How to determine if I am undering DDOS attack


Just curious about if I am undering DDOS attack. In most cases, Cloudflare will do a great work to mitigate DDOS attack and webmaster even don’t know anything happens.

How to determine if I am undering DDOS attack? Sometimes when I check the Cloudflare Analytics, I will find there’s a day have huge cache traffic, which is much higher than normal. However, there’s nothing in the “Threats”, and the uncached traffic is normal. So what is the cached traffic and threats really means?

Cloudflare will to DDOS mitigation automatically, for example, JavaScript challenge. Is it shown in the cached traffic, or the threats?

I think Cloudflare should add DDOS history feature, and it’s also a good way to let customers to promote their products.


Just to make things clear, high request peak does not mean a DDOS attack.

It could simply be someone scraping your website. As for why it only affects cached traffic, it may be that the scraper is scraping only static content such as images.


What is your definition of scraper and scrap compared to robots and crawl. It shoudn’t be robots since the site doesn’t have that much content to crawl. And for that cases, it is hard to say the high request peak it is whether DDOS or not.


To be honest, most DDoS attacks you will never even see… in any dashboard. That’s because they are layer 3/4 attacks that we absorb at our edge and may not be directly targeting your domain, but the IP address associated with it (it could be against you or any of 100 other customers). I think we have an opportunity to show those results better to folks for sure.

Beyond that, it can be a bit hard to tell and is something we continue to try to refine from a reporting standpoint. If 1,000 IPs make a single request in an hour it is much less obvious something may be amiss than if 1 server makes 1,000 requests.

Looking at your chart the key (for you) I think is that even if this was some kind of malicious activity the resource they were requesting was one cached at Cloudflare, so we were serving that without having to go to your origin.

And to add another possibility to @edricteo’s analysis it could be that someone hotlinkd to one or more assets on your page as well.

closed #5

This topic was automatically closed after 14 days. New replies are no longer allowed.