Cloudflare Best Practices for DDoS Protection
Learn essential strategies to safeguard your network from DDoS attacks with Cloudflare's best practices for effective protection.
Introduction
This article outlines the best practices for implementing Cloudflare Cloud Web Application Firewall (WAF) security configurations that are essential for application DDoS protection. It is aligned with the Red Button DDoS mitigation strategy and serves as a guideline for optimizing Cloudflare Cloud WAF for customers.
Article Overview
The following features are covered in this article:
DNS Records Extraction
Caching Settings
Bot Management
Challenges
Custom Firewall Rules
Advanced Rate Limiting Rules
Each feature can be consulted independently, allowing for parallel execution of steps based on the importance of protected web assets.
1. DNS Records Extraction
To begin, extract the customer's DNS records to identify all subdomains that require DDoS protection. Follow these steps:
Navigate to Choose a website → DNS → Records.
Use the “Import and Export” button to download the DNS records into a text file, which can be converted into Excel for easier analysis.
Review the list with stakeholders to prioritize the important endpoints, excluding staging and otherwise irrelevant subdomains from the hardening scope.
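The export described above is a BIND-style zone file. As an added example that is not part of the original article, the following Python parses such an export, lists the hostnames that can be put in scope, separates out names matching staging-style labels, and flags records that are not proxied through Cloudflare (a DNS-only record bypasses the WAF entirely, whatever rules are configured). The zone text is constructed; the `cf_tags=cf-proxied:` trailing comment is the form seen in Cloudflare exports in practice and the parser tolerates its absence.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample in the BIND-style format Cloudflare's "Export" produces.
ZONE_EXPORT = """\
;; Domain:     example.com.
;; Exported:   2024-01-01 00:00:00
$ORIGIN example.com.
$TTL 1
;; A Records
www.example.com.\t1\tIN\tA\t192.0.2.10 ; cf_tags=cf-proxied:true
api.example.com.\t1\tIN\tA\t192.0.2.11 ; cf_tags=cf-proxied:false
staging.example.com.\t1\tIN\tA\t192.0.2.12 ; cf_tags=cf-proxied:true
;; CNAME Records
shop.example.com.\t1\tIN\tCNAME\tshop.example.com.cdn.example.net. ; cf_tags=cf-proxied:true
;; MX Records
example.com.\t1\tIN\tMX\t10 mail.example.com.
;; TXT Records
example.com.\t1\tIN\tTXT\t"v=spf1 -all"
"""


class DnsRecord(NamedTuple):
    name: str          # fully qualified name, trailing dot removed, lower-cased
    rtype: str         # A, AAAA, CNAME, MX, TXT, ...
    content: str       # rdata as exported
    proxied: Optional[bool]  # None when the export carries no cf-proxied tag


def parse_zone_export(text: str) -> list[DnsRecord]:
    """Parse 'name TTL class type rdata [; cf_tags=...]' lines; skip comments and $ directives."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("$"):
            continue
        # Everything after the first ';' is a comment (rdata containing ';' would need a real parser).
        body, _, comment = line.partition(";")
        parts = body.split()
        if len(parts) < 5:
            continue
        name, _ttl, _klass, rtype, *rdata = parts
        tag = re.search(r"cf-proxied:(true|false)", comment)
        proxied = (tag.group(1) == "true") if tag else None
        records.append(DnsRecord(name.rstrip(".").lower(), rtype.upper(), " ".join(rdata), proxied))
    return records


WEB_TYPES = {"A", "AAAA", "CNAME"}  # record types that can front an HTTP endpoint


def web_hostnames(records, exclude_labels=("staging", "dev", "test")):
    """Split web-facing hostnames into (in_scope, excluded) by matching the leftmost label."""
    in_scope, excluded = set(), set()
    for r in records:
        if r.rtype not in WEB_TYPES:
            continue
        label = r.name.split(".")[0]
        (excluded if any(x in label for x in exclude_labels) else in_scope).add(r.name)
    return sorted(in_scope), sorted(excluded)


def unproxied_hostnames(records):
    """Web-facing names exported as DNS-only: these never pass through the WAF."""
    return sorted(r.name for r in records if r.rtype in WEB_TYPES and r.proxied is False)


if __name__ == "__main__":
    recs = parse_zone_export(ZONE_EXPORT)
    scope, skipped = web_hostnames(recs)
    print("in scope:", scope)
    print("excluded:", skipped)
    print("not proxied (no WAF coverage):", unproxied_hostnames(recs))
```

Running the script prints the three lists; the "not proxied" list is the one to raise with stakeholders before any WAF work, since hardening rules cannot protect an origin that clients reach directly.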
2. Caching Settings
Caching Level
The caching level determines how much of the website’s static content is cached by Cloudflare. The three options are:
Standard: Different resource for every defined query string.
Ignore Query String: Same resource delivered regardless of the query string.
No Query String: Files cached only when there is no query string.
Recommendation: Use the Standard option, and configure specific caching needs using Cache Rules when necessary.
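To make the three caching levels concrete, here is an added Python model (not Cloudflare's code) that derives the cache key each level would use for a URL and counts how many requests of a sample stream would reach the origin from a cold cache. The URLs are constructed. It shows why query-string handling matters for DDoS protection: at the Standard level every distinct query string is a cache miss that the origin has to serve.

```python
from urllib.parse import urlsplit

LEVELS = ("standard", "ignore_query_string", "no_query_string")


def cache_key(url: str, level: str):
    """Cache key for `url` at the given caching level, or None when the level does not cache it.
    Models the documented behaviour of the three levels; assumes a plain host+path+query key."""
    parts = urlsplit(url)
    base = f"{parts.netloc}{parts.path or '/'}"
    if level == "standard":             # different resource for every query string
        return f"{base}?{parts.query}" if parts.query else base
    if level == "ignore_query_string":  # same resource regardless of query string
        return base
    if level == "no_query_string":      # cached only when there is no query string
        return None if parts.query else base
    raise ValueError(f"unknown caching level: {level}")


def origin_fetches(urls, level: str) -> int:
    """Requests that hit the origin from a cold cache: one per new key plus every uncacheable URL."""
    seen, fetches = set(), 0
    for url in urls:
        key = cache_key(url, level)
        if key is None or key not in seen:
            fetches += 1
        if key is not None:
            seen.add(key)
    return fetches


# Constructed request stream: the same page requested plain and with varying query strings.
SAMPLE_URLS = [
    "https://www.example.com/",
    "https://www.example.com/?v=1",
    "https://www.example.com/?v=2",
    "https://www.example.com/",
]

if __name__ == "__main__":
    for level in LEVELS:
        print(f"{level:20s} origin fetches: {origin_fetches(SAMPLE_URLS, level)}")
```

The table the script prints is the reasoning behind the recommendation: keep Standard as the global default so parameterised pages stay correct, then use Cache Rules to collapse the query string on endpoints where it does not change the response, so that a flood of query-string variants is absorbed by the cache instead of the origin.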
Cache Rules
Configure Cache Rules to specify which resources should be cached and for how long. Common uses include:
Caching HTML files.
Respecting origin server caching headers.
Enabling advanced caching features.
Tiered Cache
Enable Tiered Caching to optimize performance, allowing upper-tier caching servers to request content from the origin and distribute it to lower tiers.
3. Bot Management
Cloudflare’s bot management service assigns a bot score to each request. Recommendations include:
Create a custom firewall rule to block requests with a bot score of 1.
Set a rate limit rule to block requests with low bot scores.
Block requests with unique JA3 fingerprints during incident response.
4. Challenges
Cloudflare challenges can protect endpoints served by human interfaces. Types of challenges include:
Managed challenges.
JS challenges.
Interactive challenges (CAPTCHA).
Best Practice: Conduct a challenge lab in a staging environment to ensure legitimate traffic can pass the challenges.
5. Custom Firewall Rules
Custom firewall rules can be configured for various use cases including:
Blocking Bot Score 1 requests.
Enforcing challenges for sensitive endpoints.
Blocking malicious ASNs and undesired countries.
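The rules in sections 3 and 5 (bot score 1, JA3 blocklist during incident response, challenges on sensitive endpoints, ASN and country blocks) can be tried out offline before they are enforced. The following Python is an added example, not Cloudflare's evaluator or the article's own code: it models a request as a dictionary keyed by the Cloudflare Rules language field names, lists each rule next to the expression it corresponds to, and evaluates the rules in order with first match winning. The ASNs, country code, JA3 hash and paths are placeholders, and the traffic sample is constructed.

```python
from dataclasses import dataclass
from typing import Callable

# Placeholder values: private-use ASNs, a non-existent ISO code, a dummy hash. Real lists
# come from the investigation, not from this example.
BLOCKED_ASNS = {64500, 64501}
BLOCKED_COUNTRIES = {"XX"}
IR_JA3_BLOCKLIST = {"PLACEHOLDER_JA3_HASH_FROM_INCIDENT"}
SENSITIVE_PATHS = {"/login", "/account/reset"}  # human-facing pages only; APIs cannot pass a challenge


@dataclass(frozen=True)
class Rule:
    name: str
    expression: str                  # equivalent Cloudflare Rules language, for the reader
    match: Callable[[dict], bool]    # local predicate over the request dictionary
    action: str                      # block | managed_challenge | js_challenge | challenge


RULES = [
    Rule("Block bot score 1", "(cf.bot_management.score eq 1)",
         lambda r: r.get("cf.bot_management.score") == 1, "block"),
    Rule("Block IR JA3 fingerprints", '(cf.bot_management.ja3_hash in {"<hash>"})',
         lambda r: r.get("cf.bot_management.ja3_hash") in IR_JA3_BLOCKLIST, "block"),
    Rule("Block listed ASNs", "(ip.geoip.asnum in {64500 64501})",
         lambda r: r.get("ip.geoip.asnum") in BLOCKED_ASNS, "block"),
    Rule("Block listed countries", '(ip.geoip.country in {"XX"})',
         lambda r: r.get("ip.geoip.country") in BLOCKED_COUNTRIES, "block"),
    Rule("Challenge sensitive endpoints", '(http.request.uri.path in {"/login" "/account/reset"})',
         lambda r: r.get("http.request.uri.path") in SENSITIVE_PATHS, "managed_challenge"),
]


def evaluate(request: dict, rules=RULES):
    """Return (action, rule_name) for the first matching rule, or ("allow", None)."""
    for rule in rules:
        if rule.match(request):
            return rule.action, rule.name
    return "allow", None


def dry_run(requests, rules=RULES):
    """Count actions over a traffic sample: the check to do before switching rules to enforce."""
    counts = {}
    for req in requests:
        action, _ = evaluate(req, rules)
        counts[action] = counts.get(action, 0) + 1
    return counts


# Constructed sample traffic (RFC 5737 addresses, placeholder ASNs and countries).
SAMPLE_TRAFFIC = [
    {"ip.src": "203.0.113.5", "cf.bot_management.score": 1, "ip.geoip.asnum": 64496,
     "ip.geoip.country": "ZZ", "http.request.uri.path": "/"},
    {"ip.src": "198.51.100.7", "cf.bot_management.score": 85, "ip.geoip.asnum": 64496,
     "ip.geoip.country": "ZZ", "http.request.uri.path": "/login"},
    {"ip.src": "192.0.2.44", "cf.bot_management.score": 85, "ip.geoip.asnum": 64500,
     "ip.geoip.country": "ZZ", "http.request.uri.path": "/"},
    {"ip.src": "192.0.2.45", "cf.bot_management.score": 85, "ip.geoip.asnum": 64496,
     "ip.geoip.country": "ZZ", "http.request.uri.path": "/products"},
]

if __name__ == "__main__":
    for req in SAMPLE_TRAFFIC:
        print(req["ip.src"], req["http.request.uri.path"], "->", evaluate(req))
    print("summary:", dry_run(SAMPLE_TRAFFIC))
```

Rule order is part of the design: the blocks come first so that a request from a blocked ASN is never offered a challenge it could pass, and the challenge rule is last and limited to pages a browser renders, in line with section 4. Running `dry_run` over a day of exported logs, rather than the four constructed requests here, is the offline equivalent of the challenge lab.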
6. Advanced Rate Limiting Rules
With the deprecation of Basic rate limit rules, Advanced rate limiting rules are recommended. Steps to configure a general rate limit rule:
Choose “Host” in the Field dropdown and enter the hostname.
Uncheck “Also apply rate limiting to cached assets”.
Set the unique identifier to “IP”.
Establish a threshold, starting with a 10-second or 1-minute interval.
Set action to “Log” initially, then switch to “Block” after tuning.
Change the response code to 403 so the response does not reveal that a rate limit was hit.
Tuning Rate Limit Rules
To fine-tune rate limit rules, use a trial-and-error method over 1-2 weeks. Adjust thresholds based on real traffic and observe the logged violations to reach an optimal setting.
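The steps in section 6 and the tuning loop above can be rehearsed against a request log before any rule is enforced. The Python below is an added example, not Cloudflare's implementation or the article's own code: it replays a constructed log through a model of the rule (scoped to one host, keyed by client IP, a 10-second period, cached assets excluded, "Log" or "Block" action, 403 on block) and then shows how many distinct IPs each candidate threshold would have caught, which is the number one watches while tuning. The window is modelled as a sliding window and the mitigation timeout as a fixed pause; both are simplifications.

```python
from collections import defaultdict, deque


def constructed_log() -> str:
    """Constructed log lines: '<epoch_seconds> <ip> <host> <method> <path> <cache_status>'."""
    base = 1700000000.0
    lines = []
    # 203.0.113.5: 12 uncached requests in 5.5 s (a burst)
    lines += [f"{base + i * 0.5:.1f} 203.0.113.5 www.example.com GET /api/search MISS" for i in range(12)]
    # 198.51.100.7: 4 requests spread over 30 s (ordinary browsing)
    lines += [f"{base + i * 10:.1f} 198.51.100.7 www.example.com GET /page/{i} MISS" for i in range(4)]
    # 192.0.2.44: 15 cache hits in 3 s (ignored unless cached assets are rate limited)
    lines += [f"{base + i * 0.2:.1f} 192.0.2.44 www.example.com GET /static/app.js HIT" for i in range(15)]
    return "\n".join(lines)


def parse_log(text: str):
    """Parse log lines into (ts, ip, host, method, path, cache_status) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, host, method, path, cache = line.split()
            events.append((float(ts), ip, host, method, path, cache))
    return sorted(events)


def simulate(events, host, threshold, period=10.0, action="log", count_cached=False, timeout=10.0):
    """Replay events through one rate limit rule.
    More than `threshold` counted requests from one IP within `period` seconds starts a
    mitigation lasting `timeout` seconds. Returns (responses, violations): one status code per
    event on `host`, and (ip, ts, count) for each time an IP first exceeded the threshold."""
    windows = defaultdict(deque)   # per-IP timestamps inside the sliding window
    blocked_until = {}             # per-IP end of the current mitigation
    responses, violations = [], []
    mitigated_status = 403 if action == "block" else 200   # "Log" lets the request through
    for ts, ip, h, _method, _path, cache in events:
        if h != host:
            continue
        if cache == "HIT" and not count_cached:   # "Also apply to cached assets" unchecked
            responses.append(200)
            continue
        if ts < blocked_until.get(ip, -1.0):
            responses.append(mitigated_status)
            continue
        window = windows[ip]
        window.append(ts)
        while window and window[0] <= ts - period:
            window.popleft()
        if len(window) > threshold:
            violations.append((ip, ts, len(window)))
            blocked_until[ip] = ts + timeout
            window.clear()
            responses.append(mitigated_status)
        else:
            responses.append(200)
    return responses, violations


def tuning_table(events, host, thresholds, **kwargs):
    """Distinct IPs that would trip each candidate threshold, evaluated in log mode."""
    return {t: len({ip for ip, _, _ in simulate(events, host, t, action="log", **kwargs)[1]})
            for t in thresholds}


if __name__ == "__main__":
    events = parse_log(constructed_log())
    _, violations = simulate(events, "www.example.com", threshold=10, action="log")
    print("log mode violations:", violations)
    print("IPs tripped per threshold:", tuning_table(events, "www.example.com", (5, 10, 20)))
    print("same, counting cached assets:",
          tuning_table(events, "www.example.com", (5, 10, 20), count_cached=True))
```

In the constructed sample only the bursting client trips thresholds of 5 or 10, the browsing client never does, and the cache-hit client only appears when cached assets are counted, which is the cost of leaving that box checked. Over real traffic the threshold to keep is the lowest one whose violation list contains no legitimate clients; switch the action from Log to Block only after that list has been stable for the tuning period.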