When your sites are behind Cloudflare, DDoS protection still functions in cPFence, but with some limitations. Here's how it works and what to expect.
How DDoS Protection Is Triggered
cPFence’s IPDB module tracks concurrent connections per IP and applies a threshold-and-escalation policy:
- The trigger: an IP reaches 100 or more concurrent connections.
- On the first offense, the IP is temporarily blocked for 10 minutes.
- If the same IP hits the limit multiple times within one hour, it is permanently blocked.
Detection and the block decision are made by the IPDB module, not the WAF. Once an IP is flagged, the block is enforced by the Layer 7 WAF.
How to View Active Connection Counts
To see the top IPs by current concurrent connections (the same view IPDB works from), run this command. It requires GNU awk: the three-argument match() used to capture the address is a gawk extension, so on systems where awk is mawk or BusyBox awk, replace awk with gawk. Behind Cloudflare, the peers listed are Cloudflare edge addresses rather than visitors (see the next section).
ss -Htn state established | awk '
  # $4 is the Peer Address:Port column (ss omits the State column when a
  # single state is filtered). Capture the address, with or without IPv6 brackets.
  match($4, /^\[?([0-9a-fA-F:.]+)\]?:/, m) {
    ip = m[1]
    cnt[ip]++
  }
  END {
    for (ip in cnt)
      printf "%-20s %5d\n", ip, cnt[ip]
  }
' | sort -k2 -nr | head -20
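The threshold-and-escalation policy described above, implemented over the same ss output the command reads, as an added example that is not cPFence's own code (the IPDB internals are not published on this page). The class and function names, the constructed ss rows, the choice not to re-count an IP while its temporary block is still active, and OFFENCES_PER_HOUR = 3 (the page only says "multiple times") are all assumptions:

```python
# Added example (not cPFence code): parse `ss -Htn state established` output,
# count established connections per peer IP, and apply the IPDB policy the
# article describes: 100+ concurrent connections -> 10-minute temporary block,
# repeated offences within one hour -> permanent block.
# ASSUMPTIONS (not stated on the page): OFFENCES_PER_HOUR = 3 escalates to a
# permanent block, and a threshold hit during an active temp block is not
# counted again.
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

CONN_THRESHOLD = 100           # from the article
TEMP_BLOCK_SECONDS = 10 * 60   # from the article
OFFENCE_WINDOW_SECONDS = 3600  # from the article ("in one hour")
OFFENCES_PER_HOUR = 3          # ASSUMPTION: page only says "multiple times"

# Peer column of ss: "198.51.100.7:443", "[2001:db8::5]:443",
# "[::ffff:198.51.100.7]:443", or "[fe80::1%eth0]:22" for link-local.
_PEER_RE = re.compile(r'^\[?([0-9a-fA-F:.]+(?:%[A-Za-z0-9_.-]+)?)\]?:\d+$')


def peer_ip(peer_field: str) -> Optional[str]:
    """Extract the address from an ss Peer Address:Port field, or None."""
    m = _PEER_RE.match(peer_field)
    if not m:
        return None
    ip = m.group(1)
    # Fold IPv4-mapped IPv6 peers onto their IPv4 form so one client is one key
    if ip.lower().startswith("::ffff:") and ip.count(".") == 3:
        ip = ip[7:]
    return ip


def connections_per_ip(ss_output: str) -> Counter:
    """With a single-state filter ss omits the State column, so the fields are
    Recv-Q Send-Q Local:Port Peer:Port [Process]; count rows per peer IP."""
    counts: Counter = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and peer_ip(fields[3]):
            counts[peer_ip(fields[3])] += 1
    return counts


@dataclass
class IpdbPolicy:
    """Escalation state: active temp blocks, offence history, permanent set."""
    temp_until: Dict[str, float] = field(default_factory=dict)
    offences: Dict[str, List[float]] = field(default_factory=dict)
    permanent: Set[str] = field(default_factory=set)

    def evaluate(self, counts: Counter, now: float) -> Dict[str, str]:
        """Apply one sample; return {ip: 'temp' | 'permanent'} for new actions."""
        actions: Dict[str, str] = {}
        for ip, n in counts.items():
            if n < CONN_THRESHOLD or ip in self.permanent:
                continue
            if self.temp_until.get(ip, 0.0) > now:
                continue  # ASSUMPTION: an active temp block is not re-counted
            recent = [t for t in self.offences.get(ip, []) if now - t < OFFENCE_WINDOW_SECONDS]
            recent.append(now)
            self.offences[ip] = recent
            if len(recent) >= OFFENCES_PER_HOUR:
                self.permanent.add(ip)
                self.temp_until.pop(ip, None)
                actions[ip] = "permanent"
            else:
                self.temp_until[ip] = now + TEMP_BLOCK_SECONDS
                actions[ip] = "temp"
        return actions


def _rows(peer: str, n: int) -> str:
    return "\n".join(f"0 0 203.0.113.10:443 {peer}:{50000 + i}" for i in range(n))


# Constructed ss sample: one abusive IPv4 peer (seen once more as an IPv4-mapped
# IPv6 peer) and a well-behaved IPv6 peer.
SAMPLE_SS = "\n".join([_rows("198.51.100.7", 120),
                       _rows("[::ffff:198.51.100.7]", 1),
                       _rows("[2001:db8::5]", 3)])


def demo() -> Tuple[Dict[str, str], Dict[str, str], Dict[str, str]]:
    """Three samples 700 s apart, each after the previous 600 s temp block expired."""
    policy = IpdbPolicy()
    counts = connections_per_ip(SAMPLE_SS)
    t0 = 1_700_000_000.0
    return (policy.evaluate(counts, t0),
            policy.evaluate(counts, t0 + 700),
            policy.evaluate(counts, t0 + 1400))


if __name__ == "__main__":
    for ip, n in connections_per_ip(SAMPLE_SS).most_common(20):
        print(f"{ip:<20} {n:5d}")
    print(demo())  # ({'198.51.100.7': 'temp'}, {'198.51.100.7': 'temp'}, {'198.51.100.7': 'permanent'})
```

Feed it live data with connections_per_ip(subprocess.check_output(["ss", "-Htn", "state", "established"], text=True)) and call evaluate() on each sampling tick; the block actions returned are what would be handed to the Layer 7 WAF.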
Cloudflare-Specific Challenges
When Cloudflare proxies your sites, every connection your server sees comes from a Cloudflare edge address, so per-IP connection counts reflect Cloudflare, not the visitor. To improve detection:
- Configure LiteSpeed to log the real visitor IP (Cloudflare passes it in the CF-Connecting-IP request header) in its access logs instead of the connecting Cloudflare address.
- cPFence analyzes access logs every 5 minutes to identify abusive IPs.
This helps, but it is not foolproof: the 5-minute parsing interval delays the response, and the logged visitor IP is only as trustworthy as the proxy header it came from. A request that bypasses Cloudflare and reaches the origin directly can carry a forged header, so the header should only be honoured when the connecting address is actually in Cloudflare's published ranges.
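A log-side check for that caveat, as an added example that is not cPFence or LiteSpeed code: given access-log lines that record both the connecting address and the CF-Connecting-IP header, attribute each request to the visitor only when the connecting address is a Cloudflare edge range, then count requests per IP over the 5-minute interval. The log format (not LiteSpeed's default), the function names, the constructed log lines and the short CLOUDFLARE_V4 subset are assumptions:

```python
# Added example (not cPFence code): attribute access-log requests to the real
# visitor behind Cloudflare and count requests per IP over the 5-minute window
# the article mentions. The CF-Connecting-IP header is honoured only when the
# TCP peer is a Cloudflare edge address; otherwise it may be forged and the
# peer address is used instead.
# ASSUMED log format (not LiteSpeed's default; set an equivalent LogFormat):
#   <peer_ip> <CF-Connecting-IP or -> [<dd/Mon/yyyy:HH:MM:SS +zzzz>] "<request>" <status>
# CLOUDFLARE_V4 holds a few of Cloudflare's published IPv4 ranges for
# illustration; load the full current list from https://www.cloudflare.com/ips-v4.
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional, Tuple

CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13", "172.64.0.0/13")]
WINDOW = timedelta(minutes=5)  # cPFence analyses logs every 5 minutes
LINE_RE = re.compile(r'^(\S+) (\S+) \[([^\]]+)\] "([^"]*)" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def from_cloudflare(ip: str) -> bool:
    """True if ip lies in one of the trusted Cloudflare ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CLOUDFLARE_V4)


def real_client_ip(peer: str, header: str) -> Tuple[str, bool]:
    """Return (ip, trusted): the header value when the peer is Cloudflare and
    the value parses as an address, else the peer itself with trusted=False."""
    if header != "-" and from_cloudflare(peer):
        try:
            ipaddress.ip_address(header)
            return header, True
        except ValueError:
            pass  # malformed header: fall through to the peer address
    return peer, False


def parse_line(line: str) -> Optional[Tuple[str, bool, bool, datetime]]:
    """-> (attributed_ip, trusted, header_present, timestamp) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    peer, hdr, ts, _req, _status = m.groups()
    ip, trusted = real_client_ip(peer, hdr)
    return ip, trusted, hdr != "-", datetime.strptime(ts, TS_FMT)


def requests_per_ip(lines: Iterable[str], window_end: datetime) -> Tuple[Counter, Counter]:
    """Count requests per attributed IP in (window_end - WINDOW, window_end].
    The second counter records requests whose header was ignored because the
    peer was not Cloudflare: direct-to-origin traffic carrying a forged header."""
    counts: Counter = Counter()
    ignored_header: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, trusted, has_hdr, ts = rec
        if not (window_end - WINDOW < ts <= window_end):
            continue
        counts[ip] += 1
        if has_hdr and not trusted:
            ignored_header[ip] += 1
    return counts, ignored_header


def _line(peer: str, hdr: str, minute: int, second: int) -> str:
    return (f'{peer} {hdr} [21/Mar/2024:10:{minute:02d}:{second:02d} +0000] '
            f'"POST /wp-login.php HTTP/1.1" 200')


# Constructed sample log: one visitor hammering wp-login.php through two
# Cloudflare edges, a direct hit on the origin with a forged header, and a few
# requests outside the analysis window.
SAMPLE_LOG = (
    [_line("104.16.1.1", "198.51.100.7", 3, s) for s in range(50)]
    + [_line("173.245.48.9", "198.51.100.7", 4, s) for s in range(20)]
    + [_line("192.0.2.50", "198.51.100.7", 4, s) for s in range(5)]
    + [_line("104.16.1.1", "198.51.100.7", 20, s) for s in range(3)]
)
WINDOW_END = datetime(2024, 3, 21, 10, 5, tzinfo=timezone.utc)

if __name__ == "__main__":
    counts, forged = requests_per_ip(SAMPLE_LOG, WINDOW_END)
    for ip, n in counts.most_common():
        print(f"{ip:<20} {n:5d}  (ignored headers: {forged[ip]})")
```

The direct-to-origin requests are attributed to the peer 192.0.2.50 rather than to the IP in their forged header, which is the behaviour a log analyser needs if it is going to block the address it finds; if the origin accepts non-Cloudflare traffic at all, that is the gap an attacker uses to get someone else's IP blocked.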
For more on detecting DDoS attacks, see:
Why Doesn't cPFence Also Apply Rate Limiting in the WAF?
While it is technically possible to implement per-IP rate limiting directly inside ModSecurity (the WAF), cPFence does not do this by design. Per-IP rate limiting in ModSecurity means keeping persistent per-IP collections that are read, updated and written back on every request, which adds significant overhead to request processing.
The ModSecurity core team advises against heavy rate-limiting logic inside the WAF because of its negative impact on server performance and scalability.
For more information, see this discussion:
StackOverflow: Rate Limiting with ModSecurity
Need Further Assistance?
If you encounter any issues or need additional help, feel free to reach out to our support team via your client portal.