DDoS Protection needs to be improved

Hey there

I want to give feedback about the DDoS Protection.

First of all, I’m a web developer from germany and lots of my customers are relying on Cloudflare. In general it works pretty well, cdn caches and the uptime is always fine.

But if we talk about DDoS and attackers who have high-end botnets, the protection is really useless. Those people knows exactly how to bypass Cloudflare in any way.

Customers settings:

  1. Cloudflare DDoS Protection is activated
  2. under attack mode is on
  3. Lots of countries are blocked from where the DDoS comes from
  4. Captcha / JS Challenge is active for everyone (firewall settings)

As far as I can see on my hosting, Cloudflare IP’s are coming through and ddosing the backend server. It’s like Cloudflare doesn’t even exist. There are also lots of paid services to bypass the hcaptcha and bots can pass. Or you can hire a ddos office in india with 100 real humans, who solves captcha 24/7. If a bot client waits up to 5 seconds, the js challenge will be gone, same for a solved captcha. And after that you have practically an open door for l7 attacks.

Cloudflare should add a captcha which cannot be bypassed. Automatic reactivation of human verification if e.g 10 requests per second came in (without having a paid rate-limiting activated). Other providers already have this rate-limiting like ovh or blazingfast for free and without any required configuration. I know that there are blind people who needs a “bypass” because they cannot solve the captcha. But it would be enough if Cloudflare adds a second captcha mode, where a bypass is not possible and that the website owner could decide between the captchas.

For very bad and dump ddos attacks, Cloudflare may work. But if someone really wants to take you down, it’s no problem if you have Cloudflare.

In the end Cloudflare is ddosing you:

If that was possible, someone would be a billionaire just for creating it.

If a human can do it, a bot can replicate it with enough time.

A captcha wouldn’t stop them anyways?

You get 10,000 free requests (valid) with Cloudflare’s rate-limiting.

The managed rulesets cover the vast majority of attacks, anything more and you should be investigating it & adding your own rules like in the below guides.

There’s the WAF Managed Rulesets, OWASP Rulesets, Rate Limiting, Firewall Rules, Security Level, Browser Integrity Check and a whole host of other features that are meant to operate in tandem - no single feature will stop all attacks for you.


Hi KianNH

it is really easy to implement a captcha which cannot be bypassed. The problem is just, that hcaptcha which will be used by Cloudflare, can be legitime bypassed. Same goes for recaptcha from google.

Regarding the “ddos office”, I know it sounds weird, but you can hire them to work for you. They resolve captchas and e.g for each resolved captcha per client, you can send multiple 100 requests per second. After the captcha is solved, Cloudflare does nothing.

In this case Cloudflare is just useless expect you buy rate-limiting which will maybe help but it’s not 100%. If you have a big botnet, you can still send thousands of requests per second which would go through the WAF.

One of my customers changed from Cloudflare to another service and the ddos has been stopped immediately. You told that you need multiple settings to stop ddos. But you just need a working human verification system. Others have already done this with success.

Your idea of ‘cannot be bypassed’ is likely ‘not bypassed by public tools’ - any captcha will be bypassed eventually.

And the aforementioned ‘cannot be bypassed’ captcha would do nothing against humans doing the captcha.

What does & doesn’t go through the WAF is up to your rules.

And if you get past this human verification system, what’s next? Your site goes down?

That’s why there’s multiple features available to you, security comes in layers and there is no single answer.


Those are pretty poor settings if you ask me :man_shrugging:

This exists for all captcha services.

This is wrong.

It doesn’t exist.

Relying on CAPTCHA or JS Challenges for complex attacks is foolish, it’s always been like that.
It’s not a weakness of Cloudflare, it’s something that affects all providers equally.

You can add bot management and further challenges to make it harder for attackers and it works well most of the time. At some point, if attacks go beyond normal complexity, you need to add rate limit, session inspection, and fingerprinting. Going beyond that is most of the time absurd.


It’s called captcha farms, and it’s not weird. They have been on the internet for decades.

I’d expect somebody who isn’t very familiar with Cloudflare stack to say this.

That’s fine, different services work best for different people.

Your thread isn’t feedback but rather a rant from somebody who isn’t familiar with Cloudflare and expects two tools (Captcha and JS) to solve all their problems. Everybody in the community knows that attacks can solve those two challenges, these layers are made to add costs and complexity to attacks, if they were 1-trick ponies against attacks there would be no reason to have dedicated teams to monitor and mitigate attacks 24/7.
Neither there would be a reason to invest millions in R&D of new techniques to stop and detect attacks.

As for the competitor/another vendor you found, I’m glad that their service works for you; I’m looking forward to seeing if their challenge is as resilient after handling 20% of the internet traffic.


Implementation of an appropriate security level is hard. In addition to simple captcha or JavaScript bypass both of which are an arms race, Cloudflare offers a number of additional protection levels…. These aren’t necessarily free or easy. There is a WAF and there are rate limiting and bot management solutions. Have you tried Cloudflare’s Bot Management solutions? Their enterprise level comes with some nice custom handholding, but it has a price because dealing with innovative attacks requires human intervention and intelligent interpretation.

There are other strategies such as aggressive caching which may work for some but ultimately top tier DDoS protection requires top tier services… which aren’t available for $20 or $200 a month (or an hour).


I will broker that deal and promise you 1M US minimum payout if you contact me and provide a solution I can’t bypass in 48 hours.


Cloudflare is’nt ddos’ing you. It’s just spawning connections as a pass through.

If your server cant deal with that you need to increase it’s capacity, or indirect check what in detail is going on and apply a rate limiting. Cloudflare DDOS is perfect, but you expect that if you just setup the nameservers everything will be well.

If your a dev you know that Cloudflare is a tool, that you need to understand, learn and put to work for you after proper configuration.

If you read my post, I said that “under attack” was enabled and captcha challenge has been activated for everyone. Even entire continents has been blacklisted.

A DDoS comes through because Cloudflare is bad and doesn’t block obviously attacks. The botnet bypassed the entire Cloudflare settings of my customers. Ratelimiting doesn’t fix everything. Ff your botnet is big enough, you can even send millions of requests without getting rate-limited. No webserver in the entire world can handle those amount of requests, if you run php-fpm on it. Your RAM and CPU will always go up to 100%.

You can very easily say something like “Cloudflare is perfect”, “just activate function foo” or whatever. But if you deal with high targeted websites caused by ddos attacks, you will think different.

n the past I have already dealed with 600 gbit ddos attacks. We had a very expensive arbor firewall and we had employees working just on mitigrating the ddos attacks the entire day. I just wanna tell you that just setting up some configuration doesn’t fix anything. The attackers changes their signatures everytime. And specially Cloudflare can be bypassed very easily.

What kind of high profile website are you running to be under attack for quite some time?

I’d suggest diving into what they want, and take properiate action against it. CF is a tool; not a universal protector. It will simply push traffic through as a pass-through as Cloudflare is intended.

@ maxchri.development

Consider deploying “litespeed”

I have 2 server on which one simple PHP FM 7.4 with apache and one with Litespeed as a replacement for PHP FM and such.

Litespeed is capable of driving quite alot MORE websites on the same (hardware) resources then the plain apache / PHP FM 7.4 thing.

The best example i can give is this; not just significantly increases it the time to first byte with for example wordpress sites, the resources required are far less and making me able to deploy 200+ more websites and i’m talking big thriving sites on the same machine without crapping out or having high load / out of resource issues.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.