Best practices: DDoS preventative measures

​​ Overview

Ensure your site is fully prepared for possible DDoS attacks via the recommendations below.

​​ Handle a false positive

Refer to our guide on DDoS false positive for further details.

​​ Handle a false negative or an incomplete mitigation

Refer to our guide on DDoS false negative for further details.

​​ Proxy your DNS records to Cloudflare

Attackers attempt to identify your origin IP address to directly attack your origin web server without Cloudflare’s protections. Hide your origin IP address from direct attack by proxying traffic to Cloudflare.

Set your DNS records for maximum protection via the following steps:

1. Enable the Cloudflare proxy (orange-cloud) Open external link
2. Remove DNS records used for FTP or SSH and instead use your origin IP to directly perform FTP or SSH requests. Alternatively, proxy FTP and SSH via Cloudflare Spectrum.
3. Grey-cloud A, AAAA, or CNAME records corresponding to your mail server Open external link
4. Remove wildcard records within Free, Pro, or Business domains because they expose your origin IP address. Cloudflare only protects wildcard records for domains on Enterprise plans Open external link .

​​ Managing attacks bypassing Cloudflare and do not limit or throttle requests from Cloudflare IPs

1. It is important that your origin web server  allowlist Cloudflare IPs Open external link Open external link  and explicitly blocks traffic not from Cloudflare or your trusted partner, vendor, or application IP addresses.
2. Block port 80 at your origin and enforce using HTTPS traffic by enabling the “Always use HTTPS” feature within the Edge Certificates tab of the Cloudflare SSL/TLS app or  via the Page Rules app Open external link .
3. Enable the feature Authenticated Origin Pull Open external link as this will only accept requests from Cloudflare.

​​ Restore original visitor IPs in your origin server logs

To review the real IPs behind an attack,  restore the original visitor IPs Open external link  in your origin server logs. Otherwise, all traffic lists Cloudflare’s IPs in your logs. Cloudflare always includes the original visitor IP address in the request,  as an HTTP header. Open external link  Inform your hosting provider that you use a reverse proxy and that all traffic will come from Cloudflare’s IPs when looking at current connections.

​​ Change server IP addresses after moving site to Cloudflare

Cloudflare hides your origin server IP addresses for traffic you proxy to Cloudflare. As an extra security precaution, we recommend contacting your hosting provider and requesting new origin server IPs.

​​ Use Rate Limiting to prevent brute force and Layer 7 DDoS attacks

To thwart attacks disguised as normal HTTP requests, Rate Limiting allows website administrators to specify fine-grained thresholds on the load they expect their web server to receive. With one simple click, setup basic rate limiting to  protect your login pages from brute force attacks Open external link .

Cloudflare Free, Pro, and Business plans include 10,000 free requests per month. Refer to our guide on  Cloudflare Rate Limiting Open external link  for further details.

​​ Related resources

• Cloudflare DDoS Protection Developers Guide
• Understanding Cloudflare DDOS protection Open external link
• Responding to DDoS attacks Open external link
• What is a DDoS attack? Open external link