Responding to DDoS attacks
Overview
Cloudflare’s network automatically mitigates very large DDoS attacks. Caching your content at Cloudflare also protects your website against small DDoS attacks, but uncached assets may require additional manual intervention steps provided in this guide.
The steps below won’t help if an attacker learned your origin IP address and is directly attacking your origin web server (bypassing Cloudflare). For details, refer to Understanding Cloudflare DDoS protection.
Step 1: Enable Under Attack Mode
To activate Under Attack Mode:
- Log in to your Cloudflare account.
- Select the domain currently under attack.
- Toggle Under Attack Mode to On within the Quick Actions section of the Cloudflare Overview app.
- (Optional) Adjust Challenge Passage within Security > Settings.
Step 2: Enable WAF managed rules
Enable WAF managed rules.
If you have access to the new Cloudflare WAF announced in March 2021, deploy WAF Managed Rulesets instead.
Step 3: Challenge or block traffic via Security
Under Security, you can block traffic via the following methods:
- IP Access Rules - Recommended for blocking multiple IP addresses, /16 or /24 IP ranges, or Autonomous System Numbers (ASNs).
- Firewall rules - Recommended for blocking a country, any valid IP range, or more complex attack patterns.
- Zone Lockdown - Recommended to allow only trusted IP addresses or ranges to a portion of your site.
- User Agent Blocking - Recommended for blocking suspicious User-Agent headers for your entire domain.
To decide which country or IPs to block or challenge, check your log files. Contact your hosting provider to help identify:
- the attack traffic reaching your origin web server,
- the resources being accessed by the attack, and
- common characteristics of the attack (IP addresses, User Agents, countries, ASNs, etc.).
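As an added example (not part of Cloudflare's documentation), this Python script aggregates origin access-log lines by source IP, /24 range, path and User-Agent, the characteristics listed above, and reports which ranges and agents dominate the traffic and are therefore candidates for IP Access Rules or User Agent Blocking. The combined log format, the sample entries and the 50% share threshold are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; scanner/1.0)"
203.0.113.11 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; scanner/1.0)"
203.0.113.12 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; scanner/1.0)"
203.0.113.13 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; scanner/1.0)"
198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0"
198.51.100.9 - - [10/Oct/2023:13:55:39 +0000] "GET /search?q=a HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux) Chrome/117.0"
"""

# Assumed combined log layout: ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_log(text):
    """Yield (ip, path, user_agent) for every well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ip"), m.group("path"), m.group("ua")

def summarize(text):
    """Count requests by source IP, enclosing /24, request path (query stripped) and User-Agent."""
    ips, nets, paths, uas = Counter(), Counter(), Counter(), Counter()
    total = 0
    for ip, path, ua in parse_log(text):
        total += 1
        ips[ip] += 1
        nets[str(ip_network(f"{ip}/24", strict=False))] += 1
        paths[path.split("?", 1)[0]] += 1
        uas[ua] += 1
    return {"total": total, "ips": ips, "nets": nets, "paths": paths, "uas": uas}

def candidates(summary, share=0.5):
    """Return /24 ranges and User-Agents responsible for at least `share` of all requests.
    Ranges map to IP Access Rules; User-Agents map to User Agent Blocking."""
    total = summary["total"] or 1
    ranges = [n for n, c in summary["nets"].most_common() if c / total >= share]
    agents = [u for u, c in summary["uas"].most_common() if c / total >= share]
    return {"ip_ranges": ranges, "user_agents": agents}

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("top paths:", s["paths"].most_common(3))
    print("block candidates:", candidates(s))
```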
Step 4: Mitigate DDoS Ransom Campaigns
It is common for ransomers to threaten DDoS attacks, even when a customer is using Cloudflare. If you are targeted by ransomers, the following tips help ensure your origin server is prepared to handle excess requests.
Mitigating DDoS Ransom Campaigns
It is very common for ransom attempts to instill a sense of urgency. Any delay decreases the chance of success for the attacker as it gives the target time to consider mitigation options. The most important thing to keep in mind is that if you suspect your site is being targeted for a ransom, contact Cloudflare support first. Do not pay the ransom.
The following table lists mitigation options for DDoS ransom campaigns:
Action | Justification |
---|---|
Don’t Pay | It’s best not to pay the ransom. If paid, the ransomer knows they have found a valuable target and may periodically return to collect another payment. Ransomers tend to introduce themselves as security researchers who have found a vulnerability. This will, understandably, increase the response rate of website owners, as it is not immediately clear that they are about to be ransomed. If at all possible, don’t respond to the ransom at all, and instead contact Cloudflare support. |
Disable Privacy Pass Support | In several reports, attackers claim to exploit Privacy Pass. This is not so much a vulnerability in Privacy Pass, but a side effect of how Privacy Pass interacts with other Cloudflare features. Disable Privacy Pass Support if a flood of requests with Privacy Pass tokens attached is expected. |
Enable I’m Under Attack Mode (IUAM)! | IUAM is designed to help mitigate attacks and generally increase a zone’s security, so it’s a good idea during several types of attacks. |
Enable Rate Limiting | Some DDoS attacks are effective at low rates because the attacker targets an endpoint which they have discovered to be uncachable and computationally expensive for the origin server. If an origin server normally receives a dozen or so logins each second and suddenly receives thousands per second, this can result in degraded performance and will likely result in an increased bill for cloud service. Rate Limiting works well against simple single-origin DoS and small botnets, and it may prevent the attacks from persisting for a long period of time. It can also help drop floods to the origin, but its efficacy may be limited for very weak origin servers. |
Configure more aggressive caching | Caching your content at Cloudflare also protects your website against small DDoS attacks, but uncached assets may require additional manual intervention steps provided above. |
Step 5: Contact Cloudflare Support
If you are unable to stop an attack from overloading your origin web server when utilizing the steps above, contact Cloudflare Support for assistance and provide the following details:
- Timestamp (UTC) - time range of the attack
- ZoneName/ZoneID - domain/path which is being targeted
- Attack frequency
- Steps to reproduce the issue, with actual results vs expected results
- Any additional info like site URLs, error messages, screenshots, or relevant logs from your origin web server