Curated Skills
by lstudlo

cloudflare

references/ddos/patterns.md

.md 175 lines
Back to Skill Download File
Content 
# DDoS Protection Patterns

## Allowlist Trusted IPs

```typescript
const config = {
  description: "Allowlist trusted IPs",
  rules: [{
    expression: "ip.src in { 203.0.113.0/24 192.0.2.1 }",
    action: "execute",
    action_parameters: {
      id: managedRulesetId,
      overrides: { sensitivity_level: "eoff" },
    },
  }],
};

await client.accounts.rulesets.phases.entrypoint.update("ddos_l7", {
  account_id: accountId,
  ...config,
});
```

## Route-specific Sensitivity

```typescript
const config = {
  description: "Route-specific protection",
  rules: [
    {
      expression: "not http.request.uri.path matches \"^/api/\"",
      action: "execute",
      action_parameters: {
        id: managedRulesetId,
        overrides: { sensitivity_level: "default", action: "block" },
      },
    },
    {
      expression: "http.request.uri.path matches \"^/api/\"",
      action: "execute",
      action_parameters: {
        id: managedRulesetId,
        overrides: { sensitivity_level: "low", action: "managed_challenge" },
      },
    },
  ],
};
```

## Progressive Enhancement

```typescript
enum ProtectionLevel { MONITORING = "monitoring", LOW = "low", MEDIUM = "medium", HIGH = "high" }

const levelConfig = {
  [ProtectionLevel.MONITORING]: { action: "log", sensitivity: "eoff" },
  [ProtectionLevel.LOW]: { action: "managed_challenge", sensitivity: "low" },
  [ProtectionLevel.MEDIUM]: { action: "managed_challenge", sensitivity: "medium" },
  [ProtectionLevel.HIGH]: { action: "block", sensitivity: "default" },
} as const;

async function setProtectionLevel(zoneId: string, level: ProtectionLevel, rulesetId: string, client: Cloudflare) {
  const settings = levelConfig[level];
  return client.zones.rulesets.phases.entrypoint.update("ddos_l7", {
    zone_id: zoneId,
    rules: [{
      expression: "true",
      action: "execute",
      action_parameters: { id: rulesetId, overrides: { action: settings.action, sensitivity_level: settings.sensitivity } },
    }],
  });
}
```

## Dynamic Response to Attacks

```typescript
interface Env { CLOUDFLARE_API_TOKEN: string; ZONE_ID: string; KV: KVNamespace; }

export default {
  async fetch(request: Request, env: Env): Promise<Response> {
    if (request.url.includes("/attack-detected")) {
      const attackData = await request.json();
      await env.KV.put(`attack:${Date.now()}`, JSON.stringify(attackData), { expirationTtl: 86400 });
      const recentAttacks = await getRecentAttacks(env.KV);
      if (recentAttacks.length > 5) {
        await setProtectionLevel(env.ZONE_ID, ProtectionLevel.HIGH, managedRulesetId, client);
        return new Response("Protection increased");
      }
    }
    return new Response("OK");
  },
  async scheduled(event: ScheduledEvent, env: Env): Promise<void> {
    const recentAttacks = await getRecentAttacks(env.KV);
    if (recentAttacks.length === 0) await setProtectionLevel(env.ZONE_ID, ProtectionLevel.MEDIUM, managedRulesetId, client);
  },
};
```

## Multi-rule Tiered Protection (Enterprise Advanced)

```typescript
const config = {
  description: "Multi-tier DDoS protection",
  rules: [
    {
      expression: "not ip.src in $known_ips and not cf.bot_management.score gt 30",
      action: "execute",
      action_parameters: { id: managedRulesetId, overrides: { sensitivity_level: "default", action: "block" } },
    },
    {
      expression: "cf.bot_management.verified_bot",
      action: "execute",
      action_parameters: { id: managedRulesetId, overrides: { sensitivity_level: "medium", action: "managed_challenge" } },
    },
    {
      expression: "ip.src in $trusted_ips",
      action: "execute",
      action_parameters: { id: managedRulesetId, overrides: { sensitivity_level: "low" } },
    },
  ],
};
```

## Defense in Depth

Layered security stack: DDoS + WAF + Rate Limiting + Bot Management.

```typescript
// Layer 1: DDoS (volumetric attacks)
await client.zones.rulesets.phases.entrypoint.update("ddos_l7", {
  zone_id: zoneId,
  rules: [{ expression: "true", action: "execute", action_parameters: { id: ddosRulesetId, overrides: { sensitivity_level: "medium" } } }],
});

// Layer 2: WAF (exploit protection)
await client.zones.rulesets.phases.entrypoint.update("http_request_firewall_managed", {
  zone_id: zoneId,
  rules: [{ expression: "true", action: "execute", action_parameters: { id: wafRulesetId } }],
});

// Layer 3: Rate Limiting (abuse prevention)
await client.zones.rulesets.phases.entrypoint.update("http_ratelimit", {
  zone_id: zoneId,
  rules: [{ expression: "http.request.uri.path eq \"/api/login\"", action: "block", ratelimit: { characteristics: ["ip.src"], period: 60, requests_per_period: 5 } }],
});

// Layer 4: Bot Management (automation detection)
await client.zones.rulesets.phases.entrypoint.update("http_request_sbfm", {
  zone_id: zoneId,
  rules: [{ expression: "cf.bot_management.score lt 30", action: "managed_challenge" }],
});
```

## Cache Strategy for DDoS Mitigation

Exclude query strings from cache key to counter randomized query parameter attacks.

```typescript
const cacheRule = {
  expression: "http.request.uri.path matches \"^/api/\"",
  action: "set_cache_settings",
  action_parameters: {
    cache: true,
    cache_key: { ignore_query_strings_order: true, custom_key: { query_string: { exclude: { all: true } } } },
  },
};

await client.zones.rulesets.phases.entrypoint.update("http_request_cache_settings", { zone_id: zoneId, rules: [cacheRule] });
```

**Rationale**: Attackers randomize query strings (`?random=123456`) to bypass cache. Excluding query params ensures cache hits absorb attack traffic.

See [configuration.md](./configuration.md) for rule structure details.