DDoS attacks can be stopped by CloudFlare

Since Christmas, one of my domains has been hit by about 2,071 different connections per minute, not a lot you may think, but it slowly started to overload my server until it crashed. I upgraded the server, and it again crashed. In the end, I had to increase the performance of the server 60x until it responded to the requests I was getting, upon which point I realised there wasn't much I could do.

This was due to the amount of queries that Drupal makes. I had installed things such as Boost, and other items that are meant to help minimise the footprint of each user, but it was just too much.

The options I had were either pay for the more powerful server, and accept the connections, even though none of them were legitimate (the domain itself actually redirects to my main blog, none of the connections got redirected, so a straight off domain attack), or use a man-in-the-middle DNS service, such as CloudFlare.

I had heard of CloudFlare before, but never felt the need to try it out, the guys over at RackSpace recommended it to me each time I opened a support ticket regarding the DDoS, so I got my wallet ready and went to the site to sign up.

CloudFlare has a free service

I was pleasantly surprised there was a free service, which would suffice for what I needed, I signed up and set my DNS to point to CloudFlare's servers, instantly it started to work, I could see a detailed list of what was hitting my site, and how much of those hits were bad.

My next move was to change my security settings for that particular domain to "I'm under attack!". What this does is check the user's browser and connection upon them browsing to your website, the screen looks like this:

This stopped the attack pretty much immediately, and meant I could finally downgrade the server to the setting I wanted it to be.

CloudFlare Analytics

The other fantastic thing that CloudFlare does is provide basic analytics of your users. Unlike Google Analytics, and other analytics on the market, they are mostly JavaScript based, meaning they only work if:

  • The browser supports javascript
  • They are an actual browser, not a bot etc.

This means you can get a really good insight into actually who is browsing your site:


CloudFlare in action

Below is a screencast of the start a DDoS as soon as I turn off "I'm under attack!" mode on CloudFlare:

CloudFlare DDoS protection in action from Dan Clarke on Vimeo.


Hope this helped someone, if you had any issues or questions surrounding CloudFlare, please feel free to ask.