DDoS attack protection setup for website

Our company is engaged in the development, support and maintenance of sites of any complexity. From simple one-page sites to large-scale cluster systems built on micro services. Experience of developers is confirmed by certificates from vendors.

8+Years of workmore info 900+Completed projectsmore info 100+In house employeesmore info 19+Partnersmore info

Development and maintenance of all types of websites:

Informational websites or web applications

Business card websites, landing pages, corporate websites, online catalogs, quizzes, promo websites, blogs, news resources, informational portals, forums, aggregators

E-commerce websites or web applications

Online stores, B2B portals, marketplaces, online exchanges, cashback websites, exchanges, dropshipping platforms, product parsers

Business process management web applications

CRM systems, ERP systems, corporate portals, production management systems, information parsers

Electronic service websites or web applications

Classified ads platforms, online schools, online cinemas, website builders, portals for electronic services, video hosting platforms, thematic portals

These are just some of the technical types of websites we work with, and each of them can have its own specific features and functionality, as well as be customized to meet the specific needs and goals of the client.

Offered services

Showing 1 of 1 servicesAll 2065 services

DDoS attack protection setup for website

Medium

from 1 business day to 3 business days

FAQ

Our competencies:

Free consultation

Book a free consultation if you have any questions. A dedicated specialist will advise you.

Cost calculation

If you know what exactly you need to develop, or you already have a ready-made technical task.

Development stages

Latest works

Development of a web application for FEEDME
1161
Development of an online store for the company FURNORO
1041
Development of a web application for Enviok
822
CRM development for Chasseurs
847
Website development for SBH Partners
999
Website development for Red Pear
451

Show more works

DDoS Protection Setup for Websites

DDoS (Distributed Denial of Service) — server overload with stream of requests from multiple sources until complete unavailability. Attacks happen at network (L3/L4: UDP flood, SYN flood) and application (L7: HTTP flood) levels. Latter harder to filter — requests look like legitimate traffic.

Protection Layers

Layer 1: CDN + Anycast (Cloudflare, AWS Shield) Traffic passes through distributed network of nodes. Attacker forced to overload hundreds of presence points worldwide — practically impossible task.

Layer 2: Rate limiting at Nginx/application level Restrict number of requests from single IP.

Layer 3: Anomalous traffic analysis and blocking Behavioral patterns, IP reputation, Challenge (CAPTCHA/JS challenge) for suspicious traffic.

Cloudflare — Basic Setup

Cloudflare Free/Pro automatically closes most L3/L4 attacks. For L7:

Security > DDoS > HTTP DDoS attack protection:
- Sensitivity: High
- Action: Block (after testing, start with Log)

Security > Settings:
- Security Level: Medium or High under attack
- Bot Fight Mode: ON
- Browser Integrity Check: ON

Under active attack: Security > Under Attack Mode — all visitors pass JS challenge.

Rate Limiting in Nginx

# Limit zones — in http block
limit_req_zone $binary_remote_addr zone=api:10m rate=30r/m;
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;
limit_conn_zone $binary_remote_addr zone=perip:10m;

server {
    # API — 30 requests per minute
    location /api/ {
        limit_req zone=api burst=10 nodelay;
        limit_req_status 429;
    }

    # Login form — 5 tries per minute
    location /login {
        limit_req zone=login burst=3 nodelay;
        limit_req_status 429;
    }

    # Maximum 20 concurrent connections from one IP
    limit_conn perip 20;
}

Rate Limiting in Application (Laravel)

// routes/api.php
Route::middleware('throttle:60,1')->group(function () {
    Route::get('/data', [DataController::class, 'index']);
});

// Custom limits with different rules for authorized
Route::middleware('throttle:api')->group(function () { ... });

// config/app.php or RouteServiceProvider
RateLimiter::for('api', function (Request $request) {
    return $request->user()
        ? Limit::perMinute(120)->by($request->user()->id)
        : Limit::perMinute(30)->by($request->ip());
});

SYN Flood at Linux Kernel Level

# /etc/sysctl.conf
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 3

# Apply
sysctl -p

Firewall: Connection Limiting via iptables/nftables

# Limit new TCP connections: no more than 20 per second from one IP
iptables -A INPUT -p tcp --dport 80 -m state --state NEW \
  -m recent --set --name HTTP_FLOOD

iptables -A INPUT -p tcp --dport 80 -m state --state NEW \
  -m recent --update --seconds 10 --hitcount 200 \
  --name HTTP_FLOOD -j DROP

Fail2ban for HTTP Flood

# /etc/fail2ban/filter.d/nginx-req-limit.conf
[Definition]
failregex = limiting requests, excess:.* by zone.*client: <HOST>

# /etc/fail2ban/jail.d/nginx.conf
[nginx-req-limit]
enabled = true
filter = nginx-req-limit
logpath = /var/log/nginx/error.log
maxretry = 10
findtime = 60
bantime = 600

Geo-blocking

Under attack from specific regions — temporary block via Cloudflare or GeoIP in Nginx:

# MaxMind GeoIP2
geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {
    $geoip2_country_code country iso_code;
}

map $geoip2_country_code $blocked_country {
    default 0;
    CN 1;
    RU 0; # Cannot block own audience
}

if ($blocked_country = 1) { return 403; }

Monitoring and Alerts

Tools for anomalous traffic observation:

Grafana + Prometheus — RPS, 4xx/5xx, latency dashboards
GoAccess — real-time Nginx log analysis
Cloudflare Analytics — blocked request statistics
Alert on 90th percentile RPS exceed — signal to activate enhanced mode.

Implementation Timeline

Cloudflare connection + basic rules: 1 day
Nginx rate limiting + Fail2ban setup: 1 day
Monitoring setup: 1–2 days