Progress of work
After the client’s request, we immediately checked the website and found that it loaded endlessly and sometimes did not open at all. The client then received an email from the hosting provider notifying them of a temporary access restriction due to an excessive number of requests. This was the first alarming signal.
Diagnosis: Identifying a DDoS Attack
We immediately analyzed the situation. Access to the server logs was difficult, but we managed to get some data through the hosting control panel. This is what we found:

- Anomalous number of requests: Under normal conditions, the website had 100-200 unique visitors per hour. At the time of the attack, the request rate exceeded 1000 requests per second.
- Distributed nature: The requests came from thousands of different IP addresses worldwide. This meant that blocking one or a few addresses would not help, and it confirmed that this was a DDoS attack.
- Attack type: Most requests were directed to static pages, which indicated an HTTP flood (overloading the server with simple GET/POST requests). This is a simple but effective DDoS method that does not require many resources from the attackers.
The hosting capacity purchased by the client was simply not enough to handle such a load. As a result, to protect their servers, the hosting provider was forced to limit access to the website, which led to its complete downtime.
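The three indicators above (request rate, spread across source IPs, share of static-page requests) can be computed from an access log export. The following is an added example, not the tooling used in this case; the log layout, the thresholds, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed layout: common/combined access log (IP, [timestamp], "METHOD path proto", status).
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
STATIC_EXT = (".html", ".htm", ".css", ".js", ".png", ".jpg", ".svg", ".ico")

def is_static(path):
    """Treat directory URLs and common static extensions as static pages."""
    path = path.split("?", 1)[0].lower()
    return path.endswith("/") or path.endswith(STATIC_EXT)

def flood_summary(lines):
    """Return peak requests/second, unique IPs, top-IP share and static share."""
    per_second, per_ip, static, total = Counter(), Counter(), 0, 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        ip, ts, _method, path, _status = m.groups()
        per_second[ts] += 1  # the log timestamp already has one-second resolution
        per_ip[ip] += 1
        static += is_static(path)
        total += 1
    if total == 0:
        return None
    return {"total": total, "peak_rps": max(per_second.values()),
            "unique_ips": len(per_ip), "top_ip_share": max(per_ip.values()) / total,
            "static_share": static / total}

def is_distributed_http_flood(s, min_rps=1000, max_top_ip_share=0.05, min_static_share=0.5):
    """Thresholds are illustrative assumptions; tune them to the site's baseline."""
    return (s is not None and s["peak_rps"] >= min_rps
            and s["top_ip_share"] <= max_top_ip_share
            and s["static_share"] >= min_static_share)

def constructed_sample():
    """Constructed log: 1200 GETs in one second from 600 documentation-range IPs, plus 3 POSTs."""
    pages = ["/", "/about.html", "/contacts.html"]
    fmt = '{ip} - - [{ts} +0000] "{m} {p} HTTP/1.1" 200 512'
    lines = [fmt.format(ip=f"2001:db8::{i % 600:x}", ts="10/Mar/2024:12:00:00",
                        m="GET", p=pages[i % 3]) for i in range(1200)]
    lines += [fmt.format(ip="192.0.2.10", ts=f"10/Mar/2024:11:59:0{i}",
                         m="POST", p="/api/order") for i in range(3)]
    return lines

if __name__ == "__main__":
    print(flood_summary(constructed_sample()))
```

A low `top_ip_share` together with a high `peak_rps` is what separates a distributed flood from a single noisy client, which a per-address block would handle.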
Solution Implementation: Phased Deployment of Cloudflare
To solve the problem, we chose Cloudflare as the main protection tool. This service acts as an intermediate layer between the user and the server, allowing malicious traffic to be filtered out before it even reaches the hosting.

Step 1: Changing DNS records. We changed the domain’s NS (name server) records to those provided by Cloudflare. This routes all traffic through Cloudflare’s global network. At this stage, the client’s site remained inaccessible, but we were already laying the groundwork for protection.
Step 2: Configuring basic DDoS protection. After changing the DNS records, we activated “I’m Under Attack Mode” in Cloudflare. This is a temporary but powerful measure that applies additional checks to all visitors (e.g., showing a CAPTCHA or a JavaScript check) to filter out bots.
Step 3: Implementing Web Application Firewall (WAF) rules. We created WAF rules that blocked requests matching the characteristic patterns of a DDoS attack. For example, we set a limit on the number of requests from a single IP address to 1 request per 60 seconds. This effectively stopped the flood without harming legitimate users.
Step 4: Optimization and adaptation. After the DDoS attack was repelled, we turned off “I’m Under Attack Mode” and moved to a more flexible configuration. We set the “Security Level” to “High,” which allowed Cloudflare to automatically block suspicious visitors based on their behavior and history. If Cloudflare notices an anomalous surge in traffic, it automatically activates additional checks, protecting the site from new attacks.