Introduction
Cloudflare DDoS protection automatically mitigates volumetric and application-layer attacks. The system analyzes traffic patterns and applies rules to block malicious traffic. However, legitimate traffic spikes (flash sales, product launches, shared NAT users) can trigger false positives. Conversely, sophisticated attacks may evade detection. Understanding how to configure sensitivity, create exceptions, and verify protection ensures both security and availability.
Symptoms
- Users seeing DDoS protection challenge page (1015 error)
- Legitimate traffic surge blocked during marketing events
- Challenge page looping or not completing
- Users behind shared NAT/proxy all blocked
- Attack traffic not being mitigated
- Site slows or fails under attack despite Cloudflare
- Origin server overwhelmed during supposed DDoS protection
Common Causes
- DDoS sensitivity level too aggressive for traffic patterns
- Legitimate traffic spike resembles attack pattern
- Users behind corporate NAT triggering IP-based rules
- Attack using sophisticated techniques evading detection
- Attack targeting origin directly (bypassing Cloudflare)
- Challenge page failing due to JavaScript or browser issues
- Layer 7 (HTTP) attacks and layer 3/4 (network) attacks require different handling
Step-by-Step Fix
- 1. Check DDoS attack status:
Navigate to: Cloudflare Dashboard > Security > DDoS
Look for:
  - Active attacks (red indicator)
  - Attack history
  - Mitigated requests
  - Traffic patterns
- 2. Review blocked traffic in Security Events:
Navigate to: Security > Events
Filter by:
  - Action: Block, Challenge
  - Source: DDoS
  - Time range: when the issue occurred
- 3. Determine whether the traffic is legitimate or an attack:
```bash
# Check traffic sources:
# - Are the blocked IPs known users/customers?
# - Is the geographic distribution normal for your audience?
# - Do the request patterns match real application usage?
# - Does the timing correlate with a marketing event or launch?

# Use Security Events > Request details to examine:
# - User-Agent strings
# - Request paths and patterns
# - Timing and frequency
```
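As an added example that is not part of the original guide, the script below applies the four checks above to a sample of mitigated requests and returns a verdict together with the reasons. The event records, the expected-country set and the heuristic thresholds are constructed assumptions; export real rows from Security > Events and tune the thresholds to your own audience. It also covers the shared-NAT case from the symptom list, where a single source address alone must not be treated as proof of an attack.

```python
"""Triage a sample of mitigated requests: flash crowd, shared NAT, or attack?

Added example (not Cloudflare's code). The records are constructed to resemble
the fields exported from Security > Events; feed in your own export instead.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ip: str
    country: str
    path: str
    user_agent: str
    ts: float  # epoch seconds


def make_events(ips, countries, paths, uas, count, spacing, start=1_700_000_000):
    """Constructed-sample generator: round-robins over the supplied values."""
    return [
        Event(ips[i % len(ips)], countries[i % len(countries)],
              paths[i % len(paths)], uas[i % len(uas)], start + i * spacing)
        for i in range(count)
    ]


BROWSERS = ["Mozilla/5.0 (Windows NT 10.0) Chrome/120",
            "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0) Safari/17",
            "Mozilla/5.0 (X11; Linux x86_64) Firefox/121"]
SHOP_PATHS = ["/", "/sale", "/product/42", "/cart", "/checkout"]
EXPECTED_COUNTRIES = {"US", "GB", "DE"}  # assumption: where your customers are

# Marketing launch: many distinct users, a normal browsing mix, about 1 req/s.
FLASH_SALE = make_events([f"198.51.100.{i}" for i in range(1, 26)],
                         ["US", "GB", "DE"], SHOP_PATHS, BROWSERS, count=60, spacing=1.0)
# Office behind one NAT address: a single IP, but real browsers and normal paths.
SHARED_NAT = make_events(["192.0.2.10"], ["US"], SHOP_PATHS, BROWSERS, count=60, spacing=1.0)
# Scripted flood: three sources hitting one path with one client string, about 20 req/s.
FLOOD = make_events(["203.0.113.7", "203.0.113.8", "203.0.113.9"], ["XX"],
                    ["/login"], ["python-requests/2.31"], count=60, spacing=0.05)


def indicators(events, expected_countries):
    """Summarise the sample along the axes the checklist asks about."""
    n = len(events)
    ips = Counter(e.ip for e in events)
    paths = Counter(e.path for e in events)
    uas = Counter(e.user_agent for e in events)
    geo_ok = sum(1 for e in events if e.country in expected_countries)
    span = max(e.ts for e in events) - min(e.ts for e in events)
    return {
        "requests": n,
        "unique_ips": len(ips),
        "top_ip_share": ips.most_common(1)[0][1] / n,
        "top_path_share": paths.most_common(1)[0][1] / n,
        "unique_user_agents": len(uas),
        "expected_geo_share": geo_ok / n,
        "req_per_sec": n / span if span > 0 else float(n),
    }


def triage(events, expected_countries):
    """Return (verdict, flags, indicators). The thresholds are assumed starting points."""
    ind = indicators(events, expected_countries)
    flags = []
    if ind["top_ip_share"] > 0.2:
        flags.append("few-sources")      # a handful of IPs dominate (true of a NAT too)
    if ind["top_path_share"] > 0.8:
        flags.append("single-path")      # one endpoint hammered rather than a browsing mix
    if ind["unique_user_agents"] <= 2 and ind["requests"] >= 20:
        flags.append("uniform-client")   # scripted clients rarely vary their UA
    if ind["expected_geo_share"] < 0.5:
        flags.append("unexpected-geo")   # audience does not match the business
    # One flag alone is not enough: a corporate NAT trips "few-sources" by itself.
    verdict = "likely-attack" if len(flags) >= 2 else "likely-legitimate-surge"
    return verdict, flags, ind


if __name__ == "__main__":
    for name, sample in [("flash sale", FLASH_SALE), ("shared NAT", SHARED_NAT), ("flood", FLOOD)]:
        verdict, flags, ind = triage(sample, EXPECTED_COUNTRIES)
        print(f"{name:11s} {verdict:25s} flags={flags} "
              f"ips={ind['unique_ips']} rps={ind['req_per_sec']:.1f}")
```

The verdict requires two independent signals on purpose: source concentration is exactly what a shared corporate NAT looks like, so on its own it should lead to an exception rule (step 5), not to a higher sensitivity.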
- 4. Adjust the DDoS sensitivity level:
Navigate to: Security > DDoS > HTTP DDoS Attack Protection
Settings:
  - Sensitivity Level: High, Medium, Low, Essentially Off
```
# When experiencing false positives:
# - change the sensitivity from High to Medium or Low
# - lower sensitivity = more traffic allowed before mitigation starts

# Trade-off: a lower sensitivity may let some attack traffic through,
# so raise it again once the legitimate surge has passed
```
- 5. Create exception rules for legitimate sources:
Navigate to: Security > WAF > Custom Rules
Create a skip rule:
```
# Skip rules for trusted IP ranges (e.g. an office or partner NAT address)
# Expression: (ip.src in {192.0.2.0/24})
# Action: Skip

# Or skip for a known client identified by its User-Agent
# (a User-Agent is trivially spoofable, so combine it with an IP or header check where you can)
# Expression: (http.user_agent contains "YourApp/")
```
- 6. Configure rate limiting as a DDoS supplement:
Navigate to: Security > WAF > Rate Limiting Rules
```
# Create rate limit rules for (tune to your measured traffic):
# - API endpoints:   200 req/min
# - Login pages:      20 req/min
# - Search functions: 100 req/min
# - Static content:   no limit needed

# This provides application-level DDoS protection for endpoints that a
# volumetric rule would not single out
```
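Before switching on thresholds like the ones above, it helps to replay a log sample through the same counting model and see who would have been blocked. The Python below is an added example, not Cloudflare's code: it assumes a per-IP 60-second sliding window, and the request records, rule names and path prefixes are constructed assumptions standing in for an export of your own access logs.

```python
"""Dry-run rate limiting thresholds against a request sample.

Added example (not Cloudflare's code). Replays constructed access-log style
records through a 60-second sliding window per client IP, the way a
"requests per minute per IP" rule counts, and reports which clients each rule
would have blocked at a given threshold.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    ip: str
    path: str
    ts: float  # epoch seconds


def burst(ip, path, count, start, spacing):
    """Constructed-sample helper: `count` requests from `ip`, one every `spacing` seconds."""
    return [Request(ip, path, start + i * spacing) for i in range(count)]


T0 = 1_700_000_000.0
# Constructed sample: normal users plus one scripted client on the login page.
REQUESTS = (
    burst("198.51.100.1", "/login", 3, T0, 20)               # typo, retry, success
    + burst("198.51.100.1", "/api/items", 50, T0, 1)         # busy single-page app
    + burst("198.51.100.2", "/search?q=shoes", 8, T0, 5)     # a shopper searching
    + burst("203.0.113.5", "/login", 40, T0, 0.75)           # 40 login requests in 30 s
    + burst("198.51.100.3", "/static/app.js", 120, T0, 0.25)  # cached asset, no rule
)

# Rule name -> (path prefix, requests allowed per 60 s window per IP); assumed names,
# thresholds mirror the suggested values above.
RULES = {
    "login": ("/login", 20),
    "api": ("/api/", 200),
    "search": ("/search", 100),
}


def peak_in_window(timestamps, window=60.0):
    """Largest number of requests falling inside any `window`-second interval."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end, t in enumerate(ts):
        while ts[start] <= t - window:   # slide the left edge: keep only (t - window, t]
            start += 1
        best = max(best, end - start + 1)
    return best


def simulate(requests, rules, window=60.0):
    """Per rule: the peak per-client count and the clients that exceed the threshold."""
    buckets = defaultdict(lambda: defaultdict(list))  # rule -> ip -> [timestamps]
    for r in requests:
        for name, (prefix, _) in rules.items():
            if r.path.startswith(prefix):
                buckets[name][r.ip].append(r.ts)
    report = {}
    for name, (_, threshold) in rules.items():
        peaks = {ip: peak_in_window(ts, window) for ip, ts in buckets[name].items()}
        report[name] = {
            "threshold": threshold,
            "peaks": peaks,
            "clients_over": sorted(ip for ip, p in peaks.items() if p > threshold),
        }
    return report


if __name__ == "__main__":
    for name, r in simulate(REQUESTS, RULES).items():
        print(f"{name:7s} limit={r['threshold']:3d}/min  peaks={r['peaks']}  "
              f"blocked={r['clients_over']}")
```

Run it against a sample captured during a normal busy period first: if the `peaks` of known-good clients sit close to a threshold, the rule needs more headroom before a marketing event, which is exactly the adjustment step 12 asks for.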
- 7. Enable advanced DDoS features (Business/Enterprise):
Navigate to: Security > DDoS
```
# Advanced features:
# - Adaptive DDoS Protection: learns normal traffic patterns
# - Attack Analytics: detailed attack insights
# - Layer 3/4 DDoS Protection: network-level attacks
# - Advanced TCP Protection: for non-HTTP services
```
- 8. Check origin exposure risk:
```bash
# Verify the origin IP is not exposed. Check for:
# - DNS records pointing straight at the origin (grey cloud / DNS only)
# - Historical DNS data revealing old IPs
# - SSL certificates revealing the origin hostname/IP
# - Direct-to-IP requests in the origin's access logs

# Resolve the public records and compare the answers with Cloudflare's published
# ranges (https://www.cloudflare.com/ips-v4, /ips-v6): proxied records resolve to
# Cloudflare addresses, anything else is a record that exposes the origin.
# (ANY queries are frequently refused, so ask for the record types you need.)
dig +short yourdomain.com A
dig +short yourdomain.com AAAA
dig +short yourdomain.com MX   # mail records commonly point at the origin host

# Confirm whether the origin answers directly (after step 9 this should time out or be refused)
curl -Iv -k https://YOUR_ORIGIN_IP/
curl -Iv --resolve yourdomain.com:443:YOUR_ORIGIN_IP https://yourdomain.com/
```
- 9. Protect the origin from direct attacks:
```bash
# Download the current Cloudflare edge ranges (they change; refresh them on a schedule)
curl -fsS https://www.cloudflare.com/ips-v4 -o /tmp/cf-ips-v4.txt
curl -fsS https://www.cloudflare.com/ips-v6 -o /tmp/cf-ips-v6.txt

# Allow HTTP/HTTPS only from Cloudflare, then drop everything else on those ports.
# The ACCEPT rules are appended first so they are evaluated before the final DROP.
while read -r ip; do
  iptables -A INPUT -s "$ip" -p tcp -m multiport --dports 80,443 -j ACCEPT
done < /tmp/cf-ips-v4.txt
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP

# Same for IPv6 if the origin has a public AAAA record
while read -r ip; do
  ip6tables -A INPUT -s "$ip" -p tcp -m multiport --dports 80,443 -j ACCEPT
done < /tmp/cf-ips-v6.txt
ip6tables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP
```
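Steps 8 and 9 share one piece of data, Cloudflare's published edge ranges, so the following added example (not Cloudflare's own tooling) does both jobs offline: it checks constructed `dig +short` answers against the ranges to find records that expose the origin, and renders the origin-lockdown firewall rules from the same list. The range list embedded here is a snapshot excerpt of https://www.cloudflare.com/ips-v4 so the script runs without network access; the hostnames and DNS answers are constructed, and in production the live list must be fetched each time.

```python
"""Origin exposure check and origin lockdown rule generation.

Added example (not Cloudflare's code). Part 1 compares DNS answers with the
published edge ranges: any address outside them is a record that exposes the
origin. Part 2 renders iptables rules that accept 80/443 only from those
ranges and drop the rest, the same policy as the shell loop above.
"""
import ipaddress

# Snapshot excerpt of https://www.cloudflare.com/ips-v4 embedded for an offline run;
# may be stale, always fetch the live list before applying rules.
CF_IPS_V4_SNAPSHOT = """\
173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
141.101.64.0/18
108.162.192.0/18
190.93.240.0/20
188.114.96.0/20
197.234.240.0/22
198.41.128.0/17
162.158.0.0/15
104.16.0.0/13
104.24.0.0/14
172.64.0.0/13
131.0.72.0/22
"""

# Constructed `dig +short` output for hypothetical hostnames.
DNS_ANSWERS = {
    "www.example.com": ["104.16.132.229", "104.16.133.229"],            # proxied (orange cloud)
    "shop.example.com": ["shop.example.com.cdn.cloudflare.net.", "104.16.132.229"],
    "staging.example.com": ["203.0.113.10"],                             # DNS only (grey cloud)
    "mail.example.com": ["203.0.113.10"],                                # mail host is the origin
}


def parse_ranges(text):
    """One CIDR per line, blank lines and # comments ignored (the ips-v4/ips-v6 layout)."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def exposed_answers(answers, ranges):
    """Return the answers that are IP addresses outside `ranges`; CNAME targets are skipped."""
    exposed = []
    for value in answers:
        try:
            addr = ipaddress.ip_address(value.rstrip("."))
        except ValueError:
            continue  # dig +short prints CNAME chain entries too; they are not addresses
        if not any(addr in net for net in ranges if net.version == addr.version):
            exposed.append(value)
    return exposed


def exposure_report(dns_answers, ranges):
    """Map hostname -> exposing addresses, for hostnames that expose anything."""
    report = {}
    for host, answers in dns_answers.items():
        bad = exposed_answers(answers, ranges)
        if bad:
            report[host] = bad
    return report


def lockdown_rules(ranges, binary="iptables", ports=(80, 443)):
    """Render firewall rules: accept `ranges` on `ports`, then drop everything else on them."""
    dports = ",".join(str(p) for p in ports)
    base = f"{binary} -A INPUT -p tcp -m multiport --dports {dports}"
    rules = [f"{base} -s {net} -j ACCEPT" for net in ranges]
    rules.append(f"{base} -j DROP")
    return rules


if __name__ == "__main__":
    ranges = parse_ranges(CF_IPS_V4_SNAPSHOT)
    for host, bad in exposure_report(DNS_ANSWERS, ranges).items():
        print(f"EXPOSED {host}: {', '.join(bad)}")
    print("\n".join(lockdown_rules(ranges)))
```

Feed the IPv6 list through the same functions with `binary="ip6tables"`. Two of the constructed hosts report the same origin address: the lockdown in step 9 only helps if every such record is either proxied or moved to a host that is not the web origin.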
- 10. Handle challenge page issues:
```bash
# If users are stuck on the challenge page:
# - check that JavaScript is enabled in the browser
# - verify the Cloudflare challenge script loads (requests under /cdn-cgi/ must not be blocked)
# - check for browser extensions or proxies that block scripts

# Test challenge behaviour from the command line:
curl -sv https://yourdomain.com/ -o /dev/null 2>&1 | grep -iE '^< (HTTP/|cf-mitigated|cf-ray)'
# A challenged request carries a "cf-mitigated: challenge" response header;
# a request that passes through returns the origin's normal response
```
- 11. Configure bot management:
Navigate to: Security > Bots
```
# Bot Fight Mode: aggressive, may block good bots
# Super Bot Fight Mode: very aggressive
# Bot Management: granular control (Business+)

# For API traffic with legitimate automation:
# - allow-list known good bots
# - use Analytics to identify bot categories
```
- 12. Monitor during traffic events:
```bash
# Before marketing events:
# 1. Lower DDoS sensitivity temporarily
# 2. Allow-list expected user sources
# 3. Increase rate limit thresholds
# 4. Monitor Security Events closely

# After the event:
# 1. Review blocked vs legitimate traffic
# 2. Adjust settings based on the observed patterns
# 3. Document what you learned for future events
```
Verification
After applying fixes:
- 1.Legitimate traffic surges don't trigger false blocks
- 2.Known user sources bypass DDoS rules via exceptions
- 3.Challenge page completes successfully for real users
- 4.Attack traffic is mitigated (check Security Events)
- 5.Origin server not overwhelmed during attacks
- 6.Traffic analytics show normal patterns with protection active