Getting DDOS'ed by one IP hitting the same URL 400k times. Any way to get automatic protection from that?

I know I can set up firewall rules, but for that I need to know the actual IP and URL, and I can only have 5 of them.

I was hoping that Cloudflare would be able to detect abusive behavior like that and block it.

Is there a way to limit the number of requests per second/minute from the same IP?


You can block IP addresses under IP access rules, which are practically unlimited.

As for rate limiting, check out “rate limiting” :slight_smile:

Can I get IPs with most requests via Cloudflare?

And what if they use bot farms with thousands of IPs?

You can increase the security level or use firewall rules to evaluate cf.threat_score specifically.

Generally speaking, Cloudflare is not necessarily a one-click solution but does require some fine tuning.

I see, thanks.

I was hoping that if there are 300k requests to the same URL from the same IP within one hour, CF would block it.

Apparently it’s not that smart yet :frowning:

Looks like I’ll have to use nginx for that:

Partially it is and Cloudflare does keep a list of IP addresses which are automatically challenged, but that does not necessarily need to include addresses which might be sending mass requests to your server at a given time.

You can Rate Limit from the Firewall Tools section. At an average of 5000 hits per minute, it shouldn’t take long for that IP address to get blocked:

Thanks @sdayman

That’s exactly what I was looking for. It costs money, but it’s only $5 / 1 million requests, which is reasonable.

One last question: is there a way to access the most frequently requested URLs, or do I have to parse nginx logs for that manually?

I mentioned it in my very first response.

Cloudflare does not offer such a feature by default. Parsing your log files might be the most efficient way, otherwise you might want to have a look at Logflare.
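One way to pull those counts out of the nginx access log itself, as an added example that is not part of this thread: it lists the most frequent IPs and URLs, and flags any IP/URL pair that exceeds a threshold within a sliding one-hour window (the case described above). It assumes the default nginx "combined" log format and time-ordered lines; the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Assumption: default nginx "combined" format; only the fields we need are captured.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*"')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, path, timestamp) or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), datetime.strptime(m.group("time"), TIME_FMT)

def top_talkers(lines, n=5):
    """Most frequent client IPs and requested URLs over the whole log."""
    ips, paths = Counter(), Counter()
    for rec in filter(None, map(parse_line, lines)):
        ips[rec[0]] += 1
        paths[rec[1]] += 1
    return ips.most_common(n), paths.most_common(n)

def flag_abusers(lines, threshold, window_seconds=3600):
    """(ip, path) pairs with more than `threshold` hits inside any sliding window.
    Assumes lines are in time order, as nginx writes them."""
    windows = defaultdict(deque)   # (ip, path) -> timestamps inside the current window
    flagged = set()
    for ip, path, ts in filter(None, map(parse_line, lines)):
        q = windows[(ip, path)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()            # drop hits that fell out of the window
        if len(q) > threshold:
            flagged.add((ip, path))
    return flagged

# Constructed sample log (not real traffic): one client hammers /login, one browses normally.
SAMPLE_LOG = [
    f'{ip} - - [10/Oct/2023:{t} +0000] "GET {path} HTTP/1.1" 200 512'
    for ip, t, path in [
        ("198.51.100.3", "13:00:01", "/"),
        ("203.0.113.7", "13:00:02", "/login"),
        ("203.0.113.7", "13:00:03", "/login"),
        ("198.51.100.3", "13:00:10", "/about"),
        ("203.0.113.7", "13:00:11", "/login"),
        ("203.0.113.7", "13:00:12", "/login"),
        ("203.0.113.9", "14:30:00", "/login"),
        ("203.0.113.7", "15:30:00", "/login"),  # outside the earlier window
    ]
]
```

On a real log, read the file line by line and raise `threshold` to whatever rate the site legitimately sees; the flagged pairs are what you would feed into IP access rules or a rate-limit rule.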

There are sites that receive such traffic, I’m using Rate Limit to stop spammers. Basically the Free plan can only show a page saying you’re banned, which is scary for a real user to see.

The Pro plan allows you to display a JavaScript Captcha.

Sadly that specific site of mine can’t justify the Pro plan yet, hopefully in the future.

