Improve your site with free and paid apps:

Cloudflare Developer Fund

Cloudflare and world class investment firms invest $100 Million to deliver powerful tools for the Internet. The Cloudflare Developer Fund is looking for companies that are building apps on Cloudflare’s platform.

Protect Against DDoS Attack

Unmetered mitigation of DDoS to maintain performance and availability

Attackers are increasing their frequency and volume of Distributed Denial of Service (DDoS) attacks. By leveraging botnets and the millions of Internet-of-Things (IoT) devices, they are able to wage highly distributed volumetric attacks with greater ease and impact. In addition to higher volumes, attackers are shifting their focus from the network layer to the application layer. Application layer attacks are harder to detect, often require fewer resources to bring down a website or application, and can disrupt operations with greater impact.

DDoS attacks disrupt normal business operations by degrading website and application performance and availability, sometimes knocking them offline completely. The average hourly cost of downtime due to an infrastructure failure is $100,000 per hour. Attacks of this nature likely lead to customer churn, brand degradation, and lost business.

Websites and applications require the resilience and intelligence of a scalable network to combat the biggest and newest attacks. Protecting against threats should not degrade performance caused by security induced latencies and security services must be easy to configure to eliminate misconfigurations, which introduce new vulnerabilities.

Under DDoS attack?
Contact Our Team
UK callers: +44 (0)20 3514 6970
Singapore callers: +65 3158 3954
International callers: +1 (650) 319 8930
Related Products
Defend against the largest attacks icon

Defend against the largest attacks

Cloudflare’s network capacity is 10x bigger than the largest DDoS attack ever recorded. With 10 Tbps of capacity, it can can handle any modern DDoS attack, including those targeting DNS infrastructure.

Shared Network Intelligence icon

Shared Network Intelligence

With every new property, Cloudflare’s network becomes smarter. Cloudflare’s IP reputation database with predictive security identifies and blocks new and evolving threats across all 6 million properties on the network.

No Performance Tradeoffs icon

No Performance Tradeoffs

Eliminate security induced latencies by integrating with Cloudflare’s included performance services, including CDN, smart routing, website optimizations, and the latest web standards.

Common Types of DDoS Attacks

DNS Flood

By disrupting DNS resolution, a DNS flood attack will make a website, API, or web application non-performant or completely unavailable.

UDP Amplification (Layer 3 & 4)

An attacker leverages the functionality of open DNS or NTP resolvers to overwhelm a target server or network with amplified request traffic, meaning the payload size is greater than the size of an originating request.

HTTP Flood (Layer 7)

HTTP flood attacks generate high volumes of HTTP, GET, or POST requests from multiple sources, targeting the application layer, causing service degradation or unavailability.

Layered Security Defense

Cloudflare’s layered security approach combines multiple security capabilities into one service. It prevents disruptions caused by bad traffic, while allowing good traffic through, keeping websites, applications and APIs highly available and performant.

Layered DDoS Protection Layered DDoS Protection

Key Results

226,500,000

attacks blocked between August 2015 and November 2016 — 500,000 attacks per day — and not one was successful.

95%

total monthly bandwidth savings.

$250,000

cost savings on servers, bandwidth, personnel, and other security measures.

Read the Case Study

“Cloudflare allowed us to run President Trump’s campaign site for a fraction of the cost that the other candidates were paying, while providing us with the protection and security we needed.”

Brad Parscale

President of Giles-Parscale

Digital Director of Trump's Campaign

Flat-Rate Pricing

All Cloudflare plans offer unlimited and unmetered mitigation of distributed denial-of-service (DDoS) attacks, regardless of the size of attack at no extra cost. No customer should be penalized for spikes in network traffic associated with a distributed attack. Cloudflare DDoS protection ensures all Internet properties stay online, while infrastructure costs remain predictable.

Flat price DDOS protection

Mitigating Historic Attacks

Cloudflare engineers have witnessed some of the largest attacks in history unfold. Learn how we handled them in our developer blog.

