We are a hosting provider, and we use Cloudflare to protect web servers at Layer 7 from DDoS attacks. But today, a big DDoS attack (botnet / IP spoofing related) is attacking Layer 7, and the website is down. We already protected Layers 3 and 4 and it’s now OK, but the last issue is Layer 7. The free plan can’t protect against this big attack, we think, so we would like to purchase the Pro plan. Can you confirm the WAF Firewall will protect against this kind of attack without putting a CAPTCHA on the website?
In general the Pro plan doesn’t do any more in terms of automatic rate limiting. CF already protects against HTTP floods but only for real volumetric attacks - if you have a slow server that is crippled when hit with 50 requests/sec, CF isn’t going to magically make that stop. The Pro plan does provide more tools for mitigating DDoS though, so you could figure out a pattern in the way the attacker is attacking and block that.
There is CF waiting room which almost sounds like what you’d like, but it’s currently only available to Project Fair Shot so that COVID vaccination services can ensure fair access to their services.
Hi @hapidev!
I’m Cloudflare’s DDoS Protection product manager.
Our DDoS protection systems trigger at various rps thresholds (depending on the system logic/attack vector) to avoid false positives, or when your origin shows signs of struggle in the form of over 150 errors per second (from the 5xx range). Other than that, if you’re under attack, I suggest enabling “Under Attack” mode which will challenge all requests to your website.
The WAF will only help if the requests match WAF/Managed rules/criteria, and the requests themselves might actually be ‘valid’ but just at a high rate.
The Pro plan will also give you access to Firewall Analytics which will give you insights into the attributes of the attack, which can then help you craft Firewall rules to mitigate the attack (e.g. by user agent, path, method, etc.).
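An added example, not part of any post in this thread and not Cloudflare's code: a Python sketch of the pattern-finding step the replies describe, run over origin access-log lines. The combined log format, the constructed sample lines, the 50% share threshold and all function names are assumptions; the 150 errors/second figure and the rule attributes (user agent, path, method) come from the reply above.

```python
import re
from collections import Counter

ORIGIN_5XX_TRIGGER = 150  # errors/second figure quoted in the reply above
LOG_RE = re.compile(      # combined log format (assumed for this example)
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Cloudflare firewall-rule fields matching the attributes named in the reply
FIELD = {"method": "http.request.method", "path": "http.request.uri.path",
         "ua": "http.user_agent"}

def parse(lines):
    """Yield one dict per parsable line; query strings are dropped from the
    path so cache-busting parameters do not hide a single hot endpoint."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["path"] = rec["path"].split("?", 1)[0]
            yield rec

def dominant_attributes(records, min_share=0.5):
    """Return {field: (value, share)} where one value carries >= min_share."""
    out = {}
    for field in FIELD:
        counts = Counter(r[field] for r in records)
        if counts:
            value, n = counts.most_common(1)[0]
            if n / len(records) >= min_share:
                out[field] = (value, round(n / len(records), 2))
    return out

def peak_5xx_per_second(records):
    """Highest count of 5xx responses sharing one log timestamp (1 s resolution)."""
    per_sec = Counter(r["ts"] for r in records if r["status"].startswith("5"))
    return max(per_sec.values(), default=0)

def candidate_expression(dominant):
    """Draft rule expression to review against legitimate traffic before use."""
    return " and ".join(f'{FIELD[k]} eq "{v}"' for k, (v, _) in dominant.items())

# Constructed sample: 8 flood-like requests plus 2 ordinary ones.
SAMPLE = [f'198.51.100.{i} - - [10/Mar/2021:14:02:0{1 if i < 6 else 2} +0000] '
          f'"POST /search?q={i} HTTP/1.1" 503 0 "-" "constructed-bot/1.0"' for i in range(8)]
SAMPLE += ['203.0.113.5 - - [10/Mar/2021:14:02:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
           '203.0.113.6 - - [10/Mar/2021:14:02:02 +0000] "GET /about HTTP/1.1" 200 734 "-" "Mozilla/5.0"']

if __name__ == "__main__":
    recs = list(parse(SAMPLE))
    print(dominant_attributes(recs), peak_5xx_per_second(recs) > ORIGIN_5XX_TRIGGER)
    print(candidate_expression(dominant_attributes(recs)))
```

A dominant value that is also common in normal traffic (for example `GET` or `/`) makes a poor rule on its own, so compare the result against a baseline period before blocking.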