Learn how Cloudflare protects against DDoS attacks and how to identify if your website is under attack.

Overview

A Distributed Denial of Service attack (DDoS) seeks to make an online service unavailable to its end users.  For all plan types, Cloudflare provides unmetered mitigation of DDoS attacks at Layer 3, 4, and 7. Cloudflare does not bill by attack size and does not have a cap on attack size, type, or duration.

Cloudflare's network is built to automatically monitor and mitigate large DDoS attacks. Caching your content at Cloudflare also protects your website against small DDoS attacks, but uncached assets require additional manual response to DDoS attack. Additionally, Cloudflare helps mitigate smaller DDoS attacks for domains on any plan if:

• The HTTP 5XX error rate is above 150 errors per second, and 
• The current error rate is at least five times the average error rate from the past 7 days. 

All HTTP errors in the 5XX range (Internal Server Error) are considered when factoring in the error rate except for errors 500, 503 and 530. Errors 530 are exempted as they are returned along with a 1xxx error. Error 530 does not represent origin failing due to HTTP flood, this is typically a DNS misconfiguration.

Mitigations of HTTP floods are shown in the Firewall analytics dashboard as HTTP DDoS events. These events are also available via Cloudflare Logs.

Currently, for DDoS mitigations based on HTTP error rate, customers cannot: 

• disable the mitigations,
• change mitigation thresholds, or 
• exclude specific HTTP error codes.

Learn more about Famous DDoS Attacks and DDoS at the Cloudflare Learning Center. You can also review DDoS case studies in the related resources section at the end of this article.

Determine if you are under DDoS attack

Common signs that you are under DDoS attack include:

• Your site is offline or slow to respond to requests.
• There are unexpected spikes in the graph of Requests Through Cloudflare or Bandwidth in your Cloudflare Analytics app.
• There are strange requests in your origin web server logs that don’t match normal visitor behavior.

Is Cloudflare attacking me?

There are two common scenarios where Cloudflare is falsely perceived to attack your site:

• Unless you restore the original visitor IP addresses, Cloudflare IP addresses appear in your server logs for all proxied requests.
• The attacker is spoofing Cloudflare's IPs. Cloudflare only sends traffic to your origin web server over a few specific ports unless you use Cloudflare Spectrum.

Ideally, because Cloudflare is a reverse proxy, your hosting provider observes attack traffic connecting from Cloudflare IP addresses. In contrast, if you see connections from IP addresses that do not belong to Cloudflare, the attack is direct to your origin web server. Cloudflare cannot stop attacks directly to your origin IP address because the traffic bypasses Cloudflare’s network.

Related resources

• Responding to DDoS attacks
• Best Practices: DDoS preventative measures
• Using Cloudflare Logs to investigate DDoS traffic (Enterprise Only)
• What is a DDoS attack?
• How DNS Amplification Attacks Work

Case Studies:

• How to Launch a 65Gbps DDoS, and How to Stop One
• Ceasefires Don't End Cyberwars
• Reflections on reflection (attacks)
• Stupidly Simple DDoS Protocol (SSDP) generates 100 Gbps DDoS
• Memcrashed - Major amplification attacks from UDP port 11211
• The real cause of large DDoS - IP Spoofing