Software Development

Web applications, mobile, e-commerce and custom software projects.

ReactNode.jsMobile

SEO & Optimization

Organic traffic growth, technical SEO, content strategy and analytics.

Technical SEOContentAnalytics

API & Integration

REST API, webhook infrastructure, payment and shipping integrations.

REST APIWebhookOAuth
View all services Get free consultation

Web Hosting

cPanel management panel, SSD storage, free SSL certificate

Get a Quote

VPS Server

NVMe SSD, full root access, DDoS protection included

Get a Quote
Popular

Dedicated Server

Fully dedicated physical server, unlimited traffic

Get a Quote

Domain & SSL

Domain registration, transfer and Wildcard SSL certificates

Get a Quote

Why KEYDAL?

  • 99.9% uptime guarantee
  • Istanbul data center
  • 24/7 support
  • Free migration service
Get a quote

Projelerimiz

kSvSecurity, kAI, kMusic ve daha fazlası.

About Us

Meet KEYDAL. Our vision, team and journey.

Contact

Tell us about your project, get a custom quote.
Contracts
Privacy Policy Terms of Service SLA Agreement Data Protection Notice Cookie Policy
01 Home
Software Development SEO & Optimization API & Integration
Web Hosting VPS Server Dedicated Server Domain & SSL
04 KEYDAL Projects 05 Tools 06 Blog
About Us Contact Contracts
Get a Quote
Blog / guvenlik

Multi-Layer DDoS Protection with Cloudflare and Nginx

guide 15 min read April 21, 2026
Founder of KEYDAL · Full-stack developer Updated: April 25, 2026

A DDoS (Distributed Denial of Service) attack floods a target with traffic from thousands of IPs in a botnet. The largest recorded attack in 2025 hit 3.8 Tbps — 500x what a single server can absorb. Effective protection is layered: CDN, WAF, network, application.

DDoS Attack Types

Related guides: How to get SSL certificate · OWASP Top 10 2026 · JWT security · SQL injection prevention · Password hashing guide

Volumetric (L3/L4) — Bandwidth Attacks

UDP flood, ICMP flood, SYN flood, DNS amplification — the attacker fills your bandwidth. At 100+ Gbps a single server is helpless; upstream filtering (ISP/CDN) is mandatory.

Protocol (L4) — Resource Exhaustion

SYN flood exhausts half-open TCP connections. Slowloris sends HTTP headers slowly to tie up connection slots. Nginx runs out of worker_connections and refuses new requests.

Application (L7) — The Hardest

HTTP flood — requests that look legitimate. An unthrottled /search endpoint that suddenly receives 1000 requests per second will crash the database. Firewalls cannot distinguish legit traffic; WAF and rate limits at the application layer are required.

Layer 1: DNS/CDN (Cloudflare, Fastly, Akamai)

The first line of defence — point DNS at a CDN and hide your server IP. The CDN acts as a proxy and filters L3/L4 floods at the edge. Even Cloudflare's free plan includes unlimited DDoS mitigation.

  • Cloudflare Proxy (orange cloud) must be on
  • The origin IP must not be publicly visible — watch subdomains like mail and API
  • "Under Attack Mode" — JS challenge during a suspected attack
  • Rate Limiting Rules — per URL
  • Bot Fight Mode — blocks scraping
Warning
Your origin IP can leak through subdomains (cpanel.example.com, mail.example.com). Proxy all DNS records through Cloudflare or restrict ports 80/443 at the firewall to Cloudflare IP ranges only.
# Allow only Cloudflare IPs
for ip in $(curl -s https://www.cloudflare.com/ips-v4); do
    ufw allow from $ip to any port 443 proto tcp
done
ufw deny 443/tcp  # everything else is blocked

Layer 2: Nginx Rate Limiting

Covered in detail in the earlier Nginx article. Essentials: per-IP caps, endpoint-specific caps (login 2r/s, api 5r/s, global 15r/s) and connection limits.

limit_req_zone $binary_remote_addr zone=global:10m rate=15r/s;
limit_req_zone $binary_remote_addr zone=api:10m rate=5r/s;
limit_conn_zone $binary_remote_addr zone=addr:10m;

server {
    limit_conn addr 50;
    limit_req zone=global burst=30 nodelay;

