Respond to DDoS attacks
Cloudflare's network automatically mitigates large DDoS attacks, but these attacks can still affect your application.
All customers should perform the following steps to better secure their application:
-
Make sure all DDoS managed rulesets are set to default settings (High sensitivity level and mitigation actions) for optimal DDoS activation.
-
Deploy WAF custom rules and rate limiting rules to enforce a combined positive and negative security model. Reduce the traffic allowed to your website based on your known usage.
-
Make sure your origin is not exposed to the public Internet, meaning that access is only possible from Cloudflare IP addresses. As an extra security precaution, we recommend contacting your hosting provider and requesting new origin server IPs if they have been targeted directly in the past.
-
If you have Managed IP Lists or Bot Management, consider using these in WAF custom rules.
-
Enable caching as much as possible to reduce the strain on your origin servers, and when using Workers, avoid overwhelming your origin server with more subrequests than necessary.
To help counter attack randomization, Cloudflare recommends to update your cache settings to exclude the query string as a cache key. When the query string is excluded as a cache key, Cloudflare's cache will take in unmitigated attack requests instead of forwarding them to the origin. The cache can be a useful mechanism as part of a multilayered security posture.
In addition to the steps for all customers, Cloudflare Enterprise customers subscribed to the Advanced DDoS Protection service should consider enabling Adaptive DDoS Protection, which mitigates attacks more intelligently based on your unique traffic patterns.