How to use CloudFlare to help defend against DDoS attacks

This article describes how to use CloudFlare to help defend against DDoS (distributed denial-of-service) attacks on your web site.

About DDoS attacks and CloudFlare

DDoS (distributed denial-of-service) attacks are becoming more and more common. In this type of attack, multiple computers flood a target site with so much network traffic that it responds very slowly or not at all.

CloudFlare's distributed, redundant network helps absorb the flood of traffic associated with DDoS attacks. Beyond this built-in DDoS protection, CloudFlare provides further protections you can enable, such as “I'm under attack!” mode. This is a security level you enable when your site is under active attack. When enabled, this mode adds extra checks to stop potentially malicious HTTP traffic from reaching your site. Legitimate visitors see the following page for about five seconds while CloudFlare runs checks:

[Image: CloudFlare “I'm under attack!” interstitial page]

After CloudFlare completes its checks, your site loads normally.

In addition to enabling “I'm under attack!” mode, you can whitelist specific IP addresses to add another layer of defense to your web site. The following sections describe how to do both.

Enabling “I'm under attack!” mode in CloudFlare

To enable “I'm under attack!” mode in CloudFlare, follow these steps:

  1. Log in to cPanel.
    If you do not know how to log in to your cPanel account, please see this article.
  2. In the Software/Services section of the cPanel home screen, click CloudFlare.
  3. On the CloudFlare page, click the Security icon.
  4. Next to the domain you want to protect, click Settings.
  5. In the Security Setting list box, select I'm under attack!.
    When the attack has lessened or stopped, you can reset the security level. We recommend using the High setting after an attack, which means CloudFlare challenges all visitors that have exhibited threatening behavior within the last 14 days.

Whitelisting IP addresses

In addition to enabling CloudFlare's “I'm under attack!” mode, you can prevent malicious IP addresses from accessing your site, and grant access only to specific IP addresses that you trust. This process, also known as “whitelisting”, provides another layer of protection for your site.

To do this, follow these steps:

  1. Using the cPanel File Manager or the SSH command prompt, open the /home/username/public_html/.htaccess file in your preferred text editor, where username represents your account username.
    If the .htaccess file does not already exist, create it.
  2. Copy the following text and then paste it into the .htaccess file:
    order deny,allow
    deny from all
    
  3. Use your web browser to go to https://www.cloudflare.com/ips-v4. Copy the entire list of IP addresses, and then paste it into the .htaccess file right after the deny from all line. Each IP address should be on a separate line.

    CloudFlare periodically updates this list of IPv4 addresses for its network. You should whitelist all of these IP addresses to ensure continued CloudFlare functionality for your site.
  4. Add the following text to the start of each line that contains an IP address:

    allow from 
  5. To add additional IP addresses (such as your home or office IP address) to the whitelist, use the same allow from IP_address format.

    If you do not know your own IP address, you can visit http://ipfinder.us.
  6. You should now have an .htaccess file that contains the following content:

    order deny,allow
    deny from all
    allow from 103.21.244.0/22
    [Additional CloudFlare IP addresses to allow]
    [Any other IP addresses you want to allow]
    

    Save your changes to the .htaccess file. Whitelisting is now enabled.

    To undo whitelisting, comment out the previous statements in the .htaccess file by placing a # character in front of each line (or just delete the lines entirely).
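
Steps 2 through 6 can be scripted so the block is easy to regenerate whenever CloudFlare updates its IP list. The shell function below is an added example, not part of the original article; the name build_whitelist and the sample addresses are assumptions. It refuses to emit anything unless every input line is a valid IPv4 address or range, so a failed download or an HTML error page never ends up in .htaccess.

```shell
#!/bin/sh
# build_whitelist (hypothetical name): reads one IPv4 address or CIDR range
# per line on stdin and writes the .htaccess directives from steps 2-6 on
# stdout. Returns 1 and writes nothing if the input is empty or any line is
# not a valid IPv4 address/range.
#
# Real use, with the list URL from step 3 (review the output before
# pasting it into .htaccess):
#   curl -fsS https://www.cloudflare.com/ips-v4 | build_whitelist
build_whitelist() {
    awk '
        # Accept a.b.c.d or a.b.c.d/n with octets 0-255 and n 0-32.
        function valid(s,   p, o, n, i) {
            n = split(s, p, "/")
            if (n > 2) return 0
            if (n == 2 && (p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32)) return 0
            if (split(p[1], o, ".") != 4) return 0
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
            return 1
        }
        { sub(/\r$/, "") }              # tolerate CRLF line endings
        /^[ \t]*$/ { next }             # skip blank lines
        !valid($0) { bad = 1; exit }    # stop at the first invalid line
        { ranges[++count] = $0 }
        END {
            # Print only after the whole input has been checked.
            if (bad || count == 0) exit 1
            print "order deny,allow"
            print "deny from all"
            for (i = 1; i <= count; i++) print "allow from " ranges[i]
        }
    '
}

# Constructed sample input: 103.21.244.0/22 is the range shown in step 6;
# 198.51.100.7 is a documentation address standing in for your own IP.
printf '103.21.244.0/22\n198.51.100.7\n' | build_whitelist
```
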

More Information

For general information about CloudFlare, please visit https://www.cloudflare.com.