Understanding Cloudflare DDoS protection

​​ Overview

A  Distributed Denial of Service attack Open external link  (DDoS) seeks to make an online service unavailable to its end users.  For all plan types, Cloudflare provides unmetered mitigation of DDoS attacks at Layer 3, 4, and 7. Cloudflare does not bill by attack size and does not have a cap on attack size, type, or duration.

Cloudflare’s network is built to automatically monitor and mitigate large  DDoS attacks Open external link . Caching your content at Cloudflare also protects your website against small DDoS attacks, but uncached assets require additional manual response to DDoS attacks Open external link .

Additionally, Cloudflare helps mitigate smaller DDoS attacks:

• For zones on any plan, when the HTTP error rate is above the High (default) sensitivity level of 1,000 errors-per-second rate threshold. You can decrease the sensitivity level by configuring the HTTP DDoS Attack Protection Managed Ruleset.
• For zones on Pro, Business and Enterprise plans, Cloudflare performs an additional check for better detection accuracy: the errors-per-second rate must also be at least five times the normal origin traffic levels.

Cloudflare determines the error rate based on all HTTP errors in the 52X range (Internal Server Error) and in the 53X range, except for error 530 Open external link .

Mitigations of HTTP DDoS attacks are shown in the Security Events dashboard as HTTP DDoS events. These events are also available via Cloudflare Logs.

Currently, for DDoS mitigations based on HTTP error rate, customers cannot exclude specific HTTP error codes.

Learn more about  Famous DDoS Attacks Open external link  and  DDoS Open external link  at the Cloudflare Learning Center. You can also review DDoS case studies in the related resources section at the end of this article.

​​ The Cloudflare HTTP DDoS Attack Protection Managed Ruleset

The Cloudflare HTTP DDoS Attack Protection Managed Ruleset is a set of pre-configured rules used to match known attack patterns, known attack tools, suspicious patterns, protocol violations, requests causing large amounts of origin errors, excessive traffic hitting the origin/cache, and additional attack vectors at the application layer on the edge. The ruleset is available for Cloudflare customers on all plans and is enabled by default.

If you are expecting large spikes of legitimate traffic, consider customizing your DDoS protection settings to avoid false positives, where legitimate traffic is falsely identified as attack traffic and blocked/challenged.

Learn more about the Cloudflare HTTP DDoS Attack Protection Managed Ruleset and the available configuration settings in the Cloudflare Developers portal.

For more information on the actions applied by HTTP DDoS attack protection systems, refer to HTTP DDoS Attack Protection parameters: Action.

​​ The Cloudflare Network-layer DDoS Attack Protection Managed Ruleset

The Cloudflare Network-layer DDoS Attack Protection Managed Ruleset is a set of pre-configured rules used to match known DDoS attack vectors at levels 3 and 4 of the OSI model. The ruleset is available for Cloudflare customers on all plans and is enabled by default.

Learn more about the Cloudflare Network-layer DDoS Attack Protection Managed Ruleset and the available configuration settings in the Cloudflare Developers portal.

For more information on the actions applied by L3/4 DDoS attack protection systems, refer to Network-layer DDoS Attack Protection parameters: Action.

​​ Determine if you are under DDoS attack

Common signs that you are under DDoS attack include:

• Your site is offline or slow to respond to requests.
• There are unexpected spikes in the graph of Requests Through Cloudflare or Bandwidth in your Cloudflare Analytics app.
• There are strange requests in your origin web server logs that don’t match normal visitor behavior.

​​ Is Cloudflare attacking me?

There are two common scenarios where Cloudflare is falsely perceived to attack your site:

• Unless you  restore the original visitor IP addresses Open external link , Cloudflare IP addresses appear in your server logs for all proxied requests.
• The attacker is spoofing Cloudflare’s IPs. Cloudflare only  sends traffic to your origin web server over a few specific ports Open external link  unless you use Cloudflare Spectrum.

Ideally, because Cloudflare is a reverse proxy, your hosting provider observes attack traffic connecting from  Cloudflare IP addresses Open external link . In contrast, if you notice connections from IP addresses that do not belong to Cloudflare, the attack is direct to your origin web server. Cloudflare cannot stop attacks directly to your origin IP address because the traffic bypasses Cloudflare’s network.

​​ Related resources

• Responding to DDoS attacks Open external link
• Best practices: DDoS preventative measures Open external link
• Using Cloudflare Logs to investigate DDoS traffic (Enterprise Only) Open external link
• What is a DDoS attack? Open external link
• How DNS Amplification Attacks Work Open external link

​​ Case Studies:

• How to Launch a 65Gbps DDoS, and How to Stop One Open external link
• Ceasefires Don’t End Cyberwars Open external link
• Reflections on reflection (attacks) Open external link
• Stupidly Simple DDoS Protocol (SSDP) generates 100 Gbps DDoS Open external link
• Memcrashed - Major amplification attacks from UDP port 11211 Open external link
• The real cause of large DDoS - IP Spoofing Open external link