CloudFlare’s free and paid services can be used to improve the security, speed, and availability of a website in a variety of ways. In this tutorial, we will show you how to use CloudFlare’s free tier service to protect your web servers against ongoing HTTP-based DDoS attacks by enabling “I’m Under Attack Mode”.
Note: This tutorial will require the use of CloudFlare’s nameservers. You must also sign up for a CloudFlare account before continuing.
After logging in, you will be taken to the Get Started with CloudFlare page. Here, you must add your website to CloudFlare:
Enter the domain name that you want to use CloudFlare with and click the Begin Scan button. You should be taken to a page that looks like this:
This takes about a minute. When it is complete, click the Continue button.
The next page shows the results of the DNS record scan. Be sure that all of your existing DNS records are present, as these are the records that CloudFlare will use to resolve requests to your domain. In our example, we used cockroach.nyc as the domain:
Note that, for your A and CNAME records that point to your web server(s), the Status column should have an orange cloud with an arrow going through it. This indicates that the traffic will flow through CloudFlare’s reverse proxy before hitting your server(s).
Next, select your CloudFlare plan. In this tutorial, we will select the Free plan option. If you want to pay for a different plan because you want additional CloudFlare features, feel free to do so:
The next page will display a table of your domain’s current nameservers and what they should be changed to. Two of them should be changed to CloudFlare nameservers, and the remaining entries should be removed. Here is an example of what the page might look like:
To change your domain’s nameservers, log in to your domain registrar control panel and make the DNS changes that CloudFlare presented. For example, if you purchased your domain through a registrar like GoDaddy or NameCheap, you will need to log into appropriate registrar’s control panel and make the changes there.
When you are finished changing your nameservers, click the Continue button. It can take up to 24 hours for the nameservers to switch but it usually only takes several minutes.
Because updating nameservers takes an unpredictable amount of time, it is likely that you will see this page next:
The Pending status means that CloudFlare is waiting for the nameservers to update to the ones that it prescribed (e.g. olga.ns.cloudflare.com and rob.ns.cloudflare.com). If you changed your domain’s nameservers, all you have to do is wait and check back later for an Active status. If you click the Recheck Nameservers button or navigate to the CloudFlare dashboard, it will check if the nameservers have updated.
Once the nameservers update, your domain will be using CloudFlare’s DNS and you will see it has an Active status, like this:
This means that CloudFlare is acting as a reverse proxy to your website, and you have access to whichever features are available to the pricing tier that you signed up for. If you’re using the free tier, as we are in this tutorial, you will have access some of the features that can improve your site’s security, speed, and availability.
Before continuing, to get the most out of CloudFlare, you will want to follow this guide: Recommended First Steps for all CloudFlare users. This is important to ensure that CloudFlare will allow legitimate connections from services that you want to allow, and so that your web server logs will show the original visitor IP addresses (instead of CloudFlare’s reverse proxy IP addresses).
Once you’re all set up, let’s take a look at the I’m Under Attack Mode setting in the CloudFlare firewall.
By default, CloudFlare’s firewall security is set to Medium. This offers some protection against visitors who are rated as a moderate threat by presenting them with a challenge page before allowing them to continue to your site. However, if your site is the target of a DDoS attack, that may not be enough to keep your site operational. In this case, the I’m Under Attack Mode might be appropriate for you.
If you enable this mode, any visitor to your website will be presented with an interstitial page that performs some browser checks and delays the visitor for about 5 seconds before passing them to your server. It will look something like this:
If the checks pass, the visitor will be allowed through to your website. The combination of preventing and delaying malicious visitors from connecting to your site is often enough to keep it up and running, even during a DDoS attack.
Keep in mind that you only want to have I’m Under Attack Mode enabled when your site is the victim of a DDoS attack. Otherwise, it should be turned off so it does not delay normal users from accessing your website for no reason.
If you want enable I’m Under Attack Mode, the easiest way is to go to the CloudFlare Overview page (the default page) and select it from the Quick Actions menu:
The security settings will immediately switch to I’m Under Attack status. Now, any visitors to your site will be presented with the CloudFlare interstitial page that was described above.
As the I’m Under Attack Mode should only be used during DDoS emergencies, you should disable it if you aren’t under attack. To do so, go to the CloudFlare Overview page, and click the Disable button:
Then select the security level that you would like to switch to. The default and generally recommended, mode is Medium:
Your site should revert back to an Active status, and the DDoS protection page will be disabled.
Now that your website is using CloudFlare, you have another tool to easily protect it against HTTP-based DDoS attacks. There are also a variety of other tools that CloudFlare provides that you may be interested in setting up, like free SSL certificates. As such, it is recommended that you explore the options and see what is useful to you.