Everything, the HTML gets cached. If you create a Page Rule and decide you want to delete it, any changes will take effect within 2 minutes. Page Rules are applied in the order they are listed.

Advanced: If a login or admin page is cached, it may be served to a different visitor than intended. This issue can be mitigated by disabling CloudFlare’s performance cache settings for the admin/login URL (i.e. example.com/admin/*) and leaving Cache Everything on for the rest of the web page/folder.

Additional Page Rules Tutorial



Step 8: Customize the challenge pages
Time: 30 minutes, Difficulty: Medium

All paid customers can fully modify the HTML on the challenge page and the I'm Under Attack mode page. The challenge page is shown to potentially suspicious visitors who meet the CloudFlare Basic Security threshold you set. If the CloudFlare service determines that a visitor to your website might be malicious, the visitor is served a ‘challenge’ page requiring them to solve a CAPTCHA. If the visitor passes the CAPTCHA test, they continue on to your website.

To customize your challenge page, go to: Settings > Custom Errors.




The security works whether the page is customized or not, but it’s useful to make that page reflect your brand and site language.



Step 9: See original visitor IP addresses in your logs
Time: 15 minutes, Difficulty: Medium

CloudFlare operates as a reverse proxy, so requests to your server(s) are made from our global network. The requests will therefore come from CloudFlare IP addresses, but CloudFlare always includes the original visitor IP address in the request, as an HTTP header. CloudFlare offers several tools, such as mod_cloudflare for Apache webservers, for pulling the original visitor IP address from the header. See the full list here: https://support.cloudflare.com/entries/22055137
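The two sides of Steps 5 and 9, and the log check from Step 6, as one added example (not CloudFlare's own code or mod_cloudflare): it parses the one-CIDR-per-line format of the machine-readable IP list, refuses to throttle those ranges, restores the visitor IP from the CF-Connecting-IP header only when the connecting peer really is a CloudFlare address (a direct connection could forge that header), and counts requests per real visitor over a constructed log excerpt. The three CIDRs and the log lines are sample values; load the live list from the URL above in production.

```python
import ipaddress
from collections import Counter

# Sample entries in the one-CIDR-per-line format of the machine-readable
# list linked from cloudflare.com/ips (constructed excerpt; load the live file).
SAMPLE_IPS_V4 = """\
103.21.244.0/22
103.22.200.0/22
198.41.128.0/17
"""

def load_ranges(text):
    """Parse one CIDR per line, skipping blank lines and '#' comments."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

CF_RANGES = load_ranges(SAMPLE_IPS_V4)

def is_cloudflare(addr):
    """Step 5: connections from these ranges must never be throttled or blocked."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CF_RANGES)

def client_ip(remote_addr, headers):
    """Step 9: trust the forwarded visitor IP only when the peer is CloudFlare;
    otherwise the header is attacker-controlled and the peer address is kept."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if is_cloudflare(remote_addr):
        try:
            return str(ipaddress.ip_address(hdrs.get("cf-connecting-ip", "")))
        except ValueError:
            pass  # header missing or malformed: fall back to the peer address
    return remote_addr

# Constructed log excerpt: "<peer IP> <CF-Connecting-IP or -> <request>"
SAMPLE_LOG = """\
103.21.244.9 203.0.113.5 GET /
103.21.244.9 203.0.113.5 GET /
198.41.130.2 203.0.113.5 GET /login
198.41.130.2 198.51.100.7 GET /
192.0.2.44 203.0.113.5 GET /
"""

def top_visitors(log_text, n=3):
    """Step 6 input: requests per real visitor, not per CloudFlare edge address."""
    counts = Counter()
    for line in log_text.splitlines():
        peer, forwarded, *_ = line.split()
        hdr = {} if forwarded == "-" else {"CF-Connecting-IP": forwarded}
        counts[client_ip(peer, hdr)] += 1
    return counts.most_common(n)
```

The last log line shows why the peer check matters: it arrives directly, not via CloudFlare, so its forged header is ignored and the connection is attributed to 192.0.2.44.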



If your site is still offline or you want to take additional security safeguards



Step 10: Ask your hosting provider for a new server IP
Time: 15 minutes, Difficulty: High

If you have done all of the above, and your web server continues to get heavy load, then the attacker has your origin server IP. You will need to contact your hosting provider and ask them to give you a new origin IP and then update it in your CloudFlare DNS settings page.

You can tell your web host that: “I am under a DDOS attack. I now have a DDOS protection service called CloudFlare set up. However, the attacker has my origin server IP therefore bypassing my DDOS protection. Please give me a new origin server IP so that the attacker can no longer attack my server directly.”

Once you have the new server IP address, make sure you update the IP in your CloudFlare DNS Settings page.

With CloudFlare enabled for all web records, CloudFlare helps to mask the server IP address(es) so the attacker can not get the new IP address.



Step 11: Run email on separate server/service
Time: 60 minutes, Difficulty: High

If you are running your mail on the same server as your website, then the attacker can always find your origin server IP. To close this possible security gap, you can use an email service on a separate server than your website, whether through your hosting provider or an outside service (e.g., Google Apps).

For Mac users: You can run this command in Terminal to see what IP is being reported with your MX records: dig +short $(dig mx +short WEBSITE)

For example, if I was concerned about example.com, I would enter: dig +short $(dig mx +short example.com)

The output will be an IP address. This is the IP address that an attacker can always find. You want to make sure this IP address is different than the IP address for your web server. Otherwise, no matter how many times you change your web server, if your email is also on the same server, then the attacker can always find the new IP.

For PC users: You can run this command in command prompt to see what IP is being reported with your MX records: nslookup -q=mx WEBSITE

For example, if I was concerned about example.com, I would enter: nslookup -q=mx example.com

The output will be an IP address. This is the IP address that an attacker can always find. You want to make sure this IP address is different than the IP address for your web server. Otherwise, no matter how many times you change your web server, if your email is also on the same server, then the attacker can always find the new IP.



We hope the above information helps you defend yourself against a DDoS attack. If you are still having difficulties and would like to receive 24/7 phone support, you can upgrade to our Enterprise plan and speak with a Technical Support Engineer.




Other resources:
Can CloudFlare protect me against DDoS attacks?
What does “I’m Under Attack Mode” do?
CloudFlare advanced DDoS protection
How to report a DDoS attack to Law Enforcement

Still not finding what you need?

The CloudFlare team is here to help. 95% of questions can be answered using the search tool, but if you can’t find what you need, submit a support request.