1. Network
  2. Security

Combating DDoS with free Cloudflare account

From time to time our customers face DDoS attacks and one of the mitigation tools we use is Cloudflare. We have already described basic anti-DDoS settings in our previous article, but since then Cloudflare modified functionality of free accounts and it’s time to re-visit this topic.

Initial configuration

There are few things to keep in mind before you start your fight against the DDoS attack. First, we need to prepare the ground.

DNS Leak

Make sure you DNS are not leaking your source server IP and all records are in Proxy mode. If your server IP is known to the attackers, they will be able to attack it directly by-passing Cloudflare.

enable proxy cloudflare
Proxied record marked green

I have to say in advance that if your emails are hosted on the same server, Cloudflare reveals the IP in order for emails to work. So either your email records should be turned off or ideally emails should be hosted separately.

If prior to attack, Cloudflare proxying was disabled, most likely the attacker already knows the IP and it’s better to ask your provider for an IP change before you enable the DDoS protection.

Combating the DDoS

There are several powerful tools available in free account which can stop almost any attack or at least discourage the attacker. Let’s revise them step by step. All the settings are located in the Security tab.

security settings cloudflare
Security settings in Cloudflare

1. Enable the DDoS protection

Navigate to “Security” > “Settings” and select “I’m under attack!” in the Security Level settings. See the image below.

enable ddos protection cloudflare
Enable “I’m Under Attack”

In the Challenge Passage you can define how long the visitor can view the website without additional captcha requests after successful initial Captcha verification.

2. DDoS Ruleset configuration

Navigate to DDoS settings if you want to create a custom override of blocking and challenging rules.

DDoS ruleset override

Here Cloudflare offers a managed pre-configured list of rules to filter malicious traffic. It is possible to override the settings of these rules if you want to create more or less aggressive traffic filtering.

ddos layer 7 ruleset
Layer7 rules configuration

Here you have several different options: – Ruleset action, choose what you want to do with requests matching the rule. Block, challenge, captcha or default. – Ruleset sensitivity, choose how aggressive will the rule be towards the suspicious requests.

Finally, you have Browse rules where you can review all traffic filtering rules and modify each and every of them. Most of them already pre-configured for the optimal performance.

3. Bot Fight Mode

The next feature is quite powerful. Most of the DDOS attacks are run from the botnets, from millions of unaware owners of infected computers. Cloudflare provides DNS for millions of websites and hundreds of them face DDoS attacks daily, thus it has ability to identify the IPs used in the botnets. Navigate to Bots and enable Bot Fight Mode, like it’s shown on the image below.

bot fight mode enable cloudflare
Enable Bot Fight Mode

4. WAF (Web Application Firewall)

We finally got to the most comprehensive tool available in Free account – WAF or Web Application Firewall. WAF consists of 4 tools: Firewall rules, Rate limiting rules, Managed rules and Tools. Managed rules are not available in free account. But the most powerful tool against attacks has recently become available for free. It’s Rate Limiting. But let’s go one by one.

web application firewall
Summary of WAF

Firewall rules. In free account we can create up to 5 firewall rules. What are these rules? This can be rule blocking requests from a certain countries, continents, requests to specific URLs, requests based on specific user agent and many many more. The most common is blocking specific countries, known botnets and more advanced – user-agents.

Firewall rules in WAF

Rate limiting rules. We have 1 rule available for free but it’s more than enough in the most cases. Rate limiting allows us to filter multiple requests sent from the same IP. Usually attackers send dozens or even hundreds of requests from same IP and when we identify these IPs and block, the attack degrades a lot.

See below for the example. We have set to block every IP with 5+ requests per 10 seconds. These are quite harsh settings. If the attack is not very strong, you can experiment with this value to avoid false positive blocks.

rate limiting cloudflare
Rate limiting configuration

Tools. Here you can set IP access rules. The rules can be applied either to one website or to whole Cloudflare account. This is just a handy tool to quickly block offending IPs.

5. Events

Events is a powerful tool for analyzing the traffic and detect similarities of the attacking requests.

Example of request in Events

Sometime attackers target certain URL of your website and you can spot and filter it. Sometimes attackers use same User agent and you can create a custom firewall rule for it. Or you can see majority of malicious requests from a few ASNs (network) and block them.

Combating an attack requires patience and experience. Many of the tools described here can be not very useful on its own, but if used together it adds up. DDoS mitigation is a methodical process, when you step by step identify the vector of attack and little by little close the door for the attackers. And we hope this beginners guides to combating the attack with free Cloudflare account will help you in this uneasy task.