IBM Cloud Docs
Responding to DDoS attacks

The CIS network automatically mitigates large DDoS attacks, but these attacks can still affect your application. All users should perform the following steps to better secure their application.

  1. Make sure the ruleset_phase parameter (with ddos_l7) in the Ruleset API is set to the default settings (high sensitivity level and mitigation actions) for optimal DDoS activation.
  2. Deploy custom rules and rate limiting rules to enforce a combined positive and negative security model. Reduce the traffic allowed to your website based on your known usage.
  3. Make sure your origin is not exposed to the internet. Restrict access so that only CIS IP addresses can access your origin. As an extra security precaution, consider contacting your hosting provider and requesting new origin server IP addresses if they have been targeted directly in the past.
  4. If you have Bot Management, consider using it in your custom rules.
  5. Enable caching as much as possible to reduce the strain on your origin servers.
  6. To help counter attack randomization, update your cache settings to exclude the query string as a cache key. When the query string is excluded as a cache key, the CIS cache absorbs unmitigated attack requests instead of forwarding them to the origin. The cache can be a useful mechanism as part of a multilayered security posture.
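
The effect of step 6, as an added example (not IBM's code): a simplified cache model with no TTL or eviction replays constructed requests whose query strings differ on every request and counts how many reach the origin under each cache-key setting. The function names and the www.example.com URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit


def cache_key(url, include_query):
    """Build a cache key from host and path, optionally with the query string."""
    parts = urlsplit(url)
    key = parts.netloc.lower() + (parts.path or "/")
    if include_query and parts.query:
        key += "?" + parts.query
    return key


def origin_fetches(urls, include_query):
    """Replay requests through a simple cache; return how many reach the origin."""
    cached = set()
    misses = 0
    for url in urls:
        key = cache_key(url, include_query)
        if key not in cached:
            # Cache miss: the edge forwards this request to the origin.
            misses += 1
            cached.add(key)
    return misses


def constructed_attack(n):
    """Constructed sample: n requests for one page, each with a unique query string."""
    return [f"https://www.example.com/index.html?cb={i:08x}" for i in range(n)]


if __name__ == "__main__":
    urls = constructed_attack(10000)
    print("query string in cache key:  ", origin_fetches(urls, True), "origin fetches")
    print("query string excluded:      ", origin_fetches(urls, False), "origin fetch")
```

Apply this setting only to content that is the same regardless of the query string. Otherwise different responses would share one cache entry.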