    # Slowloris protection
    client_body_timeout 10s;
    client_header_timeout 10s;

    location /api/ {
        limit_req zone=api burst=10 nodelay;
        proxy_pass http://backend;
    }
}

Layer 3: Application Level

Use libraries such as express-rate-limit or Flask-Limiter to add endpoint- and user-level rate limits (after authentication). Protect heavy endpoints (report generation, mail sending) in particular.

const rateLimit = require('express-rate-limit');

// Global
app.use(rateLimit({ windowMs: 60000, max: 120 }));

// Sensitive
app.use('/login', rateLimit({
    windowMs: 900000, max: 5,
    message: 'Too many login attempts. Try again in 15 minutes.'
}));

// Per-user after auth
app.use('/api/export', rateLimit({
    windowMs: 3600000, max: 10,
    keyGenerator: req => req.user.id
}));

Layer 4: Fail2ban + iptables

Fail2ban reads logs and bans attackers; we covered it in its own article. For DDoS, set up custom jails that catch 4xx/5xx floods in the Nginx access log.

Layer 5: OS-Level Hardening

# /etc/sysctl.conf
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
net.core.netdev_max_backlog = 5000
net.ipv4.ip_local_port_range = 10000 65535

# Apply
sudo sysctl -p

Monitoring and Alerting

Catching a DDoS early is critical. Build a real-time pipeline on the Nginx access log with GoAccess, Grafana Loki or Datadog, and watch these metrics:

  • Requests per second (5x baseline triggers an alert)
  • Unique IPs (10x baseline is suspicious)
  • 4xx/5xx ratio (above 30% is worth investigating)
  • TCP connection count
  • Bandwidth usage

Preparedness Plan

  • Write a runbook — what to do during an attack
  • Keep a Cloudflare API token ready to flip Under Attack Mode in 5 seconds
  • Have geo-block rules prepared for blocking specific countries if needed
  • Plan failover — backup datacenter or DNS records
  • Know your ISP contact for upstream null routing

Web Security and Application Defense

Modern web security uses defense-in-depth: TLS 1.3 and HSTS for encrypted transport, WAF (Web Application Firewall) against OWASP Top 10, BCrypt or Argon2id for password hashing, JWT tokens with proper signature verification (HMAC or RSA), CSRF tokens with SameSite cookies and Content Security Policy to mitigate XSS. Prepared statements prevent SQL injection, fail2ban or rate limiting blocks brute force, and DDoS protection via Cloudflare or anti-DDoS providers is essential. Vulnerability scanning (Burp Suite, OWASP ZAP) and regular security audits significantly reduce data leak and account takeover risks in production.

Conclusion

You do not "stop" a DDoS — you absorb it. The right architecture: Cloudflare absorbs brute force at the edge, Nginx rate limits catch legit-looking L7 traffic, and the application layer is the final line. Every layer must be independent; if one fails the others pick up. KEYDAL helps teams design exactly this kind of multi-layer defence.

Build a DDoS protection architecture

Cloudflare setup, Nginx hardening, monitoring and runbook design Contact us

Written by

Founder and principal engineer of KEYDAL. Serving enterprise clients in hosting, software development and SEO since 2026.

Related Articles

Readers of this article also read these

guvenlik 27 min

How to Check if a Link is Safe in 2026: URL Lookup, Phishing Detection and Website Safety

The 2026 guide to checking whether a link is safe: URL parsing, HTTPS/SSL inspection, WHOIS age, Google Safe Browsing, VirusTotal, urlscan.io, sandbox analysis and phishing indicators.
guvenlik 22 min

How to Get an SSL Certificate: Free vs Paid Options Explained

How and where to get an SSL/TLS certificate. Let's Encrypt, ZeroSSL, Sectigo and DigiCert compared. Installation with Certbot, acme.sh, cPanel and Plesk. CSR generation, Nginx TLS 1.3 config and A+ security.
guvenlik 11 min

Password Hashing: bcrypt, argon2id and scrypt Compared

Modern password hashing — bcrypt, argon2id and scrypt compared, salt, pepper, work factor tuning and Node.js / Python implementations.
WhatsApp