Cloudflare is a company that provides content delivery network (CDN) and distributed DNS services by acting as a reverse proxy for websites. Cloudflare’s free and paid services can be used to improve the security, speed, and availability of a website in a variety of ways.
In this tutorial, you will learn how to use Cloudflare’s free tier service to protect your web servers against ongoing HTTP-based distributed denial of service (DDoS) attacks by enabling “I’m Under Attack Mode”. This security mode can mitigate DDoS attacks by presenting an interstitial page to verify the legitimacy of a connection before passing it to your web server.
This tutorial assumes that you have the following:
You must also sign up for a Cloudflare account before continuing.
Note: This tutorial will require the use of Cloudflare’s name servers.
Before using any of Cloudflare’s features, you must configure your domain to use Cloudflare’s DNS.
If you haven’t already done so, log in to Cloudflare.
After logging in, you will be taken to the Get Started with Cloudflare page. Here, you must click the Add site button at the top to add your website to Cloudflare:
Enter the domain name that you want to use Cloudflare with and click the Add Site button. You should be taken to a page that looks like this:
In this tutorial, we will select the Free plan option. If you want to pay for a different plan because you want additional Cloudflare features, feel free to do so. Then, click the Continue button.
The next page shows the results of the DNS record scan for your site. Be sure that all of your existing DNS records are present, as these are the records that Cloudflare will use to resolve requests to your domain. In our example, we used flippeddev.com
as the domain:
Note that, for your A and CNAME records that point to your web server(s), the Status column should have an orange cloud with an arrow going through it. This indicates that the traffic will flow through Cloudflare’s reverse proxy before hitting your server(s).
The next page will display name servers that need to be removed and the Cloudflare name servers that should be added. Here is an example of what the page might look like:
To change your domain’s nameservers, log in to your domain registrar control panel and make the DNS changes that Cloudflare presented. For example, if you purchased your domain through a registrar like Google or NameCheap, you will need to log into the appropriate registrar’s control panel and make the changes there.
The process varies based on your particular domain registrar. If you can’t figure out how to do this, it is similar to the process described in How to Point to DigitalOcean Nameservers From Common Domain Registrars except you will use the Cloudflare nameservers instead of DigitalOcean’s.
In the example case, the domain is using DigitalOcean’s nameservers and we need to update it to use Cloudflare’s DNS.
When you are finished changing your nameservers, click the Continue button. It can take up to 24 hours for the nameservers to switch but it usually only takes several minutes.
Because updating nameservers takes an unpredictable amount of time, it is likely that you will see this page next:
The Pending status means that Cloudflare is waiting for the nameservers to update to the ones that it prescribed (e.g. olga.ns.Cloudflare.com
and rob.ns.Cloudflare.com
). If you changed your domain’s nameservers, all you have to do is wait and check back later for an Active status. If you click the Recheck Nameservers button or navigate to the Cloudflare dashboard, it will check if the nameservers have updated.
Once the nameservers update, your domain will be using Cloudflare’s DNS and you will see it has an Active status.
This means that Cloudflare is acting as a reverse proxy to your website, and you have access to whichever features are available to the pricing tier that you signed up for. If you’re using the free tier, as we are in this tutorial, you will have access to some of the features that can improve your site’s security, speed, and availability.
We won’t cover all of the features in this tutorial, as we are focusing on mitigating ongoing DDoS attacks, but they include CDN, SSL, static content caching, a firewall (before the traffic reaches your server), and traffic analytics tools.
Also note the Settings Summary, right below your domain will show your website’s current security level (medium by default) and some other information.
Before continuing, to get the most out of Cloudflare, you will want to follow this guide: Recommended First Steps for All Cloudflare Users. This is important to ensure that Cloudflare will allow legitimate connections from services that you want to allow, and so that your web server logs will show the original visitor IP addresses (instead of Cloudflare’s reverse proxy IP addresses).
Once you’re all set up, let’s take a look at the I’m Under Attack Mode setting in the Cloudflare firewall.
By default, Cloudflare’s firewall security is set to Medium. This offers some protection against visitors who are rated as a moderate threat by presenting them with a challenge page before allowing them to continue to your site. However, if your site is the target of a DDoS attack, that may not be enough to keep your site operational. In this case, the I’m Under Attack Mode might be appropriate for you.
If you enable this mode, any visitor to your website will be presented with an interstitial page that performs some browser checks and delays the visitor for about 5 seconds before passing them to your server. It will look something like this;
If the checks pass, the visitor will be allowed through to your website. The combination of preventing and delaying malicious visitors from connecting to your site is often enough to keep it up and running, even during a DDoS attack.
