DDOS vs Rate Limiting

I am a newbie here. So I appreciate if someone can help me out with a simple answer:

1: How different is DDOS prevention from Rate limiting feature of Cloudflare? Isnt DDOS a form of rate limiting already? Is DDOS equivalent to a rate limiting with a very high rate? Do I have to activate rate limiting if DDOS is already protecting my website?

2: For Cloudflare to work, do i have to make sure the domain im trying to protect has an orange cloud showing somewhere on my website?

3: Is it possible that attackers can bypass Cloudflare and attack my host’s IP directly ? If the answer is yes, should I do anything with my DNS? (I have something about rotating IPS towards Cloudflare but I have no clue what it means)


DDoS is an attack. Rate Limiting can help attenuate the amount of requests to your site. Not everything is automatically detected as denial of service. It also helps to prevent legitimate users slowing down your website for whatever the reason is.

Not on your Website.
Just the DNS records need to be set to :orange:

Yes and no.

Even though Cloudflare hides your origin IP, your IP address could be leaked through DNS records that have Cloudflare disabled and point to your origin IP (:grey: record). This often happens with sub domains like webmail., mail, smtp … in case the mail service is running on the same host as the website does. And those records need to have Cloudflare disabled, since only HTTP(s) traffic is proxied. Best practice would be to run a second server on a different network if you want to handle mail traffic.

On the other hand it’s possible to run a random attack against networks.
You definitely need a firewall in front of your server or use the system firewall like iptables or Windows Firewall to block requests that are not routed through the Cloudflare network.

1 Like

Thanks Mark. Very enlightening. May I ask:

  1. what is a reasonable rate limiting request value per minute? is that number a function of the type of hosting as well? like shared, vps or dedicated

  2. Do you mean I should set a firewall in Cloudflare (under firewall section) or set a firewall on my dreamhost account?


This really depends on your needs and/or ressources you have. IMHO.

That’s the first option. But since Cloudflare protects your website on DNS level, your IP(s) keep unprotected againts direct attacks.

So i recommend to block any traffic if

provides a firewall within their CP or ,if you have SSH access to your VPS, to make use of iptables to block requests not routed through Cloudlare.


i couldn’t find anyway to setup a firewall through dreamhost user interface. lets say however there is a way to set up firewall through ssh access to block requests not routed through Cloudflare. but

  1. how do i tag IP s that are not routed through Cloudflare?

  2. doesn’t that mean mail requests are going to blocked as well? sinceas you explained above, mail requests are not routed through Cloudflare.


Iptables is complex. And you can block everything not coming from Cloudflare which would affect emails as well or just specific ports like 80 and 443.

Here is a guide



adding to mark, the rate limiting feature is useful in only preventing ddos layer 7 attack, there is other types of ddos attack which this feature will not help from(but Cloudflare will protect you from them), and yes if you want to be safe from layer 7 attack you need the rate limiting feature, if you are on low budget you can always enable it after the attack is happening and not 24\7 but that mean that you will suffer from downtime(but the rate limiting will anyway not protected you by 100% from downtime)

1 Like

Mark, In my Cloudflare account under DNS, I have changed all those A records to orange cloud sign. and I do not have any other record other than As. For example I do not have webmail services. I only have A records and they are all orange cloud. Do i still have to implement iptables and whitelist Cloudflare IPs? I mean is there still a way for attacker to know my dreamhost IP?

yes there is ways to know your ip, for example if you didnt changed your ip after moving to Cloudflare there is still ways to see your old dns records and find out your ip, or an attacker can scan some ip ranges, or some bots can scan randoms ip to find weakness and is good idea just to block everyone anyway


I just tested the rate limiting and it didnt work. I set a simple rate limiting rule to block access for 1 minute if request rate went above 3 requests per minute.

Then I typed my website in the browser, loaded it, and kept refreshing the page constantly and quickly. Which means for sure I exceeded the 3 request per minute rule. But my browser never got blocked.

Do you know why? I only have 1 one page website. no extensions or anything.


Dear Boynet, Thanks for your feedback. I will implement the whitelist, However I am curious what you mean exactly by " if you didnt change your ip after moving to Cloudflare there is still ways to see your old dns records and find out your ip" ? . I bought a domain 1 week ago and used it to host a brand new site via dreamhost at the same time and then activated Cloudflare on it. So what you just said above is not applicable to my case right?

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.