400Gbps: Winter of Whopping Layer 3 DDoS Attacks

In the winter of 2016, Cloudflare mitigated its largest Layer 3 distributed attack to date. Not only was it stopped, but accurately measured and analyzed. Read more

Details Behind a 400Gbps NTP Amplification Attack

Distributed attacks take all shapes and forms. In this 400Gbps amplification attack, an attacker used 4,529 NTP servers to amplify an attack from a mere 87 Mbps source server.
Read more

The DDoS Attack That Almost Broke the Internet

Cloudflare has been fighting historic distributed attacks for over 7 years. In 2013, the 120 Gbs on Spamhaus was considered a big attack, and Cloudflare was able to keep their website online. Read more

More Cloudflare Security Solutions

prevent customer data breach diagram

Prevent Customer Data Breach

Prevent attackers from compromising sensitive customer data, such as user credentials, credit card information, and other personally identifiable information.

block malicious bot abuse diagram

Block Malicious Bot Abuse

Block abusive bots from damaging Internet properties through content scraping, fraudulent checkout, and account takeover.

Trusted by over 6,000,000 customers

Cloudflare Features

Cloudflare protects all Internet assets on its network, while eliminating security-related performance trade-offs through its suite of performance improving functionalities.

Performance

Cloudflare Performance Services help to speed up Internet assets, resulting in better SEO, reduced customer churn, increased conversions, and improved visitor experiences.

  • Content Delivery Network (CDN)

    With 117 data centers across 57 countries, Cloudflare’s Anycast CDN caches static content at the edge, reducing latency by delivering assets as close as geographically possible to visitors.
  • Website Optimizations

    Cloudflare includes a suite of web optimizations to improve the performance of Internet assets. Optimizations include the latest web standards, such as HTTP/2 and TLS 1.3, as well as proprietary enhancements for images and mobile device visitors.
  • DNS

    Cloudflare is the fastest managed DNS provider in the world, routing over 38% of all global DNS traffic. Cloudflare has multiple ways to achieve maximum performance for online assets.
  • Load Balancing

    Cloudflare Load Balancing provides load balancing, geo-steering, monitoring and failover for single, hybrid-cloud, and multi-cloud environments, enhancing performance and availability.
  • Argo Smart Routing

    Argo Smart Routing improves Internet asset performance on average of 35% by routing visitors through the least congested and most reliable paths on Cloudflare's private network.
  • Railgun

    Railgun compresses previously uncacheable web objects up to 99.6% by leveraging techniques similar to those used in the compression of high-quality video. This results in an average 200% additional performance increase.

Security

Cloudflare Security Services help to reduce the risk of losing customers, revenues, and trustworthiness of brand by protecting against DDoS attacks, abusive bots, and data compromise.

  • Anycast Network

    With 117 data centers across 57 countries and 10 Tbps of capacity, Cloudflare’s Anycast network absorbs distributed attack traffic by dispersing it geographically, while keeping Internet properties available and performant.
  • DNSSEC

    DNSSEC is the Internet’s non-spoofable caller ID. It guarantees a web application’s traffic is safely routed to the correct servers so that a site’s visitors are not intercepted by a hidden “man-in-the-middle” attacker.
  • Web Application Firewall (WAF)

    Cloudflare’s enterprise-grade web application firewall (WAF) detects and block common application layer vulnerabilities at the network edge, utilising the OWASP Top 10, application-specific and custom rulesets.
  • Rate Limiting

    Rate Limiting protects critical resources by providing fine-grained control to block or qualify visitors with suspicious request rates.
  • SSL / TLS

    Transport Security Layer (TLS) encryption enables HTTPS connections between visitors and origin server(s), preventing man-in-the-middle attacks, packet sniffing, the display of web browser trust warnings, and more.
  • Secure Registrar

    Cloudflare is an ICANN accredited registrar, protecting organizations from domain hijacking with high-touch, online and offline verification for any changes to a registrar account.
  • Orbit

    Cloudflare Orbit solves security-related issues for Internet of Things devices at the network level.

Cloudflare Pricing

Everyone’s Internet application can benefit from using Cloudflare.
Pick a plan that fits your needs.

Free $ 0 /month per website
Expand to see more
For personal websites, blogs, and anyone who wants to explore Cloudflare.