Note: Visitors to the site must have JavaScript and Cookies enabled to pass the interstitial page. If this isn’t acceptable, consider using the “High” firewall security setting instead.
Keep in mind that you only want to have I’m Under Attack Mode enabled when your site is the victim of a DDoS attack. Otherwise, it should be turned off so it does not delay normal users from accessing your website for no reason.
If you want enable I’m Under Attack Mode, the easiest way is to go to the Cloudflare Overview page (the default page) and toggle it on in the right sidebar:
The security settings will immediately switch to I’m Under Attack status. Now, any visitors to your site will be presented with the Cloudflare interstitial page that was described above.
As the I’m Under Attack Mode should only be used during DDoS emergencies, you should disable it if you aren’t under attack. To do so, go to the Cloudflare Overview page, and it back off. This will open a modal like this:
Then select the security level that you would like to switch to. The default and generally recommended, mode is Medium. Your site should revert back to an Active status, and the DDoS protection page will be disabled.
Now that your website is using Cloudflare, you have another tool to easily protect it against HTTP-based DDoS attacks. There are also a variety of other tools that Cloudflare provides that you may be interested in setting up, like free SSL certificates. As such, it is recommended that you explore the options and see what is useful to you.
You can learn more about using Cloudflare to protect your sites with our How To Host a Website Using Cloudflare and Nginx on Ubuntu 22.04 tutorial.
Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
This comment has been deleted
Hi Mitchell, Nice tutorial. One of my friend added his website on CloudFlare, but it is making some error.
Any professional advice how to resolve this problem.
What’s the error?
I’d highly recommend you remove the wildcard * record as it will leak out the origin server IP, as you don’t have the option of an orange cloud (proxy on) for wildcard records:
Hi Marty,
that’s a really good tip :) should really be corrected in the post.
You’re absolutely right! Including a wildcard
*
record with Cloudflare can indeed expose the origin IP, as wildcard DNS records don’t get the same protection (like the orange cloud proxy) that standard records do. This can allow attackers to bypass Cloudflare’s defenses and access the server directly.Thanks for pinpointing this!
Hey Mitchell, thanks for the Tutorial. I have a little Problem. I’ve added the nameserver 2 weeks ago correctly to my website(panel), but cloudflare still say “Status: Pending”. What could be the Problem there?
If your Cloudflare account shows a “Status: Pending” message after adding your nameservers, here are some potential issues and solutions to consider:
Propagation Delay: DNS changes can take up to 48 hours to propagate. Since it’s been two weeks, this is likely not the issue, but it’s always worth checking.
Nameserver Configuration: Ensure that you have correctly set the Cloudflare nameservers at your domain registrar. Double-check the following:
Domain Registrar Issues: Sometimes, the registrar may have issues applying the nameserver changes. Log in to your registrar’s account and verify:
Domain Status: Ensure that your domain is not locked or has any other status issues (such as being suspended or on hold). Check for any notifications from your registrar regarding the domain’s status.
DNSSEC Settings: If you have DNSSEC enabled on your domain, it may conflict with the nameserver change. Either disable DNSSEC or ensure it is correctly configured for Cloudflare’s nameservers.
Cloudflare Support: If everything appears correct on your end, it may be beneficial to reach out to Cloudflare support. They can provide insights into why the status is pending and if there are any specific issues with your account or domain.
Using the Correct Domain: Verify that you are checking the correct domain in your Cloudflare account, especially if you manage multiple domains.
Checking WHOIS Information: Use a WHOIS lookup tool to check the current nameservers associated with your domain. If the nameservers listed there do not match Cloudflare’s, the changes may not have been applied correctly.
If you address these points and still see “Pending,” contacting Cloudflare support is the best next step to resolve the issue.
Regards
Hi, Recently i received a huge bot attack on my website. And cloudflare did not even bat an eye, or give me any notifications. My CPU consumption went upto 100% and it broke my website. The “im under attack mode” did not do any good.
The attack basically used a lot of my php-fpm service, and it crashed. Is there any other service, or program that you can recommend?
PS - i dont use wordpress, but do use php
I’m sorry to hear about the issues you’ve experienced with your website. Bot attacks can be incredibly frustrating, especially when the protections in place don’t seem to work as expected. Here are some alternative solutions and best practices to help mitigate future attacks:
Rate Limiting: Implement rate limiting on your server to restrict the number of requests a single IP can make in a given timeframe. This can be done using web server configurations like Nginx or Apache.
