LowEndBox - Cheap VPS, Hosting and Dedicated Server Deals

Will CloudFlare Protect Your Shared Hosting Against a DDoS Attack? Nope!

CloudFlare is a popular CDN/DDoS mitigation service that is widely used in our community.  There is a free version that many hobbyists use, and of course you can pay for more services and better protection.

A common perception is that if you put CF in front of your website, you are immune to DDoS attacks.  That is true (within the limitations of CF’s capabilities) if you’re on a dedicated server.  But for a VPS and especially for shared hosting, the situation is quite different.

Let’s look at some pictures.

CloudFlare DDoS Mitigation for Shared Hosting Fail

Here’s a typical shared hosting setup.  Could be cPanel or it could be DirectAdmin.  There’s a server with dozens, perhaps hundreds or even thousands of unrelated domains being served.  Some of them are behind CF and some are not.  Visitors are either interacting directly with these sites (for example, example.com) or are going to CF.

If the site is 100% static, then CF has no need to talk to the server after its cache is initially populated.  But that’s rare these days.  Most sites have some interactive or dynamic content.

Now let us interrupt this happy scene by introducing a bad actor.

CloudFlare DDoS Mitigation for Shared Hosting Fail

Someone doesn’t like the content on example.com for whatever reason.  Could be political, religious, a competitor, or just someone who’s not very mature taking offense at everything.  He decides to launch a DDoS attack against that site.  It quickly becomes overwhelmed and stops responding.

But here’s the thing…

CloudFlare DDoS Mitigation for Shared Hosting Fail

His DDoS attack might swamp the entire shared hosting server, which means that all of the sites on that server stop responding.

CloudFlare DDoS Mitigation Shared Hosting Fail

Yes, CF is still up and working great, but once CF can’t talk to the server, none of the dynamic content will come through.  Users will get the “you’re viewing a cached copy” message (at best).  If your site is WordPress, a forum, etc. then users effectively can’t see it.  If you’ve got a shopping cart, you can’t do business.

In short, the problem isn’t that you attracted a DDoS attack.  It’s that someone else, who has no DDoS protection such as CloudFlare, did and they’re on the same server as you.

Does this affect VPS servers?  Yes, to some extent.  It’s possible to swamp a VPS host node.  However, there are not as many web sites usually, so the number of domains that might act as magnets for DDoS attacks is smaller.  It’s really not unusual to have several thousand sites on a shared hosting server, and you don’t typically see as many on a VPS server.  People use VPSes for things other than web servers, though some of these (e.g., game servers) can be DDoS magnets in and of themselves.

The Solution

The best solution is to go with either a dedicated server or a host who providers DDoS protection for their whole network.  With a dedicated server, you’re in much more control of your fate.  Or sign up for a provider who protects their entire network with DDoS protection.

Related LowEndTalk thread this week: How You Handle Dos & DDoS Attack?




  1. mk:

    thanks for the useful article. I bought shared hosting with Racknerd during a holiday special from an ad here a while back and just found this post which led me down a road where found that they posted about ddos protection on shared hosting, https://www.racknerd.com/shared-hosting. glad i read this article as I would have never checked on this since I use cloudflare without being aware of this. thanks.

    February 25, 2024 @ 7:49 pm | Reply
  2. Hi, an other solution it’s to force everyone to host the website Tru cf 😂😂😂and block from firewall outside connections and allow only cf ☔
    AS I DID 😎

    February 26, 2024 @ 3:07 am | Reply

Leave a Reply

Some notes on commenting on LowEndBox:

  • Do not use LowEndBox for support issues. Go to your hosting provider and issue a ticket there. Coming here saying "my VPS is down, what do I do?!" will only have your comments removed.
  • Akismet is used for spam detection. Some comments may be held temporarily for manual approval.
  • Use <pre>...</pre> to quote the output from your terminal/console, or consider using a pastebin service.

Your email address will not be published. Required fields are marked *