What happens when Bot Fight Mode isn't enough?

I have been encountering recurring DDoS attacks on three websites I manage for the last year, and Bot Fight Mode as well as international limiters are not bringing the problem under control.

I was told that the server may have been targeted by bots before I started working for this company, and the additional activity as I updated and created new websites drew their attention. The problem was “solved” when we paid for more server space so at least we don’t have crippling slowdowns while the attacks persist, but I would like a more practical solution.

Is this something I just have to learn to put up with, or is there something I could do through Cloudflare that I haven’t thought of yet? I am very new to cyber security and am not familiar with best practices, including how to configure the WAF rules.

There’s no single answer to this question but in general…

  1. Restrict origin connections to only go through Cloudflare.
  2. Cache as much as practical.
  3. Use rate limiting for sensitive endpoints.
  4. Cache even more.

Review best practices for DDoS mitigation:

Once you’ve done that, look to figure out what else you can optimize from a caching perspective. If it’s a sophisticated bot attack then consider Cloudflare’s Bot Management.


Thanks for your reply. This is for a website with twice-monthly news coverage. Would 1 day of caching be too little or too much?