Web Application Firewall (WAF): Consider using a WAF to filter and monitor HTTP traffic to and from your web application. Solutions like ModSecurity (for Apache and Nginx) or cloud-based WAFs from providers like Sucuri, Imperva, or F5 can help block malicious traffic before it reaches your server.
IP Blocking: Use firewall rules to block specific IPs or ranges known for malicious activity. If you notice repeated requests from certain IPs during an attack, you can temporarily block them.
Bot Management Solutions: Implement solutions specifically designed for bot detection and mitigation, such as Distil Networks or PerimeterX. These services can help differentiate between legitimate users and bots, providing more granular control.
Application Performance Monitoring (APM): Use APM tools like New Relic, Datadog, or AppDynamics to monitor your application’s performance in real-time. This can help you identify and react to issues like high CPU usage before they lead to crashes.
Optimize Your PHP Code: Analyze your PHP code for performance issues. Implement caching strategies (using OPcache, Redis, or Memcached) to reduce the load on your PHP-FPM service.
Scaling Resources: Depending on your hosting setup, consider increasing your server resources (CPU, memory) temporarily during attacks or switching to a hosting provider that offers better auto-scaling capabilities.
Traffic Analysis Tools: Tools like Google Analytics and server logs can help you identify traffic patterns, enabling you to better understand the nature of the attacks and how to block them effectively.
Content Delivery Network (CDN): Using a CDN can offload traffic from your origin server, distributing the load across a network of servers. This can help mitigate the impact of sudden traffic spikes.
Regular Security Audits: Regularly review your server’s security configuration and make necessary updates to keep up with best practices.
Combining these approaches can significantly enhance your website’s resilience against bot attacks. Additionally, always keep your server software, libraries, and dependencies up to date to minimize vulnerabilities.
Regards
There where so restrictions that had us back away from CloudFlare. If I recall correctly there are limits on what certificates are allowed and the level of protection with some items we wanted restricted to the $2400+/yr plans.
While the free plan offers robust DDoS protection, higher-tier plans, such as Business and Enterprise, provide additional features like advanced rate limiting, tailored rulesets, and flexible threat prevention. These plans are designed for organizations with more complex security needs.
Regards
Apart from the recent “CloudBleed” controversy, this CF thing has been a terrible solution since its inception. I tried it a few years ago. My own traffic, and those of known friends, was being flagged as malicious. To get to my humble site with just about 50 unique visitors a week, CF showed “verify yourself” nonsense.
I think DO needs to invest in a proper DDOS protection like Vultr etc. Otherwise it’s quickly becoming a less attractive service.
Heya,
Our DDoS Protection is a free, always-on service that safeguards your DigitalOcean cloud resources from a range of generalized, network-layer DDoS attacks to help ensure your apps & websites run without disruption.
You can find more information here:
https://www.digitalocean.com/products/ddos-protection
flare offers robust DDoS protection with a global network, capable of mitigating large-scale attacks across various OSI layers. Their service is known for handling high-volume attacks effectively, with automatic mitigation typically occurring within seconds.
Regards
Hi Mitchell,
Would anything else need to be done if I have multiple (2) subdomains under digital ocean?
If you have multiple subdomains under DigitalOcean and are using Cloudflare, each subdomain (or its respective DNS record) needs to be correctly configured in Cloudflare to benefit from Cloudflare’s protection and proxy features.
Regards
Use the Cloudflare API to automatically turn this feature off to remove attack embankments. A simple script shell provided on linux can work well
Yes, using the Cloudflare API is a great way to automate security settings and dynamically respond to attack conditions. Here’s a basic shell script to toggle “Under Attack” mode with the Cloudflare API. This script can be used to enable or disable the mode based on your server’s conditions, for example, if you detect unusual traffic.
Regards
Uh no, Don’t use cloudflare, its the most unreliable service ever And it is more bypassable than actual ddos integrated protection itself Yes Cloudflare helps proxy the actual main ip However it does not defend things very well. Their DDOS Protection fails consistently sometimes
If you’re looking for robust DDoS protection, consider dedicated providers. These services offer more customizable protection, tailored to higher traffic and more complex threats, although they are typically more expensive.
On the other hand, combining Cloudflare with server-side hardening can add layers of protection:
Cloudflare has its advantages, particularly for smaller-scale protection needs, but for higher assurance, dedicated services and local server security adjustments might be more effective.
Regards