Paypal IPN notifications and DDOS protection?


I might need to enable the CF DDOS protection to mitigate/slow down some traffic during heavy sales, but I’d like to keep the Paypal IPN notifications arriving unaffected.

What’s the best way to do that? Any other way to slow down traffic to our site and yet keep the Paypal IPN notifications going?

Maybe allow PayPal IPs to bypass the firewall (by creating a firewall rule). For more information on creating a firewall rule visit or for IP access rules visit

That was the first thing I thought about, as that’s easy and we have many of those for other services.

Problem is that the DDOS protection comes BEFORE any other rule, as we can now see from the new ‘Traffic Sequence’ window that CF shows (screenshot below)… In other similar posts this was mentioned as a problem.

So not sure how to do it, or how to slow down traffic in any other meaningful way for customers (instead of them just waiting with nothing happening!)

What type of plan do you have?

We are on Business Plan.

If you are experiencing surges of traffic, a waiting room comes in handy. More information (and how to set it up) can be found at and an FAQ for waiting rooms can be found at

That’s interesting…but I would still need all calls from Paypal IPN to pass through, even more so with a waiting room, and those happen on the same host.

I would need the whole site to be a waiting room (all the pages), but I can’t see a way to exclude this or that part…it seems somehow a more complicated way than the DDOS.

I asked CF support as well. It just surprises me how something this common with a service as common as Paypal didn’t happen before to others.
