Cloudflare Solutions for Enhanced Layer 7 DDoS Protection
Dear Cloudflare Team,
We have been long-time users of Cloudflare's Pro plan and are now considering an upgrade to the Business or Enterprise plan to address our evolving needs. Our API is currently facing significant challenges due to various types of Layer 7 DDoS attacks. Despite utilizing an Nginx reverse proxy and Go Fiber, along with implementing rate limiting controls, we find that these measures are insufficient in mitigating the attacks effectively.
We are prepared to invest in Cloudflare technologies to enhance our security posture. Although we have not been using Cloudflare's proxy for our API, we are planning to integrate it, confident that it will seamlessly complement our existing API system.
Given the complexity of Layer 7 threats, we believe that a comprehensive solution, possibly involving a combination of Cloudflare products, would be ideal. We are particularly interested in understanding the benefits of Cloudflare Tunnel in the context of Layer 7 defense, especially considering that complete isolation from the internet is not our primary objective. Will just a regular reverse proxy with some rules mitigate most script kiddie attacks?
We would appreciate your guidance in identifying the most suitable Cloudflare solutions to fortify our API against Layer 7 DDoS attacks. Your expertise and recommendations will be invaluable as we strive to enhance our security infrastructure.
Thank you for your assistance. We look forward to your response.
1 Reply
The role Cloudflare Tunnel plays is that you are able to not keep any ports open on your server, preventing any requests from reaching it and bypassing Cloudflare. https://www.cloudflare.com/en-gb/products/tunnel/
For the worst attacks, the DDoS protection will work automatically on any plan; for some attacks you will need to mitigate them manually with rules, as described here: https://community.cloudflare.com/t/mitigating-an-http-ddos-attack-manually-with-cloudflare/302366
For an API you usually don't want to rely on Under Attack mode but rather on rate limits and blocking malicious/invalid clients based on the information you have in the logs.
If you go to Enterprise then you can take it further with API Shield: https://developers.cloudflare.com/api-shield/
If you're considering Enterprise I'd recommend reaching out to Sales who can show you how the security products can help in your unique environment and provide a demo on the features: https://www.cloudflare.com/plans/enterprise/demo/
or a free trial: https://www.cloudflare.com/enterprise-free-trial/
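The log-driven triage the reply recommends, sketched as an added example (not part of the original thread and not Cloudflare tooling): it scans origin access logs for clients that exceed a per-minute request ceiling or return almost only 4xx responses, giving a candidate list for rate-limit or block rules. It assumes Nginx's default "combined" log format; the thresholds, function names and sample traffic are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumes Nginx's default "combined" access log format.
LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')

def build_sample_log():
    """Constructed sample traffic (documentation IP ranges), not real data."""
    fmt = ('{ip} - - [10/Mar/2024:12:{m:02d}:{s:02d} +0000] '
           '"GET {path} HTTP/1.1" {st} 512 "-" "client/1.0"')
    # One client sending 40 requests inside a single minute.
    lines = [fmt.format(ip="203.0.113.7", m=0, s=s, path="/api/v1/items", st=200)
             for s in range(40)]
    # One slow client whose requests all fail with 404.
    lines += [fmt.format(ip="198.51.100.23", m=m, s=0, path="/api/v0/missing", st=404)
              for m in range(12)]
    # One ordinary client.
    lines += [fmt.format(ip="192.0.2.10", m=m, s=30, path="/api/v1/items", st=200)
              for m in range(5)]
    return lines

def suspicious_clients(lines, max_per_minute=30, max_error_ratio=0.8, min_requests=10):
    """Return {ip: [reasons]} for clients worth a rate-limit or block rule."""
    per_minute = defaultdict(Counter)      # ip -> {minute bucket: request count}
    totals, errors = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                       # ignore lines in another format
        ip = m["ip"]
        per_minute[ip][m["ts"][:17]] += 1  # "10/Mar/2024:12:00" = minute bucket
        totals[ip] += 1
        if m["status"].startswith("4"):
            errors[ip] += 1
    findings = {}
    for ip, total in totals.items():
        reasons = []
        peak = max(per_minute[ip].values())
        if peak > max_per_minute:
            reasons.append(f"peak {peak} req/min")
        if total >= min_requests and errors[ip] / total >= max_error_ratio:
            reasons.append(f"{errors[ip]}/{total} requests returned 4xx")
        if reasons:
            findings[ip] = reasons
    return findings

if __name__ == "__main__":
    for ip, reasons in suspicious_clients(build_sample_log()).items():
        print(ip, "->", "; ".join(reasons))
```

Tune the thresholds against a baseline of normal traffic before turning findings into rules, since legitimate API consumers behind a shared NAT can look like a single busy client.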