I am confused about something. Let’s say an attacker sends hundreds or thousands of requests per second. This can easily be avoided with rate limiting, but it is a paid option. Does Cloudflare’s free DDoS protection protect us from this kind of requests or attacks? I can’t differentiate between DoS protection and rate limiting. In short, I am concerned: what if an attacker sends thousands of requests and they are not blocked because I am not using rate limiting?
I am not with the team and don’t know the exact workings of both, but to my understanding Rate Limiting is to prevent valid requests (imagine a login endpoint or something and someone trying a bunch of username + password combinations) from happening too quickly. Wrong or attack traffic is the thing that DDoS protection works against. The rate-limited traffic can fall into this category if it’s too much from specific IPs, I can imagine.
It’s a hard question, but from my knowledge the answer is yes, an attacker can easily flood your site with requests and crash your website, and you do need rate limiting to mitigate that (I got hit by a DDoS attack like this before I figured it out).
I believe Cloudflare has some internal rate limiting or some service to block HTTP flood attacks, but in most cases you can take down 99% of websites even with 2000 requests per second, so an attacker only needs like 2-10 IP addresses to take down sites that don’t have rate limiting.
Cloudflare’s free plan includes unlimited layer 3 and 4 DDoS protection. Some layer 7 DOS protection may occur because of features like Cloudflare’s IP reputation database, but some features which can be used to protect against DOS and other attack types are paid services.
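An added example, not from any post in this thread: a per-IP fixed-window rate limiter replayed over constructed traffic at the 2000 requests per second figure mentioned above, once from a handful of addresses and once spread across many. The limit of 20 requests per second per IP, the class and function names, and the addresses are assumptions for illustration; this is not how Cloudflare implements either feature.

```python
from collections import defaultdict

PER_IP_LIMIT = 20  # assumed threshold: requests allowed per IP per second


class FixedWindowLimiter:
    """Per-client fixed-window counter: at most `limit` requests per window."""

    def __init__(self, limit, window=1.0):
        self.limit, self.window = limit, window
        self.counts = defaultdict(int)  # (ip, window index) -> requests seen

    def allow(self, ip, ts):
        key = (ip, int(ts // self.window))
        self.counts[key] += 1
        return self.counts[key] <= self.limit


def replay(requests, limit=PER_IP_LIMIT):
    """Replay (timestamp, ip) pairs; return (passed, blocked) counts."""
    limiter = FixedWindowLimiter(limit)
    passed = sum(limiter.allow(ip, ts) for ts, ip in requests)
    return passed, len(requests) - passed


def few_sources(n_ips=5, per_ip=400):
    # Constructed traffic: 5 addresses x 400 requests in one second = 2000 req/s
    return [(i / per_ip, f"203.0.113.{ip}")
            for ip in range(1, n_ips + 1) for i in range(per_ip)]


def many_sources(n_ips=2000):
    # Constructed traffic: 2000 addresses x 1 request in one second = 2000 req/s
    return [(i / n_ips, f"10.0.{i // 250}.{i % 250 + 1}") for i in range(n_ips)]


if __name__ == "__main__":
    for name, traffic in (("few sources", few_sources()),
                          ("many sources", many_sources())):
        passed, blocked = replay(traffic)
        print(f"{name}: {len(traffic)} requests, {passed} passed, {blocked} blocked")
```

The same total volume is cut to 100 requests when it comes from five addresses and passes untouched when it is spread over 2000 addresses, which is the case per-IP rate limiting alone does not cover.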