DDoS protection with PrivateFlare
You can reduce the strength of a DDoS attack and keep some of your resources running with a combination of PrivateFlare and CloudFlare services. Protection can be launched at the moment of attack, no preparation is required.
We will need
- The main domain that is parked on CloudFlare.
- PrivateFlare account at the minimum rate.
- Nearly 3-5 PrivateFlare nodes.
Step 0. Create a PrivateFlare account
Register yourself or contact our salespeople. For one attack on one domain, you won't even need a paid account. We recommend that you create and activate an account in advance so that it waits in the wings in an emergency.
Step 1. Prepare nodes
Get a VPS from the most quality and fast providers. Hetzner and Inferno are recommended. Ideally, take VPS in different locations. Use a plan with 4 GB of RAM or more.
You need to add 3-5 nodes. The process from preparation and addition is described in quick start guide. There are no subtleties of customization.
Step 2. Add a domain
Add a domain following the instructions in "Quick Start". Enter the address of your main server as the target IP. Don't enable certificate generation and switching to HTTPS.
After adding, go to the domain settings section and check all the configs:
- SSL certificate: disabled as unnecessary.
- Force redirect to HTTPS: mandatory disabled.
- Caching: select Default (optimal) or Force all (not recommended).
- Rate limit: empty or zero.
- Auto-minify: disabled to reduce load.
- Convert images to WebP: disabled to reduce load.
Step 3. Set up a domain in CloudFlare
Go to your domain's DNS section in CloudFlare.
- Remove all IPv6 (AAAA) domain records, they won't help you.
- Remove the existing domain A-records.
- Add a new A-record with the address of the first node. Make sure the node is added in proxy mode.
- Add another A-record with the same name and address of the second node, third node, and so on.
We will get automatic load distribution across multiple nodes.
Step 4. Fine-tuning CloudFlare
These settings will be useful to all sites under attack, even without PrivateFlare as a traffic divider.
- Section "DNS - Records". Check that all DNS records are routed through a proxy. Make sure you don't have an MX record that points to the main server and exposes its IP to the outside,
- Section "SSL/TLS - Overview". Select the encryption level as Flexible. So all requests to the site will go over the fast HTTP protocol without the need for heavy encryption. The use of Full is generally discouraged as redundant.
- Section "SSL/TLS - Edge certificates". Enable Always use HTTPS, this will rob attackers of the speed of simple HTTP connections and delay them on CloudFlare servers to generate certificates. Also enable Opportunistic Encryption, TLS 1.3 and Automatic HTTPS Rewrites.
- Section "Security - Settings". Select Security level as I'm under attack! and enable Browser Integrity Check.
- Section "Security - Bots". It's useful to enable the Bot fight mode for additional protection against simple attacks.
These measures will help you significantly reduce the load even at the level of CloudFlare filters. It doesn't make much sense to buy a paid solution from CloudFlare.
We have divided the traffic from the CloudFlare servers into several dampers, which will take on the role of additional caching servers and will be able to deliver much more content to visitors. When using static pages on sites, they will be delivered to users even if the site crashes.