Cloudflare blocked a ddos attack

Hello, I have a question to ask you. Today, I received yet another DDoS attack, with 200k calls. In the security > events section, I noticed a peak of blue color, indicating that 180k calls were blocked. Please see the attached photo.
Now, here’s the question, why if Cloudflare blocked the attack, do I still see these spikes in traffic on my server?
If Cloudflare is blocking the attacks, how are they still reaching my server? Can someone please answer me? I’m a pro user, meaning I don’t have a free account.

What is the time and number of requests scale on your server? It’s possible those are an initial surge in queries in the time it takes Cloudflare to determine there is a DDoS (as opposed to just a valid spike in traffic), or requests that Cloudflare didn’t block within the larger scale of an attack.

1 Like

But wait, doesn’t Cloudflare handle everything on its server when there’s an attack? I thought this: Cloudflare receives the attack > verifies it > then passes it to my server. However, I find my server experiencing high spikes with each attack. My server has 16 vcores. I’d like to understand how Cloudflare’s logic works. Does it use my server to mitigate the attack? This would explain the CPU and incoming traffic spikes on my server.

The time scale on your graph isn’t clear, but if that 60 is just 60 (say a few hundred requests under your whole graph) that’s not a significant spike compared to the 200,000 requests Cloudflare blocked. It’s unlikely Cloudflare can block every single request from a DDoS, depending on the attack pattern.

Imagine the first request comes in, how can Cloudflare tell it’s a DDoS? How about after 10 requests? 100 requests? Perhaps that’s just the site being a bit busy. I’d say the DDoS protection kicked in very well here.

If you want to tighten things further, then check out this guide…


I just want to understand the logic, that’s all. And I’ll repeat the question: if Cloudflare blocks 200k requests, with 964 interactive checks and 407 managed checks, what gets through to my server? So, the question arises: does Cloudflare use my server to mitigate the attack or does it use its own? I really don’t understand. If it uses its own, I shouldn’t receive those spikes, because even managed checks prompt a captcha that blocks IPs, same with interactive checks. I’m confused, and no one seems to be able to provide a solution or an answer.

I’ve read that guide, and it’s off-topic with my question.

0-1300 requests would reach your server, depending on if the challenges were solved by a human - if they were from a DDoS, likely none of those would get through.

If determined to be a DDoS request, Cloudflare blocks the requests at the PoP that the request arrived at (anycast routing makes that work). Obviously it won’t send the request on to your server as that would make the protection useless.

You can read more here…


This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.