Rate Limiting Billing Question Regarding DDoS?

Hey all. I just had a general question about the rate limiting billing. I recently received a DDoS attack on my website, and noticed the rate limiting number went to about 27k in a matter of minutes due to the attack. I noticed on the rate limiting page for Cloudflare, it states that I am only charged for real visitors, not attacks. How can I tell what my total billing will be, or what the total number of real users that hit the rate limiting page is?

The idea behind the rate limit feature is that those visitors that are not affected by the rules you set are legitimate visitors and therefore are subject to charge.

Is it normal to be getting billed for DDoS attacks via rate limiting? As I said, within a few minutes of a DDoS attack, the rate limiting activity skyrocketed to 27K. I assume for longer attacks, this would range in the millions. Would I be billed for those attacks if rate limiting was enabled? Or is there somewhere to view the true rate limiting activity from real visitors and what I will be billed? That is more my question and worry.

The analytics chart shows this via dotted vs. solid (undotted) lines; see https://support.cloudflare.com/hc/en-us/articles/115001635128

View Rate Limiting analytics in the Cloudflare Analytics app under the Security tab. Rate Limiting analytics uses solid lines to represent traffic that matches simulated requests and dotted lines to portray actual blocked requests. Logs generated by a Rate Limiting rule are only visible to Enterprise customers via Cloudflare Logs.

Cloudflare returns an HTTP 429 error for blocked requests. Details on blocked requests per location are provided to Enterprise customers under Status Codes analytics in the Cloudflare Analytics app under the Traffic tab.

HTTP 429 includes 429 responses returned from the origin if the origin web server also applies its own rate limiting.

Rate Limiting is billed based on the number of good (not blocked) requests that match your defined rules across all your websites. Each request is only counted once so you will not be double charged if a request matches multiple rules.

By configuring rate limit thresholds, you in fact decide what is a good request and what is bad. So if you have a very lenient rate limit of 10,000 requests/second and a layer 7 (application level) DDoS attack is sending HTTP requests at 100,000 requests/sec, you would in theory have 90,000 requests/second blocked and not billed, while you'd be billed for the good 10,000 requests/second threshold you set.

So if you set a rate limit of 90 requests/second, you are allowing up to 90 req/sec of good requests in, so that over 5 minutes = 90 x 60 x 5 = 27,000 good requests (potential max) you'd be billed for. If the DDoS attack is at 200 requests/second, then you don't pay for the 110 req/sec over that 90 req/s threshold. If the DDoS attack is under 90 requests/second, you will be billed for it, as it's considered a good request under your pre-defined threshold.

If you want to reduce rate limit costs, utilise CF Firewall rules to reduce the surface area/paths that a DDoS attack can take: https://developers.cloudflare.com/firewall/cf-firewall-rules. Some common use case examples: https://developers.cloudflare.com/firewall/recipes. You may need a deeper understanding of your web app's/scripts' ins and outs to come up with CF Firewall rules specific to your web app usage.


This makes some more sense. I also have another question. Let's say a single IP from an attack is sending off over 5k+ requests; would I be charged for all 5k?

It depends on the duration of those 5k requests and whether they are under or above your pre-defined rate limit threshold over that attack duration.

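As an added illustration of the arithmetic in the two answers above (the 90 req/s threshold over five minutes, and the follow-up about a single IP sending 5k requests), here is a constructed Python model of how "good" (billable) and blocked (429, not billed) requests split under a threshold. It is not Cloudflare's code: the rule shape (counting per client IP over a fixed period, with an optional mitigation timeout), the IP addresses and the traffic rates are all assumptions made for the simulation.

```python
"""Constructed model of rate-limit billing: requests at or under the threshold
for a client IP within a period are "good" (allowed, billable); requests over
it get a 429 and are not billed. Assumed semantics, not Cloudflare's code."""
from collections import defaultdict
from dataclasses import dataclass
from itertools import chain


@dataclass(frozen=True)
class RateLimitRule:
    threshold: int          # good requests allowed per client IP per period
    period_ms: int = 1000   # counting window in milliseconds (1 s = "requests/second")
    timeout_ms: int = 0     # assumed mitigation timeout: keep blocking the IP this long
                            # after it exceeds the threshold (0 = per-window only)


@dataclass
class Tally:
    good: int = 0       # allowed requests: the ones that count toward the bill
    blocked: int = 0    # answered with HTTP 429: not billed


class RateLimiter:
    def __init__(self, rule: RateLimitRule) -> None:
        self.rule = rule
        self._counts = defaultdict(int)     # (ip, window index) -> requests counted
        self._blocked_until = {}            # ip -> ms timestamp the block expires
        self.tally = defaultdict(Tally)     # ip -> Tally

    def handle(self, ip: str, ts_ms: int) -> int:
        """Process one request and return the status the edge would send (200 or 429)."""
        t = self.tally[ip]
        if ts_ms < self._blocked_until.get(ip, 0):
            t.blocked += 1                   # still inside a mitigation timeout
            return 429
        key = (ip, ts_ms // self.rule.period_ms)
        self._counts[key] += 1
        if self._counts[key] > self.rule.threshold:
            t.blocked += 1                   # over the threshold for this window
            if self.rule.timeout_ms:
                self._blocked_until[ip] = ts_ms + self.rule.timeout_ms
            return 429
        t.good += 1                          # under the threshold: "good", billable
        return 200


def steady_stream(ip: str, rate_per_s: int, duration_s: int, start_ms: int = 0):
    """Constructed traffic: rate_per_s requests per second from ip, evenly spaced.
    Timestamps are integer milliseconds, so rates that divide 1000 give exact windows."""
    for i in range(rate_per_s * duration_s):
        yield ip, start_ms + (i * 1000) // rate_per_s


def simulate(rule: RateLimitRule, *streams) -> dict:
    """Replay the streams through the rule in timestamp order; returns {ip: Tally}."""
    limiter = RateLimiter(rule)
    for ip, ts_ms in sorted(chain(*streams), key=lambda e: e[1]):
        limiter.handle(ip, ts_ms)
    return dict(limiter.tally)


def billable_requests(tally: dict) -> int:
    """Requests that count toward the rate-limit bill, summed across all client IPs."""
    return sum(t.good for t in tally.values())


if __name__ == "__main__":
    rule = RateLimitRule(threshold=90)              # 90 requests/second, as in the answer above
    # 200 req/s layer 7 flood from one (documentation-range) IP for 5 minutes:
    flood = simulate(rule, steady_stream("203.0.113.7", 200, 300))
    print("5-minute flood:", flood["203.0.113.7"])          # good=27000 blocked=33000
    # The same 5,000 requests from a single IP, fast (10 s) versus slow (100 s):
    print("5k in 10 s:", simulate(rule, steady_stream("198.51.100.9", 500, 10)))
    print("5k in 100 s:", simulate(rule, steady_stream("198.51.100.9", 50, 100)))
    # With an assumed 10 s mitigation timeout the billable count drops below the ceiling:
    with_timeout = simulate(RateLimitRule(threshold=90, timeout_ms=10_000),
                            steady_stream("203.0.113.7", 200, 300))
    print("flood with timeout:", with_timeout["203.0.113.7"])
```

The first scenario reproduces the 90 x 60 x 5 = 27,000 figure from the answer: 90 requests per one-second window are good and the remaining 110 are blocked. The two single-IP runs answer the follow-up question: 5,000 requests squeezed into 10 seconds are mostly blocked (900 billable), while the same 5,000 spread over 100 seconds never exceed 90/s and are all billable. The last run shows that 27,000 is a ceiling: if the rule also applies a mitigation timeout once the threshold is crossed, requests arriving during that timeout are blocked too, so fewer are billed.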