DDoS protection
- Is protection enabled by default for all domains?
- Is it free of charge and unmetered on the Free plan and how does it work?
- Can I make adjustments to it using infrastructure code such as Pulumi?
Yes to all 3
DDoS protection is always-on for any proxied records, but it'll need a large attack to take action.
Cool, what would the scope of the attack be?
I will implement rate limiting as well, is that possible with Cloudflare?
And can I monitor DDoS metrics for attacks?
Yes, also free. See https://developers.cloudflare.com/waf/rate-limiting-rules/
If an attack is blocked at the DDoS layer (not from rate limiting or otherwise but the automatic DDoS protection) you'll get an email. Otherwise I'm not sure - some plans have analytics but I'm not sure what kind of analytics Free has
Thanks
Would it be sufficient to implement rate limiting only at Cloudflare, or should I do it at the hosting provider as well, regardless of whether I restrict Cloudflare to be the only whitelisted IP that can access my APIs?
And does Cloudflare provide protection for APIs specifically?
Sufficient at Cloudflare only, I think. As long as you restrict only Cloudflare IPs to accessing your server, Cloudflare's rate limiting is going to be far more robust than whatever is at your hosting provider (Cloudflare has over 450 locations that can absorb traffic, if needed, versus a single one at your webhost).
It depends on the level of flexibility you want as well. Free or even Pro rate limiting is rather limited. If you want to do something like per-API-key rate limiting you are out of luck. You could do a hybrid approach: a single global rate limit via CF Rate Limiting and more specific ones in your own app. Discord does exactly that, as an example.
Yeah, that is what I am thinking, as it is quite easy to implement in my code. I mostly think of DDoS protection and rate limiting to prevent massive attacks that could impact my cost and the performance of the app.
I have tried getting the proxy for the domains to work before, but I have not succeeded at that yet. Do you know what the requirements are for this to work so I can implement DDoS protection, and is it possible for me to test if DDoS protection is working properly by creating a small DDoS attack by myself and targeting my domain?
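An added example in Python (not code from this thread or from Cloudflare) of the hybrid approach just described: the origin first accepts only connections arriving from Cloudflare's IP ranges, as suggested earlier, and only then trusts the CF-Connecting-IP header and applies a per-API-key token-bucket limit that Free/Pro rate limiting cannot express. The IP ranges are constructed placeholders (load the current list from https://www.cloudflare.com/ips/ in production), and the X-Api-Key header name and `check_request` function are assumptions.

```python
import ipaddress

# Constructed placeholder ranges (documentation prefixes), NOT Cloudflare's real list.
# In production, load https://www.cloudflare.com/ips/ and refresh it periodically.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:cf::/48")]


def from_cloudflare(remote_ip: str) -> bool:
    """True only if the TCP peer is inside a Cloudflare range (origin allow-list)."""
    addr = ipaddress.ip_address(remote_ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)


class ApiKeyLimiter:
    """Token bucket per API key: refills `rate` tokens/second, bursts up to `capacity`."""

    def __init__(self, rate: float, capacity: int):
        self.rate, self.capacity = rate, capacity
        self._buckets = {}  # api_key -> (tokens, last_refill_timestamp)

    def allow(self, api_key: str, now: float) -> bool:
        tokens, last = self._buckets.get(api_key, (self.capacity, now))
        tokens = min(self.capacity, tokens + max(0.0, now - last) * self.rate)
        if tokens < 1:
            self._buckets[api_key] = (tokens, now)  # refill but deny this request
            return False
        self._buckets[api_key] = (tokens - 1, now)
        return True


def check_request(remote_ip: str, headers: dict, limiter: ApiKeyLimiter, now: float):
    """Return (HTTP status, client IP). 403 = origin reached directly, bypassing Cloudflare;
    401 = no API key; 429 = per-key limit hit; 200 = accepted."""
    if not from_cloudflare(remote_ip):
        return 403, None
    # CF-Connecting-IP is only trustworthy once we know the peer really is Cloudflare.
    client_ip = headers.get("CF-Connecting-IP", remote_ip)
    api_key = headers.get("X-Api-Key")  # assumed header name
    if not api_key:
        return 401, client_ip
    if not limiter.allow(api_key, now):
        return 429, client_ip
    return 200, client_ip
```

A direct hit on the origin is refused regardless of rate, so Cloudflare's global limit stays in front while each key gets its own budget here.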
What issues are you seeing getting the proxy to work?
I will check that soon
@HardAtWork specifically, I am having trouble proxying traffic from a Cloudflare DNS CNAME record to the Azure Static Web Apps service.
Hmm, I think this is an error on my part, because the issue only occurs when pointing to a static site, which obviously is not relevant in terms of DDoS protection, to my knowledge at least.
It works fine for the API; however, it does mean I cannot take advantage of traffic policing and caching and so on with Cloudflare for the initial request to download the static site files, which would be nice.