Learn More

The Free Plan includes all of these features:
  • Unmetered Mitigation of DDoS
  • Global CDN
  • Shared SSL certificate
  • 3 page rules
Compare all features
PRO $ 20 /month per website
Expand to see more
For professional websites, blogs, and portfolios requiring basic security and performance.

Learn More

The Pro Plan includes everything in Free, and:
  • Web application firewall (WAF) with Cloudflare rulesets
  • Image optimizations with Polish™
  • Mobile optimizations with Mirage™
  • I'm Under Attack™ mode
  • 20 page rules
Compare all features
BUSINESS $ 200 /month per website
Expand to see more
For small eCommerce websites and businesses requiring advanced security and performance, PCI compliance, and prioritized email support.

Learn More

The Business Plan includes everything in Pro, and:
  • Web application firewall (WAF) with 25 custom rulesets
  • Custom SSL certificate upload
  • PCI compliance thanks to Modern TLS Only mode and WAF
  • Bypass Cache on Cookie
  • Accelerate delivery of dynamic content with Railgun™
  • Prioritized email support
  • 50 page rules
Compare all features
Enterprise contact us
Expand to see more
For companies requiring enterprise-grade security and performance, prioritized 24/7/365 phone, email, or chat support, and guaranteed uptime.

Learn More

The Enterprise Plan everything in Business, and:
  • 24/7/365 enterprise-grade phone, email, and chat support
  • 100% uptime guarantee with 25x reimbursement SLA
  • Enterprise-grade DDoS protection with network prioritization
  • Advanced web application firewall (WAF) with unlimited custom rulesets
  • Multiuser role-based account access
  • Multiple custom SSL certificate uploads
  • Access to Raw Logs
  • Access to Access to account Audit Logs
  • Dedicated solution and customer success engineers
  • Access to China CDN data centers (Additional Cost)
  • 100 page rules
Compare all features

Free

$ 0 / month
 
For personal websites, blogs, and anyone who wants to explore Cloudflare.

Pro

$ 20 / month
per domain
For professional websites, blogs, and portfolios requiring basic security and performance.

Business

$ 200 / month
per domain
For small eCommerce websites and businesses requiring advanced security and performance, PCI compliance, and prioritized email support.

Enterprise

Contact Us
 
For companies requiring enterprise-grade security and performance, prioritized 24/7/365 phone, email, or chat support, and guaranteed uptime.

Mitigating Historic Attacks

Since Cloudflare serves as a proxy for all of your network traffic, we can protect you from any kind of distributed denial-of-service attack, including all of the following:

Layer 3/4

Most attacks target the transport and network layers of a communications system. These layers are represented as layers 3 and 4 of the OSI model. The so called “transport” layer of the network stack specifies the protocol (e.g., TCP or UDP) by which two hosts on a network communicate with one another. Attacks directed at layers 3 and 4 are designed to flood a network interface with attack traffic in order to overwhelm its resources and deny it the ability to respond to legitimate traffic. More specifically, attacks of this nature aim to saturate the capacity of a network switch, or overwhelm a server’s network card or its CPU’s ability to handle attack traffic.

Layer 3 and 4 attacks are difficult—if not impossible—to mitigate with an on-premise solution. If an attacker can send more traffic than a network link can handle, no amount of additional hardware resources will help to mitigate such an attack. For example, if you have a router with a 10Gbps port and an attacker sends you 11Gbps of attack traffic, no amount of intelligent software or hardware will allow you to stop the attack if the network link is completely saturated.

Very large layer 3/4 attacks nearly always originate from a number of sources. These many sources each send attack traffic to a single Internet location creating a tidal wave that overwhelms a target’s resources. In this sense, the attack is distributed. The sources of attack traffic can be a group of individuals working together, a botnet of compromised PCs, a botnet of compromised servers, misconfigured DNS resolvers or even home Internet routers with weak passwords.

Because an attacker launching a layer 3/4 attack doesn’t care about receiving a response to the requests they send, the packets that make up the attack do not have to be accurate or correctly formatted. Attackers will regularly spoof all information in the attack packets, including the source IP, making it look as if the attack is coming from a virtually infinite number of sources. As packet data can be fully randomized, even techniques such as upstream IP filtering become virtually useless.

