Why do I have to be rich to block countries?

Is the internet only for the super rich? I don’t have $250-$1000 a month to get enterprise to block countries. Why is this simple, basic feature need me to be super wealthy? This is absurd!

You can block countries on the free plan.

In the WAF, under Tools. Magic link: https://dash.cloudflare.com/?to=/:account/:zone/security/waf/tools

“you must have enterprise for this feature”

You can block a longer list of countries with a Custom Rule. Choose “Country”, and “Is in”, and you can give a list of countries.


Thank you for that, looking into that now! With rate limiting can you tell me what I would put in the “If incoming requests match…” under “:Edit rate limiting rule”. My sites getting hit hard and a simple answer to this overcompilciated, overwhelming software could potentially help since it’s the same ips hitting 10 times every 2 seconds

Rate limiting options are pretty limited on a free account, but you could just put something that will match all requests, like the path starts with /

1 Like

You actually just ended like 4 days of stress I blocked like 15 countries and the attack has been cut down tremendously and my sites loading again. AI’m still getting USA/Canada hits so thats why I’d like to impliment this rate limit and really appreciate your help and advice. In terms of what you’re saying with the free plan, would I just set the expression like this: “URI” path “equals” “/”?

URI Path starts with /

“Starts with”, not “equals”, to match all requests. (I’m not sure why it doesn’t allow you to just say “all requests”.)

Don’t include the quote marks, just /

1 Like

Real one brother. You’re a legend. Is there any other tricks I can do to cut down on these ddos attacks? I’m a complete noob at this.

1 Like

When I add more countries it doesn’t block them, do I just do

Country ->> Equals >> Country then And–> and repeat? doesnt have any activity like the single rule countries do

You can just select “Country” and “Is in” and then add a list of countries.


Thats doing the trick I think, some countries are still showing in the events for HTTP DDOS… even know they’re blocked, any idea?

See this? Why is Indonesia still able to hit and its not blocking it its just a “managed challenge”?

HTTP DDoS runs before the WAF rules you create, these requests are blocked before the WAF can evaluate them.


I need a solution to block these countires not give them a “managed challenge”. The block country setting is set to “block” but its not following the protocol. What am I doing wrong?

The requests aren’t actually getting through, right?

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.