DDOS protection do not block flooders

Hello everyone,

Lately I have faced some flood attacks which bypass cache and DDOS protection.
The attacker used urls with random query params, like 40k requests in 30 minutes.
I use WordPress and cannot effectively cache or strip query params without affecting functionality.

Please advice, how to protect my site? Why DDOS protection didn’t work?

Thank you!

Hey! Thanks for creating a post here in the Cloudflare Community - we will do our best to help :slightly_smiling_face:

That’s the issue. 40,000 requests in 30 minutes amounts to only around 22 requests per second, which can hardly be considered a DDoS attack. From my experience, DDoS protection kicks in at a few thousand requests per second.

Could you please give an example URL where search parameters are required? It might be possible to create a URL rewrite rule that helps prevent cache busting.


Only URLs like these works to visitors /?term=elementor. It’s a one-page site.

So, is the only valid query /?term=elementor? Or is any term valid (e.g. /?term=something-else)?

There are many terms so any is valid.

Can you follow this guide and let us know with any question you have afterwards? Providing us as much information as possible is critical to help understand the attack better, the only pattern we know so far is that it attacks random paths/queries of your site.

1 Like

Great tutorial! Thank you all!

It seems I have my answer.

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.