With Cloudflare, all attack traffic that would otherwise directly hit your server infrastructure is automatically routed to Cloudflare’s global Anycast network of data centers. Once attack traffic is shifted, we are able to leverage the significant global capacity of our network, as well as racks-upon-racks of server infrastructure, to absorb the floods of attack traffic at our network edge. This means that Cloudflare is able to prevent even a single packet of attack traffic from a traditional layer 3/4 attack from ever reaching a site protected by Cloudflare.

DNS Amplification Attacks

DNS amplification attacks, one form of DRDoS, are on the rise and have become the largest source of Layer 3/4 attacks. Cloudflare routinely mitigates attacks that exceed 100Gpbs, and recently protected a customer from an attack that exceeded 300Gbps—an attack the New York Times deemed the “largest publicly announced DDoS attack in the history of the Internet.”

In a DNS reflection attack the attacker sends a request for a large DNS zone file—with the source IP address spoofed as the IP address of the intended victim—to a large number of open DNS resolvers. The resolvers then respond to the request, sending the large DNS zone answer to the IP address of the intended victim. The attackers’ requests themselves are only a fraction of the size of the responses, allowing the attacker to amplify their attack to many times the size of the bandwidth resources they themselves control.

DNS Reflection Attack Without Cloudflare

An attacker gathers resources, like botnets or unsecured DNS recursors, and imitates the target’s IP address. The resources then send a flood of replies to the target, knocking it offline.

Unprotected DNS reflection attack

DNS Reflection Attack With Cloudflare

An attacker gathers resources, like botnets or unsecured DNS recursors, and imitates the target’s IP address. The resources then send a flood of replies to the target, but they are blocked regionally by Cloudflare’s data centers. Legitimate traffic can still access the web property.

DNS reflection attack protection

There are two criterion for an amplification attack: 1.) a query can be sent with a spoofed source address (e.g., via a protocol like ICMP or UDP that does not require a handshake); and 2.) the response to the query is significantly larger than the query itself. DNS is a core, ubiquitous Internet platform that meets these criteria, and therefore has become the largest source of amplification attacks.

DNS queries are typically transmitted over UDP, meaning that, like ICMP queries used in a SMURF attack (described below), they are fire-and-forget. As a result, the source attribute of a DNS query can be spoofed and the receiver has no way of determining its veracity before responding. DNS is also capable of generating a much larger response than query. For example, you can send the following (tiny) query (where x.x.x.x is the IP of an open DNS resolver):

dig ANY isc.org @x.x.x.x +edns=0

And get back the following gigantic response:

