This tutorial covers some of the steps you can try to take to protect yourself from a DDoS attack. There is a Cloudflare Support Article on this as well.
I have written this from my own opinion on what you should do, and hopefully some other MVPs will contribute to this tutorial to make it even better!
Here are the first steps I would take:
Sign up for Cloudflare - Cloudflare can provide a lot of helpful tools to help you overcome a DDoS attack, even on their free plan.
Make sure all your DNS records that can be are set to , anything that is will bypass most of what you set up.
Lock down your server to only accept connections from the Cloudflare IPs, this should stop the attackers from bypassing Cloudflare and going straight for your server using its IP address.
Enable I’m Under Attack mode. You can find this under
If you can get or have a paid Cloudflare plan, enable the WAF
Replacing 192.0.2.1 with your IP address so you can still access the site without a challenge.
You don’t really want to keep this rule permenantly as it will inconvenience all genuine visitors, but it should stop / slow the attack.
Monitor the Firewall Events Log to see if there is any pattern that you can see from the attackers when they hit the captcha challenge. You can then narrow down who you present the captcha challenge to. For instance, if the attacks all come from one country, you could just challenge visitors from that country. If they all use the same user agent, you can challenge all requests from that user agent and you should be able to make your rules more specific to minimise the effect on genuine site visitors while still slowing / stopping the attack.
For example, you could use a rule like:
with the country and user agent that the attacks are coming from and captcha challenge or even block these requests.
Also, great points in this post about challenging all visitors except in certain conditions. E.g. unless from countries most commonly visited from, challenge etc.
You can do a huge amount with Cloudflare to protect youself from these attacks, especially using firewall rules, which even free users get 5 and paid plans get even more.