Limit concurrent connections from CF


some of our shared hosting server users have webistes behind Cloudflare with a lot elements (css, js, images) and when they visit their own site, Cloudflare makes over 100 concurrent HTTP connections to our web server from single IP address within 1-2 seconds. Browser by default makes max 6 concurrent connections to single domain. Due to DDoS attacks, we have limit set at 100. As a result, users visiting such sites are often locked out for 5 minutes. Even with limit raised from 6 to 200 in Firefox, it does not get to 100 connections on sites with a lot of elements when directly connecting, without Cloudflare and we didn’t notice NAT-ed ISP IPs being blocked.

Cloudflare never stops creating new connections. There is another issue - we had to limit total concurrent connections from Cloudflare on our firewall, because during DDoS attacks it makes over 10000-20000 HTTP connection despite our server returning thousands of 403 for single IP, based on real IP from header.

In general, Cloudflare should not make unnaturally high number of connections in the name of single client. Also it would be nice if there was a way for server admins to stop Cloudflare doing 10000+ connections to their servers without dropping connections on their side. If there was a way to set limit (check TXT record for PTR record of IP?), then clients receiving thousands of 403 should have lower priority and eventually be dropped and normal traffic should continue with higher priority, all within set limit.

You might look at the DDoS related limits and rules:

Also potentially worth revisiting your caching strategy to ensure you’re optimizing the ability for Cloudflare to offload requests from the origin.

1 Like

DDoS does not happen when first problem occurs (too many connections from single CF IP), it’s during normal operation.

When it comes to second problem (too many total connections during DDoS), we do not have control over our clients Cloudflare accounts.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.