; <<>> DiG 9.7.3 <<>> ANY isc.org @x.x.x.x
;; global options: +cmd
;; Got answer:
;; ->>HEADER <<- opcode: QUERY, status: NOERROR, id: 5147
;; flags: qr rd ra; QUERY: 1, ANSWER: 27, AUTHORITY: 4, ADDITIONAL: 5
;; QUESTION SECTION:
;isc.org. IN ANY
;; ANSWER SECTION:
isc.org. 4084 IN SOA ns-int.isc.org. hostmaster.isc.org. 2012102700 7200 3600 24796800 3600
isc.org. 4084 IN A 149.20.64.42
isc.org. 4084 IN MX 10 mx.pao1.isc.org.
isc.org. 4084 IN MX 10 mx.ams1.isc.org.
isc.org. 4084 IN TXT "v=spf1 a mx ip4:204.152.184.0/21 ip4:149.20.0.0/16 ip6:2001:04F8::0/32 ip6:2001:500:60::65/128 ~all"
isc.org. 4084 IN TXT "$Id: isc.org,v 1.1724 2012-10-23 00:36:09 bind Exp $"
isc.org. 4084 IN AAAA 2001:4f8:0:2::d
isc.org. 4084 IN NAPTR 20 0 "S" "SIP+D2U" "" _sip._udp.isc.org.
isc.org. 484 IN NSEC _kerberos.isc.org. A NS SOA MX TXT AAAA NAPTR RRSIG NSEC DNSKEY SPF
isc.org. 4084 IN DNSKEY 256 3 5 BQEAAAAB2F1v2HWzCCE9vNsKfk0K8vd4EBwizNT9KO6WYXj0oxEL4eOJ aXbax/BzPFx+3qO8B8pu8E/JjkWH0oaYz4guUyTVmT5Eelg44Vb1kssy q8W27oQ+9qNiP8Jv6zdOj0uCB/N0fxfVL3371xbednFqoECfSFDZa6Hw jU1qzveSsW0=
isc.org. 4084 IN DNSKEY 257 3 5 BEAAAAOhHQDBrhQbtphgq2wQUpEQ5t4DtUHxoMVFu2hWLDMvoOMRXjGr hhCeFvAZih7yJHf8ZGfW6hd38hXG/xylYCO6Krpbdojwx8YMXLA5/kA+ u50WIL8ZR1R6KTbsYVMf/Qx5RiNbPClw+vT+U8eXEJmO20jIS1ULgqy3 47cBB1zMnnz/4LJpA0da9CbKj3A254T515sNIMcwsB8/2+2E63/zZrQz Bkj0BrN/9Bexjpiks3jRhZatEsXn3dTy47R09Uix5WcJt+xzqZ7+ysyL KOOedS39Z7SDmsn2eA0FKtQpwA6LXeG2w+jxmw3oA8lVUgEf/rzeC/bB yBNsO70aEFTd
isc.org. 4084 IN SPF "v=spf1 a mx ip4:204.152.184.0/21 ip4:149.20.0.0/16 ip6:2001:04F8::0/32 ip6:2001:500:60::65/128 ~all"
isc.org. 484 IN RRSIG NS 5 2 7200 20121125230752 20121026230752 4442 isc.org. oFeNy69Pn+/JnnltGPUZQnYzo1YGglMhS/SZKnlgyMbz+tT2r/2v+X1j AkUl9GRW9JAZU+x0oEj5oNAkRiQqK+D6DC+PGdM2/JHa0X41LnMIE2NX UHDAKMmbqk529fUy3MvA/ZwR9FXurcfYQ5fnpEEaawNS0bKxomw48dcp Aco=
isc.org. 484 IN RRSIG SOA 5 2 7200 20121125230752 20121026230752 4442 isc.org. S+DLHzE/8WQbnSl70geMYoKvGlIuKARVlxmssce+MX6DO/J1xdK9xGac XCuAhRpTMKElKq2dIhKp8vnS2e+JTZLrGl4q/bnrrmhQ9eBS7IFmrQ6s 0cKEEyuijumOPlKCCN9QX7ds4siiTIrEOGhCaamEgRJqVxqCsg1dBUrR hKk=
isc.org. 484 IN RRSIG MX 5 2 7200 20121125230752 20121026230752 4442 isc.org. VFqFWRPyulIT8VsIdXKMpMRJTYpdggoGgOjKJzKJs/6ZrxmbJtmAxgEu /rkwD6Q9JwsUCepNC74EYxzXFvDaNnKp/Qdmt2139h/xoZsw0JVA4Z+b zNQ3kNiDjdV6zl6ELtCVDqj3SiWDZhYB/CR9pNno1FAF2joIjYSwiwbS Lcw=
isc.org. 484 IN RRSIG TXT 5 2 7200 20121125230752 20121026230752 4442 isc.org. Ojj8YCZf3jYL9eO8w4Tl9HjWKP3CKXQRFed8s9xeh5TR3KI3tQTKsSeI JRQaCXkADiRwHt0j7VaJ3xUHa5LCkzetcVgJNPmhovVa1w87Hz4DU6q9 k9bbshvbYtxOF8xny/FCiR5c6NVeLmvvu4xeOqSwIpoo2zvIEfFP9deR UhA=
