The latest articles on DEV Community by Zerlo.net (@zerlo). https://dev.to/zerlo https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3873649%2F1a15c026-91f0-4b38-85e4-d9f9c1e05357.png https://dev.to/zerlo en Zerlo.net Sat, 11 Apr 2026 15:53:03 +0000 https://dev.to/zerlo/what-to-do-when-your-website-is-under-a-ddos-attack-3g6 https://dev.to/zerlo/what-to-do-when-your-website-is-under-a-ddos-attack-3g6 <p>A little while ago, <a href="https://zerlo.net/" rel="noopener noreferrer">Zerlo.net</a> was hit by a DDoS attack.</p> <p>At first, I assumed it was just a technical issue. But after checking our traffic and infrastructure, it became clear that this was not normal user activity. In this post, I’ll show how we identified the attack, how Cloudflare helped reduce the impact, and what actions are worth taking when your website suddenly starts collapsing under artificial load.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8mlfdlh2rhcxhpiuzwzs.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8mlfdlh2rhcxhpiuzwzs.jpg" alt="DDoS attack banner" width="800" height="391"></a></p> <h2> What is a DDoS attack? </h2> <p>A <strong>Distributed Denial of Service (DDoS)</strong> attack tries to make a website or service unavailable by overwhelming it with traffic from many different sources at the same time.</p> <p>In practice, this often means:</p> <ul> <li>huge spikes in requests</li> <li>abnormal load on the origin server</li> <li>suspicious user agents</li> <li>repeated hits on expensive endpoints like login pages, APIs, search, or forms</li> </ul> <p>There are different forms of DDoS:</p> <ul> <li> <strong>network-level attacks</strong> such as UDP or ICMP floods</li> <li> <strong>application-layer attacks (Layer 7)</strong> such as HTTP floods</li> </ul> <p>Layer 7 attacks are especially annoying because they can look more like “normal” traffic at first glance.</p> <h2> How do you recognize it? </h2> <p>A single metric is usually not enough.</p> <p>Typical warning signs are:</p> <ul> <li>sharply rising server load without a corresponding rise in real users</li> <li>many requests hitting expensive endpoints</li> <li>strange or empty user agents</li> <li>unexpected request peaks from unfamiliar ASNs or regions</li> <li>high CPU or I/O load even though you didn’t deploy anything new</li> </ul> <p>One of the biggest clues in our case was this:</p> <p>our own counter tracks <strong>human interactions through JavaScript</strong>, and those numbers were almost identical to the previous day — while the infrastructure load was massively higher.</p> <p>That mismatch is a huge red flag.</p> <h2> Our first practical test </h2> <p>The classic test was simple:</p> <p>run everything locally.</p> <p>If the application itself is broken, you usually see the problem locally as well.<br><br> In our case, local load was basically <strong>0%</strong>, while the public system was struggling hard.</p> <p>That was the moment it became obvious that the pressure was external.</p> <h2> What Cloudflare showed us </h2> <p>Once we checked Cloudflare, the pattern became much clearer.</p> <p>Useful places to look at:</p> <ul> <li><strong>Security Events / Security Analytics</strong></li> <li><strong>Traffic Analytics</strong></li> <li><strong>WAF activity</strong></li> <li><strong>Rate limiting and challenge data</strong></li> </ul> <p>In Cloudflare, you can break traffic down by:</p> <ul> <li>path</li> <li>country</li> <li>ASN</li> <li>method</li> <li>user agent</li> </ul> <p>That makes it much easier to distinguish real traffic from garbage.</p> <p>When we enabled <strong>Under Attack Mode</strong>, the average server load dropped to around <strong>5%</strong>. That was the clearest confirmation we needed.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxoqspcujookrfxi1wcao.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxoqspcujookrfxi1wcao.jpg" alt="Cloudflare statistics showing abnormal traffic spike" width="800" height="324"></a></p> <h2> What Cloudflare is actually doing here </h2> <p>This is the simple version:</p> <p>Cloudflare sits in front of your origin and can challenge suspicious traffic before it ever reaches your infrastructure.</p> <p>That means:</p> <ul> <li>bots have to solve extra work</li> <li>cheap flood traffic becomes more expensive</li> <li>real users usually pass with minimal friction</li> <li>your backend gets breathing room immediately</li> </ul> <p>This does not “prevent DDoS forever”, but it buys time and drastically reduces the damage.</p> <h2> What should you do immediately? </h2> <p>You can’t stop people on the internet from sending packets to your system.</p> <p>So the goal is not “prevent everything forever”.</p> <p>The real goal is:</p> <p><strong>reduce the impact enough so that real users can still use the site.</strong></p> <h3> Short-term actions </h3> <ul> <li>enable <strong>Under Attack Mode</strong> </li> <li>challenge suspicious requests</li> <li>put <strong>rate limiting</strong> on sensitive paths</li> <li>protect forms and login-like endpoints</li> <li>increase caching where possible</li> <li>monitor security analytics closely</li> </ul> <h3> Good candidates for immediate protection </h3> <ul> <li><code>/api/</code></li> <li>form endpoints</li> <li>login pages</li> <li>search</li> <li>mail handlers</li> <li>expensive POST requests</li> <li>dynamic pages with heavy backend processing</li> </ul> <h2> What should you do long term? </h2> <p>Short-term mitigation is not enough.</p> <p>After the incident, hardening should include:</p> <ul> <li>proper <strong>WAF rules</strong> </li> <li> <strong>Managed Challenge</strong> for suspicious traffic</li> <li> <strong>Rate Limiting</strong> per IP and per path</li> <li>caching public pages aggressively</li> <li>bypassing cache only where needed</li> <li>protecting forms with <strong>Turnstile</strong> </li> <li>collecting and reviewing logs</li> <li>setting alerts for unusual spikes</li> <li>identifying “expensive” endpoints before the next attack</li> </ul> <h2> A practical rule approach </h2> <p>Here is a simple example of the type of logic that makes sense:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> txt (len(http.user_agent) = 0 or lower(http.user_agent) contains "python" or lower(http.user_agent) contains "curl" or lower(http.user_agent) contains "bot" or lower(http.user_agent) contains "crawler") =&gt; Action: Managed Challenge (http.request.method eq "POST" or starts_with(http.request.uri.path, "/api/") or http.request.uri.path contains "/sendMail.php") =&gt; Action: Managed Challenge # Rate Limiting example (http.request.method eq "POST" and starts_with(http.request.uri.path, "/api/")) Threshold: 10 requests in 10 seconds per IP Action: Challenge </code></pre> </div> webdev security cloudflarechallenge devops