Preventing DDoS attacks without Cloudflare?

cloudflare only allows you to use custom ssl (like let’s encrypt) on the $200/month business plan, or make you pay monthly for dedicated cloudflare certificates when free ssl providers like let’s encrypt generate them for free.

another waf service that is free and gives let’s encrypt ssl is cloudbric (waf+ssl+cdn). from what i know it returns your original host IP, or if you change your A records, it’ll be masked by cloudbric’s IP.

ddos attacks aren’t always aiming to overwhelm and take your site offline but are often launched in combination with malware/trojan, so simply absorbing traffic is probably just going to give you a false sense of security. ddos is also conducted as multi-vector attacks, meaning that while load balancing deals well against layer 3 & 4 volumetric attacks, layer 7-focused attacks that are vastly harder to detect and consume low bandwidth likely go undetected by a service like cloudflare that’s more a cdn than a waf/security service.

@Icarus1

When it comes to DDoS, load balancing would be the best means to potentially mitigate or absorb the attack by means of distributing traffic over numerous servers (on your end, beyond CF). With a load balanced setup, the worst-case would be that the IP of the LB is exposed as internally, the LB should be routing traffic over private network IP’s that aren’t public, thus reducing exposure.

The public IP’s of the endpoints would then be access limited to only specific IP’s or IP ranges.

Much of what goes in to preventing a DDoS attack depends on you and how you have things setup as much as it does who you’re working with in an effort to prevent and mitigate the attack.

CloudFlare provides a much needed service, though it’s not a all-in-one solution. You can sign up for CloudFlare and run a poorly configured stack and downtime can still result in seconds after an attack begins. CloudFlare isn’t a magical mask by far, but it can be helpful.

That being said, I’m sure you’ve heard the saying give someone an inch and they’ll take a mile – it applies to DDoS. Give someone means to launch a successful attack on you at any given moment and they will. Whether it succeeds depends on how prepare you at for it. I’ve seem many providers and servers handle decent sized various-vector attacks with ease, while others suffer.

Attacks could come in various forms – NTP, UDP, DNS, TCP SYN+FIN+ACK, HTTP GET, etc. – it’s hard to prevent every single possible scenario, or predict which one someone is going to target. This falls back to where CloudFlare can help, but may not be able to prevent the entire effect.

As @hansen said, and it’s very true, You will always have some attack surface if you have something on the internet.

I used the following setup: Let’s Encrypt on my server. Strict SSL on Cloudflare Cloudflare-set SSL (Https) for all requests.

So…as the OP says, your origin IP is still unprotected. To offer some protection, I set up Cloudflare Authenticated Origin pull: https://support.cloudflare.com/hc/en-us/articles/204899617-Authenticated-Origin-Pulls

It still doesn’t shield you from DDoS, but it helps a bit.

Here’s a discussion I had on the Cloudflare blog: https://blog.cloudflare.com/ddos-ransom-an-offer-you-can-refuse/

How is it possible to resolve host IP, when you’re using CloudFlare? That’s the major use-case for using the service, is to hide host IP address. Of course, you can choose to use their DNS-only service, which will work like any other regular DNS service - meaning it’ll show host IP address.