Question if Cloudflare in-built protection will stop attacks like this

recently we were DDOS attacked, back then we had no Cloudflare enabled protection.
Now we’re on Pro plan.
My question is, will Cloudflare default security mechanisms protect us against attacks like this?
Attaching data we collected which shows what the typical attack sequence looked like.


You could always add rate limiting to your API path. It’s located WAF–>Rate Limiting Rules

I could do that but distinguishing betqwwn bot and legitimate traffic could be…non trivial.
You see if I take a look at statistics of legitimate clients which produce most hits and slowest bots/IPs, they intersect in amount of hits.


The protection you get by default isn’t the greatest and typically involves custom tunning, the odds are that you will need to keep an eye on the traffic and deploy firewall rules when a new attack hits your website.


Would upgrading to Bussiness plan help?

Not at all, only the enterprise package has a different protection that is slightly better.

The main benefit of the pro package is the added visibility vs the free plan, makes crafting firewall rules better.


So if we have a website where input IP domain can not be restricted (must be available globally), and blocking by user agent can not be performed easily, which other options do we have in general?
Can rate limiting be done on request response saying that if we unusual amount of 400, 405, 500, 404, 403 responses from our server, block the offending IP? Or only by amount of requests per time?
Also, is there an option of allowlisting API access following OpenAPI specification we have?

Cloudflare Business plan or higher can rate limit based on response HTTP status codes from ( Use custom counting expression) Rate limiting parameters · Cloudflare Web Application Firewall (WAF) docs

  • Use custom counting expression > Increment counter when String
    • Field name in the API: counting_expression (optional).
    • Only available in the Cloudflare dashboard when you enable Use custom counting expression.
    • Defines the criteria used for determining the request rate. By default, the counting expression is the same as the rule matching expression (defined in If incoming requests match). This default is also applied when you set this field to an empty string ("").
    • If you set a custom counting expression, it will not automatically extend the rule matching expression. Therefore, you may wish to include the matching expression in the counting expression. For example, you might want to perform rate limiting for clients sending more than five requests to /api/ resulting in a 403 HTTP status code from the origin server. In this case, the matching expression would be starts_with(http.request.uri.path, "/api/") and the counting expression would be http.response.code eq 403 and starts_with(http.request.uri.path, "/api/"). If the counting expression did not include the matching expression (that is, if you had set the counting expression to http.response.code eq 403), any response with a 403 status code on any URL would increase the counter.
    • The counting expression can include HTTP response fields. When there are response fields in the counting expression, the counting will happen after the response is sent.
    • In some cases, you cannot include HTTP response fields in the counting expression due to configuration restrictions. Refer to Configuration restrictions for details.

Example from my blog post Business plans also have access to WAF Attack score metrics you can use for custom WAF firewall rule creation WAF attack score · Cloudflare Web Application Firewall (WAF) docs

Note Cloudflare Rate Limiting is per data center so with 300 cities, you can still get a cumulative number of requests from all visitors spread over many Cloudflare data centers that do get through to your origin server(s). So you still need to ensure your origin server is optimised and tuned to handle some load. But you can use Cloudflare custom WAF/Firewall rules to further reduce the attack size.

You can read documentation for Rate Limits at


If I understand WAF rules well, we have no ability to block particular IP/range because it works on per-request base. How could we block (except for limited rate-limiting which we have in Pro plan) particular IP for example if we notice that URL accessed follows particular pattern?

You can block IP ranges too How do I block ip range in firewall? as part of your Firewall rule expression

I could block fixed IP ranges but that does not help when DDOS is happening.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.