
Cloudflare as anti-ddos...

Kainzo

Active member
#1
It seems that if I have Cloudflare enabled it changes all IPs incoming from all users to the Cloudflare IP.

Is there a way around this at all? It seems like it may be best used as an anti-DDoS switch rather than a permanent solution.

I saw the CDN tutorial but it didn't really have what I wanted because I'd greatly prefer this to be a permanent thing.
 

Kent

Active member
#5
You should enable it at the webserver level if possible, and disable access to the site from any IP but a CloudFlare IP, otherwise someone could fake their IP from that script.
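
The check described in the post above, as an added example that is not part of the original thread: a forwarded client address is honoured only when the TCP peer is inside a trusted proxy range, so a client connecting directly cannot fake its IP with a header. The function names, result labels and the ranges (RFC 5737 documentation nets standing in for Cloudflare's published list) are assumptions; `CF-Connecting-IP` is the header Cloudflare sets.

```python
import ipaddress

# Constructed placeholder ranges (RFC 5737 documentation nets). In production,
# load the ranges Cloudflare publishes and keep them current.
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("192.0.2.0/24", "198.51.100.0/24")]


def is_trusted_proxy(peer_addr, trusted=TRUSTED_PROXIES):
    """True if the TCP peer address falls inside a trusted proxy range."""
    try:
        peer = ipaddress.ip_address(peer_addr)
    except ValueError:
        return False
    return any(peer in net for net in trusted)


def resolve_client_ip(peer_addr, headers, trusted=TRUSTED_PROXIES):
    """Return (client_ip, how) for a request.

    peer_addr is the socket's remote address; headers is a dict of request
    headers. The header is believed only when the peer is a trusted proxy.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    claimed = lowered.get("cf-connecting-ip", "").strip()

    if not is_trusted_proxy(peer_addr, trusted):
        # Direct connection: anything in the header is attacker-controlled.
        return peer_addr, ("direct-header-ignored" if claimed else "direct")

    try:
        return str(ipaddress.ip_address(claimed)), "via-proxy"
    except ValueError:
        # Trusted proxy but missing or malformed header: fall back to the peer.
        return peer_addr, "via-proxy-bad-header"


if __name__ == "__main__":
    # Constructed sample requests: (peer address, headers)
    samples = [
        ("192.0.2.10", {"CF-Connecting-IP": "203.0.113.7"}),
        ("203.0.113.50", {"CF-Connecting-IP": "10.0.0.1"}),
        ("198.51.100.3", {"cf-connecting-ip": "not-an-ip"}),
    ]
    for peer, hdrs in samples:
        print(peer, hdrs, "->", resolve_client_ip(peer, hdrs))
```

Logging the `direct-header-ignored` case shows who is reaching the origin without going through the proxy; blocking those peers at the firewall is the other half of the advice in the post.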
 

Floren

Well-known member
#6
Just some notes, I had a "real" DDoS attack on one of my client servers and CloudFlare did jack. Kiddie scripts don't count. The only way I was able to stop the attack was with NetDefender, which costs an arm...
 

whyweprotest

Well-known member
#7
> Just some notes, I had a "real" DDoS attack on one of my client servers and CloudFlare did jack. Kiddie scripts don't count. The only way I was able to stop the attack was with NetDefender, which costs an arm...

Used to get DDoS several times a week, including attacks of more than 3m p/s. Since switching to Cloudflare we haven't had any DDoS-related downtime at all. Are you talking about an application-level denial of service? If so, look into the business account at 200/mo.
 

Floren

Well-known member
#8
> Used to get DDoS several times a week, including attacks of more than 3m p/s.

The attacks I was dealing with were scored in NetDefender at 10GB/sec. Somehow they resolved the Cloudflare IPs, don't ask me how, as in iptables I only had their IPs allowed. Obviously they are pros and it was over my knowledge. So I let it be handled by NetDefender.
 

whyweprotest

Well-known member
#9
> The attacks I was dealing with were scored in NetDefender at 10GB/sec. Somehow they resolved the Cloudflare IPs, don't ask me how, as in iptables I only had their IPs allowed. Obviously they are pros and it was over my knowledge. So I let it be handled by NetDefender.

Someone must have really had it in for that site then, 10Gb/s is close to 10m p/s. Bit puzzled, since if it were layer 7 that's massive. To my knowledge CF free and pro accounts, while not advertised as a mitigation service, can sustain quite the UDP/TCP/SYN slamming.