Understanding Cloudflare Under Attack mode (advanced DDOS protection)
Overview
Cloudflare Under Attack Mode performs additional security checks to help mitigate Layer 7 DDoS attacks. Validated users access your website and suspicious traffic is blocked. It is designed to be used as one of the last resorts when a zone is under attacked (and will temporarily pause access to your site and impact your site analytics).
When enabled, visitors receive an interstitial page.
The “Checking your browser before accessing…” challenge determines whether to block or allow a visitor within 5 seconds. After passing the challenge, the visitor does not observe another challenge until the duration configured in Challenge Passage, in Security > Settings.
Depending on your needs, there are a couple of possible configurations:
- Enable I’m Under Attack mode outright for the entire site:
- Log in to your Cloudflare account.
- Select the domain to protect.
- Navigate to Security > Settings.
- Under Security Level, select I’m Under Attack!.
- Enable I’m Under Attack mode for specific web pages or sections of your site using a page rule.
- Conversely, use a page rule to disable I’m Under Attack mode (by setting Security Level to Off) for areas of your site broken by I’m Under Attack mode or known to not be attacked.
- Enable I’m Under Attack mode (or other challenges) for specific ASNs (hosts/ISPs that own IP addresses — for example, Amazon has an ASN, Cloudflare has an ASN, Comcast has an ASN, etc.; this is useful if a majority of attack traffic comes from a specific host), countries, or IP ranges using IP Access Rules.