Can I combine DDoS protection from my provider with Cloudflare


#1

I know that Cloudflare currently offer CF-Connecting-IP and X-Forwarded-For headers to get the real IP address of the clients accessing a server proxied by Cloudflare (Orange Cloud) and I can install a module on my webserver to get these headers automatically:

What I want to know is:
If I’m hosting my website on a Cloud provider, like for example OVH, they actually offer DDoS protection, what will happen if all the IP addresses they are getting come from the Cloudflare anycast IP range? Is it possible to get Cloudflare IPs blocked by the DDoS protection of a Cloud provider?

----EDIT
I just see that we can configure OVH external firewall and whitelist all the Cloudflare IP range. Does it prevent their DDoS protection from blocking Cloudflare requests?
There are some cloud providers that doesn’t offer a tool to manage the external firewall, should I avoid those providers if I intend to use Cloudflare as my CDN?

----EDIT2
I’m thinking:
If I whitelist all the IPs from Cloudflare on my cloud provider external firewall I’m actually disabling their DDoS protection and relaying only on Cloudflare’s protection. So my conclusion is that it is not possible to combine those two DDoS protection mechanisms. Am I wrong?


#2

It depends on what their DDoS protection is doing and how it is structured. For layer 3 & 4 attacks I can’t think of any value a DDoS solution sitting behind Cloudflare could provide. as we’d block those at our edge. Cloudflare can also block the visitor IPs of bad actors before they got to OVH… and unless they can read the x-forwarded for or another property to determine whether to block an IP they won’t be able to block traffic coming through Cloudflare’s edge. Most IP firewalls (including ours) don’t look at anything other than source IP when making a determination… and since can block it at our edge, there’s no defense in depth advantage.

So are there specific features related to DDoS that they have which we don’t? There are definitely places where a defense in depth strategy can make sense but for the most part layer 3/4 is not one of them.


#3

Thank you for your answer.

You are right, layers 3 and 4 attacks are all blocked on Cloudflare side, I didn’t think about it before.

I’m just learning about this matter and from what I read basically the most common types of DDoS attacks are layers 3, 4 and 7. With the 3 and 4 layer containing all attacks that happen at the network protocol and transport level, and 7 at the presentation layer.

Thank you for clarify this question for me. I think you answered my doubt.


#4

Yeah layer 7 is usually something like get flood requests where they are requesting a legitimate page over and over or something which a WAF would block such as a request which tries to perform a a SQL injection.

In those instances you can use a defense in depth strategy, but if the second layer firewall can’t distinguish the visitor IP then you’d want to make sure it blocks the request, but doesn’t blacklist the Cloudflare IP.