Introduction
I host all of my websites on DigitalOcean Droplets and I also use Cloudflare as my CDN provider. One of the benefits of using Cloudflare is that it reduces the overall traffic to your user and also hides your actual server IP address behind their CDN.
My personal favorite Cloudflare feature is their free DDoS protection. It has saved my servers multiple times from different DDoS attacks. They also have a handy API that you can use to enable and disable their DDoS protection easily.
I've decided to write a short bash script that would enable and disable this for your website automatically if needed!
You can take a look at the script here: https://github.com/apotitech/cloudflare-ddos-protection-main
Prerequisites
Before following this guide here, please set up your Cloudflare account and get your website ready. If you are not sure how to do that you can follow these steps here: Create a Cloudflare account and add a website.
Once you have your Cloudflare account, make sure to obtain the following information:
A Cloudflare account
Cloudflare API key
Cloudflare Zone ID
Another thing that you would need is a Linux server to run the bash script on. I will be using DigitalOcean, so if you wish you can use my referral link below to get $100 free credit and try it yourself as well:
Also, make sure curl is installed on your server:
curl --version
If curl is not installed you need to run the following:
- For RedHat/CentOS:
yum install curl
- For Debian/Ubuntu
apt-get install curl
Features
The script monitors the CPU usage on your server, and if the CPU load gets high relative to the number of vCPUs it enables the Cloudflare DDoS protection automatically via the Cloudflare API.
The main features of the script are:
Checks the CPU load on the server
In case of a CPU spike the script triggers an API call to Cloudflare and enables the DDoS protection feature ("I'm Under Attack" mode) for the specified zone
After the CPU load is back to normal the script disables the "I'm Under Attack" option and sets the security level back to normal
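As an added illustration of that logic (this is not the original protection.sh from the repository), here is a minimal bash version that reads the 1-minute load average, compares it with the vCPU count, and flips the zone's security_level through Cloudflare's v4 zone settings endpoint. The zone id, e-mail, API key, the 2x/1x thresholds and the state-file path are placeholders and assumptions.

```bash
#!/bin/bash
# Added example, not the original protection.sh: switch the zone's
# security_level to "under_attack" when the 1-minute load average reaches
# twice the vCPU count, and restore NORMAL_LEVEL once it drops below the
# vCPU count (hysteresis, so a 30-second cron does not flap the setting).
# CF_ZONE_ID, CF_EMAIL_ADDRESS, CF_API_KEY, NORMAL_LEVEL and STATE_FILE
# are placeholders/assumptions; the endpoint is Cloudflare's v4
# zone settings endpoint for security_level.

CF_ZONE_ID="${CF_ZONE_ID:-YOUR_CF_ZONE_ID}"
CF_EMAIL_ADDRESS="${CF_EMAIL_ADDRESS:-YOUR_CF_EMAIL_ADDRESS}"
CF_API_KEY="${CF_API_KEY:-YOUR_CF_API_KEY}"
NORMAL_LEVEL="medium"                     # level restored after the spike
STATE_FILE="/tmp/cf_under_attack.state"   # exists while under_attack is on

# should_enable LOAD NCPU: true when LOAD >= 2 * NCPU (awk handles decimals)
should_enable() {
  awk -v l="$1" -v n="$2" 'BEGIN { exit !(l >= 2 * n) }'
}

# should_disable LOAD NCPU: true when LOAD < NCPU
should_disable() {
  awk -v l="$1" -v n="$2" 'BEGIN { exit !(l < n) }'
}

# set_security_level LEVEL: PATCH the zone's security_level setting.
# -f makes curl fail on HTTP 4xx/5xx so a bad key or zone id is reported.
set_security_level() {
  curl -fsS -X PATCH \
    "https://api.cloudflare.com/client/v4/zones/${CF_ZONE_ID}/settings/security_level" \
    -H "X-Auth-Email: ${CF_EMAIL_ADDRESS}" \
    -H "X-Auth-Key: ${CF_API_KEY}" \
    -H "Content-Type: application/json" \
    --data "{\"value\":\"$1\"}" >/dev/null
}

# One monitoring pass; meant to be called from cron as: protection.sh run
main() {
  local load ncpu
  load=$(cut -d' ' -f1 /proc/loadavg)   # 1-minute load average
  ncpu=$(nproc)
  if [ ! -f "$STATE_FILE" ] && should_enable "$load" "$ncpu"; then
    set_security_level under_attack && touch "$STATE_FILE"
  elif [ -f "$STATE_FILE" ] && should_disable "$load" "$ncpu"; then
    set_security_level "$NORMAL_LEVEL" && rm -f "$STATE_FILE"
  fi
}

if [ "${1:-}" = "run" ]; then main; fi
```

The state file is what lets the script restore the normal level only once, instead of sending a PATCH on every cron run while the load is low.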
Setup
To download the script just run the following command:
wget https://raw.githubusercontent.com/bobbyiliev/cloudflare-ddos-protection/main/protection.sh
Open the script with your favorite text editor:
nano protection.sh
And update the following details with your Cloudflare details:
CF_CONE_ID=YOUR_CF_ZONE_ID
CF_EMAIL_ADDRESS=YOUR_CF_EMAIL_ADDRESS
CF_API_KEY=YOUR_CF_API_KEY
After that make the script executable:
chmod +x ~/protection.sh
And finally, set up two cron jobs so that the script runs every 30 seconds. To edit your crontab run:
crontab -e
And add the following content:
* * * * * /path-to-the-script/cloudflare/protection.sh
* * * * * ( sleep 30 ; /path-to-the-script/cloudflare/protection.sh )
Note that you need to replace the path in both lines with the actual path where you've stored the script.
Conclusion
This is quite a straightforward and budget-friendly solution. One of its downsides is that if your server becomes unresponsive due to an attack, the script might not be triggered at all.
A better approach would be to use a monitoring system like Nagios and trigger the script based on the statistics from the monitoring system.
This is pretty much it. Please test the script before adding the cron job. If you get any errors, please feel free to send me an email.
I hope that this helps!