isc.org. 484 IN RRSIG AAAA 5 2 7200 20121125230752 20121026230752 4442 isc.org. hutAcro0NBMvKU/m+2lF8sgIYyIVWORTp/utIn8KsF1WOwwM2QMGa5C9 /rH/ZQBQgN46ZMmiEm4LxH6mtaKxMsBGZwgzUEdfsvVtr+fS5NUoA1rF wg92eBbInNdCvT0if8m1Sldx5/hSqKn8EAscKfg5BMQp5YDFsllsTauA 8Y4=
isc.org. 484 IN RRSIG NAPTR 5 2 7200 20121125230752 20121026230752 4442 isc.org. ZD14qEHR7jVXn5uJUn6XR9Lvt5Pa7YTEW94hNAn9Lm3Tlnkg11AeZiOU 3woQ1pg+esCQepKCiBlplPLcag3LHlQ19OdACrHGUzzM+rnHY50Rn/H4 XQTqUWHBF2Cs0CvfqRxLvAl5AY6P2bb/iUQ6hV8Go0OFvmMEkJOnxPPw 5i4=
isc.org. 484 IN RRSIG NSEC 5 2 3600 20121125230752 20121026230752 4442 isc.org. rY1hqZAryM045vv3bMY0wgJhxHJQofkXLeRLk20LaU1mVTyu7uair7jb MwDVCVhxF7gfRdgu8x7LPSvJKUl6sn731Y80CnGwszXBp6tVpgw6oOcr Pi0rsnzC6lIarXLwNBFmLZg2Aza6SSirzOPObnmK6PLQCdmaVAPrVJQs FHY=
isc.org. 484 IN RRSIG DNSKEY 5 2 7200 20121125230126 20121026230126 4442 isc.org. i0S2MFqvHB3wOhv2IPozE/IQABM/eDDCV2D7dJ3AuOwi1A3sbYQ29XUd BK82+mxxsET2U6hv64crpbGTNJP3OsMxNOAFA0QYphoMnt0jg3OYg+AC L2j92kx8ZdEhxKiE6pm+cFVBHLLLmXGKLDaVnffLv1GQIl5YrIyy4jiw h0A=
isc.org. 484 IN RRSIG DNSKEY 5 2 7200 20121125230126 20121026230126 12892 isc.org. j1kgWw+wFFw01E2z2kXq+biTG1rrnG1XoP17pIOToZHElgpy7F6kEgyj fN6e2C+gvXxOAABQ+qr76o+P+ZUHrLUEI0ewtC3v4HziMEl0Z2/NE0MH qAEdmEemezKn9O1EAOC7gZ4nU5psmuYlqxcCkUDbW0qhLd+u/8+d6L1S nlrD/vEi4R1SLl2bD5VBtaxczOz+2BEQLveUt/UusS1qhYcFjdCYbHqF JGQziTJv9ssbEDHT7COc05gG+A1Av5tNN5ag7QHWa0VE+Ux0nH7JUy0N ch1kVecPbXJVHRF97CEH5wCDEgcFKAyyhaXXh02fqBGfON8R5mIcgO/F DRdXjA==
isc.org. 484 IN RRSIG SPF 5 2 7200 20121125230752 20121026230752 4442 isc.org. IB/bo9HPjr6aZqPRkzf9bXyK8TpBFj3HNQloqhrguMSBfcMfmJqHxKyD ZoLKZkQk9kPeztau6hj2YnyBoTd0zIVJ5fVSqJPuNqxwm2h9HMs140r3 9HmbnkO7Fe+Lu5AD0s6+E9qayi3wOOwunBgUkkFsC8BjiiGrRKcY8GhC kak=
isc.org. 484 IN RRSIG A 5 2 7200 20121125230752 20121026230752 4442 isc.org. ViS+qg95DibkkZ5kbL8vCBpRUqI2/M9UwthPVCXl8ciglLftiMC9WUzq Ul3FBbri5CKD/YNXqyvjxyvmZfkQLDUmffjDB+ZGqBxSpG8j1fDwK6n1 hWbKf7QSe4LuJZyEgXFEkP16CmVyZCTITUh2TNDmRgsoxrvrOqOePWhp 8+E=
isc.org. 4084 IN NS ns.isc.afilias-nst.info.
isc.org. 4084 IN NS ams.sns-pb.isc.org.
isc.org. 4084 IN NS ord.sns-pb.isc.org.
isc.org. 4084 IN NS sfba.sns-pb.isc.org.
;; AUTHORITY SECTION:
isc.org. 4084 IN NS ns.isc.afilias-nst.info.
isc.org. 4084 IN NS ams.sns-pb.isc.org.
isc.org. 4084 IN NS ord.sns-pb.isc.org.
isc.org. 4084 IN NS sfba.sns-pb.isc.org.
;; ADDITIONAL SECTION:
mx.ams1.isc.org. 484 IN A 199.6.1.65
mx.ams1.isc.org. 484 IN AAAA 2001:500:60::65
mx.pao1.isc.org. 484 IN A 149.20.64.53
mx.pao1.isc.org. 484 IN AAAA 2001:4f8:0:2::2b
_sip._udp.isc.org. 4084 IN SRV 0 1 5060 asterisk.isc.org.
;; Query time: 176 msec
;; SERVER: x.x.x.x#53(x.x.x.x)
;; WHEN: Tue Oct 30 01:14:32 2012
;; MSG SIZE rcvd: 3223

