For Workers & Pages, what is the name of the domain?
What is the issue or error you’re encountering
Question about best practices
What are the steps to reproduce the issue?
Our architecture is quite distributed and it brings together a few existing systems.
We make quite a lot of use of workers to perform smart routing and act as “glue”.
We’re looking to build out end-to-end load testing, however I am under the impression that cloudflare advise against this as it may trigger DDoS protection.
I’d really prefer not to do white-box testing on each underlying system component as we’re interested in testing the scaling behaviour of the system as a whole. I’m also keen on moving more functionality to cloudflare’s edge-compute services.
Two main questions:
What sort of threshold might trigger DDoS protection? We’re simulating a reasonable peak load, but not actively trying to break the system - so we may be within limits. We’re looking at maybe 6000 rpm from 600 active sessions over six geo regions (we’re using K6 btw).
Is there any way of temporarily disabling DDoS protection for testing should we need to?
6000 requests per minute is nothing at Cloudflare scale. You’ll need to have a Workers paid plan to exceed 1000 requests per minute though.
Obviously details of what triggers DDoS detection isn’t given for security reasons. In the unlikely event you do trigger something, check the reason in your security event log.
Details on the DDoS rulesets and override options are here…
Thanks - yes I expected it’s way-off a really DDoS’s scale.
The tools provided around DDoSs are pretty good so I think I’m OK to give it a dry run and see what happens.
Something you do need to be aware of, if you’re planning to run at scale, is that if you send a lot of requests from a small pool of ips to a worker, you may run into a default anti-abuse/ddos rule that’s specific to Workers, see Limits · Cloudflare Workers docs
Cloudflare’s abuse protection methods do not affect well-intentioned traffic. However, if you send many thousands of requests per second from a small number of client IP addresses, you can inadvertently trigger Cloudflare’s abuse protection. If you expect to receive 1015 errors in response to traffic or expect your application to incur these errors, contact Cloudflare support to increase your limit. Cloudflare’s anti-abuse Workers Rate Limiting does not apply to Enterprise customers.
You can also confirm if you have been rate limited by anti-abuse Worker Rate Limiting by logging into the Cloudflare dashboard, selecting your account and zone, and going to Security > Events. Find the event and expand it. If the Rule ID is worker, this confirms that it is the anti-abuse Worker Rate Limiting.
I’ve personally triggered this anti-abuse rule in the past accidentally, while doing less than ‘thousands of requests per second’, so if you expect to potentially come near this scale, it wouldn’t hurt to create a support ticket and make them aware of your traffic scale so they can preemptively lift that default anti-abuse/ddos rule if you want.
Did the response in this thread help resolve your issue? If yes, please mark the most helpful reply as the solution by clicking the checkbox. This will help close the thread. Thanks!