Respond to DDoS attacks
Cloudflare’s network automatically mitigates large, but these attacks can still affect your application.
All customers should perform the following steps to better secure their application:
- Make sure all are set to default settings (High sensitivity level and mitigation actions) for optimal DDoS activation.
- Deploy and to enforce a combined positive and negative security model. Reduce the traffic allowed to your website based on your known usage.
- Make sure your origin is not exposed to the public Internet, meaning that access is only possible from . As an extra security precaution, we recommend contacting your hosting provider and requesting new origin server IPs if they have been targeted directly in the past.
- If you have or , consider using these in WAF custom rules.
- Enable as much as possible to reduce the strain on your origin servers, and when using , avoid overwhelming your origin server with more subrequests than necessary.
In addition to the steps for all customers, Cloudflare Enterprise customers subscribed to the Advanced DDoS Protection service should consider enabling , which mitigates attacks more intelligently based on your unique traffic patterns.