That’s a 64 byte query that resulted in a 3,223 byte response. In other words, an attacker is able to achieve a 50x amplification over whatever traffic they can initiate to an open DNS resolver.

Cloudflare’s “Anycast” network was specifically designed to stop massive layer 3/4 attacks. By using Anycast, we are able to announce the same IP addresses from each of our 117 worldwide data centers. The network itself load balances requests to the nearest facility. Under normal circumstances this helps us ensure that your site’s visitors are automatically routed to the nearest data center on our network to ensure the best performance. When there is an attack, Anycast serves to effectively scatter and dilute attack traffic across our entire network of datacenters. Because every data center announces the same IP address for any Cloudflare customer, traffic cannot be directed to any one location. Instead of the attack being many-to-one, it becomes many-to-many with no single point on the network a single point of failure.

Layer 7 Attacks

A new breed of attacks target Layer 7 of the OSI model, the “application” layer. These attacks focus on specific characteristics of web applications that create bottlenecks. For example, the so-called Slow Read attack sends packets slowly across multiple connections. Because Apache opens a new thread for each connection, and since connections are maintained as long as there is traffic being sent, an attacker can overwhelm a web server by exhausting its thread pool relatively quickly.

Cloudflare has protections in place against many of these attacks, and in real world experiences we generally reduce HTTP attack traffic by 90%. For most attacks, and for most of our customers, this is enough to keep them online. However, the 10% of traffic that does get through traditional protections can still be overwhelming to customers with limited resources or in the face of very large attacks. In this case, Cloudflare offers a security setting called “I’m Under Attack” mode (IUAM).

IUAM is a security level you can set for your site when you’re under attack. When IUAM is turned on, Cloudflare will add an additional layer of protections to stop malicious HTTP traffic from being passed to your server. While a number of additional checks are performed in the background, an interstitial page is presented to your site’s visitors for 5 seconds while the checks are completed. Think of it as a challenge where the tests are automatic and visitors never need to fill in a CAPTCHA.

Layer 7 attack protection

After verified as legitimate by the automated tests, visitors are able to browse your site unencumbered. JavaScript and cookies are required for the tests, and to record the fact that the tests were correctly passed. The page which your visitors see when in IUAM can be fully customized to reflect your branding. I’m Under Attack mode does not block search engine crawlers or your existing Cloudflare whitelist.

SMURF Attacks

One of the first amplification attacks was known as a SMURF attack. In a SMURF attack an attacker sends ICMP requests (i.e., ping requests) to a network’s broadcast address (i.e., X.X.X.255) announced from a router configured to relay ICMP to all devices behind the router. The attacker then spoofs the source of the ICMP request to be the IP address of the intended victim. Because ICMP does not include a handshake, the destination has no means of verifying if the source IP is legitimate. The router receives the request and passes it on to all the devices that sit behind it. Each of these devices then respond back to the ping. The attacker is able to amplify the attack by a multiple equal to the number of devices behind the router (i.e., if you have 5 devices behind the router then the attacker is able to amplify the attack 5x, see the diagram below).

DNS Smurf attack

SMURF attacks are largely a thing of the past. For the most part, network operators have configured their routers to disable the relay of ICMP requests sent to a network’s broadcast address.