
Protect your server against DDoS attacks

DDoS attack types, Baires Host Anti-DDoS protection, Cloudflare setup and Nginx rate limiting.


What is a DDoS attack?

A Distributed Denial of Service (DDoS) attack aims to overwhelm your server with malicious traffic. There are three main types:

  • Volumetric: Flood bandwidth (UDP flood, DNS amplification)
  • Protocol: Exploit layer 3/4 weaknesses (SYN flood, Ping of Death)
  • Application: Attack layer 7 with massive legitimate-looking requests (HTTP flood)

Baires Host Anti-DDoS Protection

All Baires Host servers include network-layer Anti-DDoS protection at no extra cost:

  • Filters malicious traffic before it reaches your server
  • Mitigates volumetric attacks up to 1 Tbps
  • Activates automatically when anomalous patterns are detected
  • Requires no configuration on your part

Configure Cloudflare as an additional layer

Step 1: Add your domain

  1. Create an account at cloudflare.com
  2. Add your domain and change nameservers
  3. Enable the proxy (orange cloud) on DNS records

Step 2: Security rules

  • Go to Security → WAF and create rules to block suspicious countries
  • Enable Bot Fight Mode in Security → Bots
  • Set Security Level to "High"

Step 3: Under Attack Mode (emergency)

If you are under active attack, enable "I'm Under Attack Mode" from Security → Settings.

Rate limiting with Nginx

nginx
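# limit_req_zone belongs in the http {} context.
# Behind the Cloudflare proxy, $binary_remote_addr is the Cloudflare edge address
# unless the real client IP is restored (ngx_http_realip_module, CF-Connecting-IP header).
limit_req_zone $binary_remote_addr zone=general:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=login:10m rate=3r/m;

server {
    location / {
        limit_req zone=general burst=20 nodelay;
    }
    # Stricter limit for the WordPress login endpoint
    location /wp-login.php {
        limit_req zone=login burst=3 nodelay;
    }
}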
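
The sketch below is an added example, not code from the original guide: a simplified Python model of the leaky-bucket accounting behind limit_req with nodelay, replaying constructed traffic against the login zone settings above. It assumes every request reaches Nginx from one proxy address and compares keying the zone on that address with keying it on the restored client address; the class and function names are hypothetical.

```python
# Added example: integer model of nginx limit_req accounting (nodelay case).
# This is a model for reasoning about the settings, not nginx source code.
# Excess is tracked in 1/1000ths of a request.

class LimitReqZone:
    def __init__(self, requests, per_seconds, burst):
        self.rate = requests * 1000 // per_seconds   # milli-requests drained per second
        self.burst = burst * 1000
        self.nodes = {}                              # key -> (excess, last_ms)

    def allow(self, key, now_ms):
        """True if the request passes, False if it would be rejected (503 by default)."""
        if key not in self.nodes:
            self.nodes[key] = (0, now_ms)            # first request for a key always passes
            return True
        excess, last = self.nodes[key]
        excess = max(excess - self.rate * (now_ms - last) // 1000 + 1000, 0)
        if excess > self.burst:
            return False                             # rejected requests do not update state
        self.nodes[key] = (excess, now_ms)
        return True


def replay(zone, requests, key_field):
    """requests: list of (ms, peer_addr, client_addr). Returns passed count per client."""
    passed = {}
    for ms, peer, client in requests:
        key = peer if key_field == "peer" else client
        if zone.allow(key, ms):
            passed[client] = passed.get(client, 0) + 1
    return passed


# Constructed traffic (documentation-range IPs): one noisy client sends 30 login
# requests at t=0, then a normal user sends one at t=5s, both via the same proxy.
PROXY, NOISY, USER = "192.0.2.10", "198.51.100.7", "203.0.113.5"
TRAFFIC = [(0, PROXY, NOISY)] * 30 + [(5000, PROXY, USER)]


def login_zone():
    return LimitReqZone(requests=3, per_seconds=60, burst=3)   # zone=login, burst=3


if __name__ == "__main__":
    print("keyed by peer address:  ", replay(login_zone(), TRAFFIC, "peer"))
    print("keyed by client address:", replay(login_zone(), TRAFFIC, "client"))
```

Keyed on the proxy address, the noisy client uses up the shared budget and the normal user's login is rejected; keyed on the client address, each source gets its own budget of one request plus the burst.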

Basic iptables rules

bash
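# Limit concurrent connections per source IP (connlimit counts open connections)
sudo iptables -A INPUT -p tcp --syn -m connlimit --connlimit-above 50 -j DROP

# Limit ICMP
sudo iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 4 -j ACCEPT
sudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

# Drop invalid packets
sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

# SYN flood protection: accept SYNs within the limit, drop the excess.
# The limit match is global, not per IP; raise the rate and burst to fit normal traffic.
sudo iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j ACCEPT
sudo iptables -A INPUT -p tcp --syn -j DROP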

Persist rules:

bash
sudo apt install -y iptables-persistent
sudo netfilter-persistent save

Recommendations

  • Keep Cloudflare proxy active to hide your real IP
  • Never expose the direct server IP in DNS records without proxy
  • Set up Cloudflare alerts to detect traffic spikes
  • Combine Baires Host protection + Cloudflare + rate limiting for defense in depth
  • If you suffer a sustained attack, contact Baires Host support
