fairlane.systems

DDoS · SECURITY & OPS

DDoS protection with Cloudflare: layer 3, 4, and 7 for SME web apps in 2026

Defend against volumetric and application-layer DDoS attacks with Cloudflare Free, Pro, or Business. Covers AI-orchestrated attacks as of May 2026.

Researched & fact-checked · As of: 2026-05

What is DDoS protection?

A Distributed Denial of Service (DDoS) attack is one in which thousands or millions of compromised devices simultaneously flood a web application with traffic until it collapses. DDoS protection sits between the internet and your infrastructure, filters out the malicious traffic, and lets only legitimate requests through.

The threat comes in three layers. Volumetric attacks at layers 3 and 4 (network and transport) try to exhaust bandwidth or TCP connection tables; typical examples are UDP floods, SYN floods, and amplification attacks via DNS or NTP reflectors. Application-layer attacks at layer 7 target expensive HTTP endpoints and look superficially like normal traffic: HTTP floods, Slowloris (holding connections open with partial requests), and more recently AI-orchestrated attacks in which LLM agents drive headless browsers with realistic fingerprints and click paths.

Cloudflare has been the market standard for DDoS protection since 2010 and as of May 2026 operates a network of 330 points of presence with more than 380 Tbps capacity. The big advantage: your own hosting (Hetzner, DigitalOcean, AWS) never sees the attack, because Cloudflare serves your DNS, the proxied records point at Cloudflare edge addresses, and all traffic for the hostname flows through Cloudflare's network. That holds only as long as the origin's own IP address stays undiscoverable (see the pitfall below).

Why it matters more in 2026 than ever

Cloudflare's Q1 2026 report sets a new record: 17 million requests per second at peak in a hyper-volumetric layer-7 attack. The number of DDoS attacks rose 87 percent year over year. Drivers: cheap botnets for rent from USD 30 per hour, and new AI-orchestrated attacks in which LLM agents change tactics as soon as simple rate-limiting rules kick in.

For an SME that means in practice: a single motivated attacker with a Stripe account and a Telegram connection can take a Swiss law firm's or fiduciary's web presence offline for 24 to 48 hours. Damage: reputational loss, unanswered client requests, possibly contractual penalties under SLA commitments.

For an e-commerce SME: an hour of downtime on the order platform quickly costs a day's profit. For a practice booking platform: missed appointments, frustrated patients.

The question is no longer if but when. And without an upstream edge network in place, the response time is a few hours of emergency setup during the running attack - a scenario nobody wants to experience.

How Cloudflare protection works

Cloudflare operates as a reverse proxy. Your domain's A and AAAA records no longer point at your origin server but at Cloudflare edge IPs. Requests hit Cloudflare first; Cloudflare inspects, filters, caches, and forwards only legitimate requests to the origin.

Layer 3/4 protection runs automatically and free on every plan. Cloudflare absorbs UDP and SYN floods at its anycast edge; they never reach your origin, because the origin's address is not what your hostname resolves to. This layer keeps working even when the web server is down. The caveat: it only holds while traffic actually terminates at Cloudflare, which means the origin IP must not be reachable directly.

Layer 7 protection is plan-dependent. The Free tier includes HTTP DDoS mitigation, a small number of custom WAF rules and rate-limiting rules, and Bot Fight Mode (a managed challenge for traffic that looks automated, not a classic captcha). Pro (USD 25/month) adds the managed rulesets (Cloudflare Managed Ruleset and OWASP Core Ruleset), more rate-limiting rules, and Super Bot Fight Mode with ML-based classification. Business (USD 200/month) raises the rule limits further and adds features such as IP reputation lists and more granular bot controls; full Bot Management with per-request bot scores is an Enterprise feature. Authenticated Origin Pulls (mTLS between Cloudflare and the origin) is available on every plan. Check Cloudflare's current plan comparison for exact limits, which change over time.

Cloudflare Tunnel is the pro tip: instead of keeping an open port on the origin server, a small daemon (cloudflared) opens an outbound connection to Cloudflare and receives the proxied requests over it. The origin no longer needs to listen on any inbound port, so the host firewall can drop all inbound 80/443 traffic. Available on the Free tier; roughly thirty minutes of setup; strongly recommended. Note that the tunnel removes the network-level attack path but not the layer-7 one: requests Cloudflare forwards still reach your application, so WAF and rate limiting remain necessary.

Bot management as of May 2026 is the key defence against AI-driven attacks. Cloudflare uses browser fingerprinting, TLS fingerprinting (JA3, JA4), behavioural analysis, and a proprietary ML model that distinguishes automated agents from real browsers. Detection rate: 98 percent by Cloudflare's own figure; in practice expect roughly 90 to 95 percent.

Activate Cloudflare protection in 6 steps

  1. Add the domain to Cloudflare, move DNS to the Cloudflare nameservers, and set the proxy status to proxied (orange cloud) for every web-facing A, AAAA, and CNAME record.
  2. Set the TLS mode to Full (Strict) so the Cloudflare-to-origin connection is encrypted and the origin certificate is validated (a free Cloudflare Origin CA certificate on the origin is enough).
  3. Set up Cloudflare Tunnel: install cloudflared on the origin, create the tunnel and its ingress config, route the hostname to the tunnel, then close ports 80 and 443 on the origin's firewall.
  4. Activate WAF rules: enable the managed rulesets (Cloudflare Managed Ruleset and OWASP Core Ruleset, Pro and above) and Bot Fight Mode (Free) or Super Bot Fight Mode (Pro/Business).
  5. Configure rate limiting for critical endpoints, for example /api/login at most 5 requests per minute per IP. Cloudflare's standard rate-limiting rules count per source IP; a per-account limit such as /api/llm at 30 per minute per API key has to be counted in the application itself (or with Cloudflare's advanced rate limiting).
  6. Add Cache Rules (or legacy Page Rules) for cache behaviour: cache static assets aggressively, bypass the cache for API endpoints and anything behind a login.
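The per-account limit from step 5 is the part Cloudflare's standard rate limiting cannot do for you, so here it is as an added example (not code from the page or from Cloudflare): an origin-side sliding-window limiter in Python with the two policies from the step. It assumes the web framework hands it the request path, the visitor IP that Cloudflare forwards in CF-Connecting-IP, and the authenticated account or API key; the policy table, the paths, and the request trace in demo() are constructed.

```python
"""Origin-side rate limiter for the per-endpoint limits in step 5.

Added example; not code from the page or from Cloudflare. Cloudflare's standard
rate-limiting rules count per source IP, so a per-account limit (the /api/llm
token-burn case) has to be counted where the account is known: in the app.
Sliding-window log in memory; for several app instances back it with Redis.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
import time


@dataclass(frozen=True)
class Policy:
    limit: int      # requests allowed per window
    window: float   # window length in seconds
    key: str        # "ip" or "account": which identity the counter is bound to


# Limits from step 5 of the article. Paths and values are assumptions to tune.
POLICIES = {
    "/api/login": Policy(limit=5, window=60.0, key="ip"),
    "/api/llm": Policy(limit=30, window=60.0, key="account"),
}


class SlidingWindowLimiter:
    def __init__(self, policies=POLICIES):
        self.policies = policies
        self._hits = defaultdict(deque)  # (path, identity) -> request timestamps

    def check(self, path, client_ip, account=None, now=None):
        """Return (allowed, retry_after_seconds) for one request.

        client_ip must be the visitor address Cloudflare forwards in
        CF-Connecting-IP, not the Cloudflare edge address the socket shows.
        """
        policy = self.policies.get(path)
        if policy is None:
            return True, 0.0                      # endpoint is not rate limited
        now = time.monotonic() if now is None else now
        if policy.key == "account":
            if not account:
                return False, 0.0                 # fail closed: no identity, no LLM call
            identity = account
        else:
            identity = client_ip
        hits = self._hits[(path, identity)]
        cutoff = now - policy.window
        while hits and hits[0] <= cutoff:         # drop requests outside the window
            hits.popleft()
        if len(hits) >= policy.limit:
            return False, round(hits[0] + policy.window - now, 3)
        hits.append(now)                          # rejected requests are not counted
        return True, 0.0


def demo():
    """Constructed trace: a credential-stuffing burst against /api/login."""
    limiter = SlidingWindowLimiter()
    decisions = []
    for t in range(7):                            # seven attempts, one per second
        allowed, retry = limiter.check("/api/login", "198.51.100.7", now=float(t))
        decisions.append((float(t), allowed, retry))
    # the sixth attempt (t=5) is rejected; the first hit falls out of the window at t=60
    allowed, retry = limiter.check("/api/login", "198.51.100.7", now=60.5)
    decisions.append((60.5, allowed, retry))
    return decisions


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Rejected requests are deliberately not added to the window, so a blocked client cannot extend its own lockout; the returned retry value maps directly onto a Retry-After header.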

When to activate Cloudflare

Cloudflare belongs in front of every publicly reachable Swiss SME web app. The Free tier already covers 95 percent of DDoS attacks on SMEs and costs nothing. There is rarely a good argument not to use Cloudflare.

Typical use cases: a law firm's marketing site (Free is enough). A fiduciary client portal with login (Pro recommended for rate limiting and bot management). An e-commerce platform with payment endpoints (Pro or Business). An online doctor booking platform (Pro). A self-hosted AI platform with public LLM endpoints (Business - LLM API endpoints are a favourite target for token-burn attacks).

For multi-site setups: one Pro or Business account covers multiple domains, which scales economically.

When Cloudflare does not fit

Three cases where Cloudflare is not the right answer.

First: strict FADP-compliant setups with a data-localisation duty. Cloudflare is a US company and is subject to the US CLOUD Act. Cloudflare does offer Standard Contractual Clauses and a configurable EU region (Data Localization Suite add-on), but for the highest tier of client data (FINMA, MedBG, BGFA) the setup is delicate. Alternatives: Bunny.net (EU-headquartered, Slovenian company), Imperva (a US choice if US risk is already accepted).

Second: non-HTTP applications with custom protocols (SIP, MQTT, custom TCP). Cloudflare Spectrum can offer layer-4 protection for arbitrary TCP/UDP, but that is enterprise tier (from USD 1000 per month).

Third: real-time applications with hard latency budgets below 20 milliseconds (trading, online gaming). The Cloudflare hop adds 5 to 15 milliseconds depending on the origin location. Irrelevant for typical web apps, an argument for specialised real-time cases.

General pitfall: activating Cloudflare but leaving the origin IP publicly reachable. Attackers scan Censys and Shodan, GitHub repos, and old or unproxied DNS records (mail., ftp., direct. subdomains) and find the origin IP; then they hit it directly and the protection is bypassed. Solution: after activating Cloudflare, configure the origin firewall (nftables/iptables or the hosting provider's firewall) to accept ports 80 and 443 only from Cloudflare's published IP ranges, and refresh that list regularly. Or use Cloudflare Tunnel, which needs no open port at all. Either way, audit the zone for leftover unproxied records pointing at the origin.
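The origin lockdown described above, as an added Python example (not Cloudflare's or the page's own code): it tells whether an address belongs to Cloudflare, renders an nftables allowlist for ports 80 and 443, flags unproxied DNS records that still publish the origin address, and decides when the CF-Connecting-IP header may be trusted. That last check matters because an application that trusts the header unconditionally lets anyone who reaches the origin directly spoof any visitor IP, which defeats per-IP rate limits and poisons the logs. The IPv4 prefixes are a snapshot of Cloudflare's published list at https://www.cloudflare.com/ips-v4 and must be refreshed from there before use (the IPv6 list at ips-v6 needs the same treatment); the DNS records, origin address, and header values are constructed.

```python
"""Origin-exposure checks for a Cloudflare-fronted origin.

Added example, not Cloudflare's or the page's code. CLOUDFLARE_V4_SNAPSHOT is a
snapshot of https://www.cloudflare.com/ips-v4 and must be refreshed from that
URL; treat it as sample data here. Sample DNS records are constructed.
"""
import ipaddress

CLOUDFLARE_V4_SNAPSHOT = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]

# Constructed zone, in the shape of Cloudflare's DNS records API response.
ORIGIN_IPS = {"203.0.113.10"}
SAMPLE_RECORDS = [
    {"name": "www.example.ch", "type": "A", "content": "203.0.113.10", "proxied": True},
    {"name": "direct.example.ch", "type": "A", "content": "203.0.113.10", "proxied": False},
    {"name": "mail.example.ch", "type": "A", "content": "203.0.113.20", "proxied": False},
    {"name": "example.ch", "type": "MX", "content": "mail.example.ch", "proxied": False},
]


def parse_ranges(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def is_cloudflare_ip(ip, ranges):
    """True if ip falls inside one of the Cloudflare prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def nftables_allowlist(cidrs, ports=(80, 443)):
    """Render an nftables table that accepts the web ports only from Cloudflare.

    Drops everything else on those ports; the rest of the host firewall is
    untouched. With IPv4-only prefixes this also drops direct IPv6 hits,
    so add an ip6 saddr rule when the origin has an AAAA record.
    """
    portlist = ", ".join(str(p) for p in ports)
    return "\n".join([
        "table inet cf_only {",
        "  set cloudflare_v4 {",
        "    type ipv4_addr; flags interval;",
        "    elements = { " + ", ".join(cidrs) + " }",
        "  }",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        f"    tcp dport {{ {portlist} }} ip saddr @cloudflare_v4 accept",
        f"    tcp dport {{ {portlist} }} drop",
        "  }",
        "}",
    ])


def dns_leaks(records, origin_ips):
    """Names of unproxied A/AAAA records that publish an origin address."""
    return [r["name"] for r in records
            if r["type"] in ("A", "AAAA") and not r["proxied"]
            and r["content"] in origin_ips]


def trusted_client_ip(peer_ip, headers, ranges):
    """Visitor IP for logging and rate limiting.

    CF-Connecting-IP is trustworthy only when the TCP peer is Cloudflare;
    a client that reached the origin directly can set it to anything.
    """
    forwarded = headers.get("CF-Connecting-IP")
    if forwarded and is_cloudflare_ip(peer_ip, ranges):
        return forwarded
    return peer_ip


if __name__ == "__main__":
    ranges = parse_ranges(CLOUDFLARE_V4_SNAPSHOT)
    print("leaking records:", dns_leaks(SAMPLE_RECORDS, ORIGIN_IPS))
    print(nftables_allowlist(CLOUDFLARE_V4_SNAPSHOT))
```

Load the rendered ruleset with nft -f and re-render it from a fresh download on a schedule; a stale allowlist silently drops legitimate Cloudflare pulls when Cloudflare adds a prefix, and a missing allowlist silently admits the attacker.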

Trade-offs

STRENGTHS

  • Layer 3/4 and basic layer 7 protection free of charge on the Free tier
  • Pro tier at USD 25/month covers most SME needs including rate limiting and bot management
  • Cloudflare Tunnel closes origin ports entirely (no direct attack vector)
  • Global anycast edge with 380 Tbps capacity absorbs hyper-volumetric attacks

WEAKNESSES

  • US vendor, CLOUD Act risk - delicate for highly confidential client data
  • 5 to 15 ms added latency, critical for real-time applications
  • Origin IP leak voids the protection if origin remains publicly reachable
  • Bot management is not 100 percent; AI-orchestrated attacks partially get through

FAQ

Is Cloudflare Free enough for an SME?

For pure marketing sites usually yes. As soon as login, payment, or LLM-API endpoints are involved, Pro pays off: more rate-limiting rules, the managed WAF rulesets, and Super Bot Fight Mode. Empirically, a motivated attacker with a layer-7 script kit gets through Free on an /api/login endpoint that has no rate-limiting rule at all, and Free allows only very few such rules, so several sensitive endpoints quickly exhaust it.

Is Cloudflare FADP-compliant for Swiss client data?

As a US company, Cloudflare is a third-country transfer (see drittlandtransfer-tia). Cloudflare offers Standard Contractual Clauses, appears on the FDPIC's list of typical US sub-processors, and offers the Data Localization Suite (Regional Services, Geo Key Manager) so that TLS termination and private keys stay in the EU. Keep in mind that Cloudflare terminates TLS at its edge and therefore sees request and response bodies in clear text. For client data under professional secrecy (Art. 321 SCC), additional client-side pseudonymisation or payload encryption is therefore required, so that such data never passes through Cloudflare in clear text. For high confidentiality, prefer: Cloudflare only for the marketing site, the client portal separate without Cloudflare or behind an EU alternative (Bunny.net).

What are AI-orchestrated DDoS attacks?

A class of attacks in which an LLM agent adapts its strategy in real time. Example: the attacker launches an HTTP flood. Cloudflare's bot protection starts challenging the traffic after a few seconds. The agent detects this, rotates user agents, throttles requests per second, simulates mouse movement, obtains solved challenge tokens from a captcha-solving service, and hands them to the bots. Cloudflare measured the first fully automated examples in Q1 2026. Countermeasure: bot protection with JA4 fingerprinting and behavioural analysis, because the behaviour of an LLM-driven agent still differs from that of a real browser.

What are the alternatives to Cloudflare?

Bunny.net from Slovenia is the EU-oriented option with attractive pricing (from EUR 1/month) and a good CDN, but weaker layer-7 protection. AWS Shield Standard is free for all AWS customers; AWS Shield Advanced costs USD 3000/month. Imperva is the enterprise choice with a strong WAF (quote on request). Akamai serves large customers. For SMEs Cloudflare remains the obvious choice except under strict data localisation.

Related topics

  • CLOUDFLARE · TECH STACK: Cloudflare as DNS, reverse proxy, and WAF: SSL modes, cache rules, origin certificates
  • FIREWALL · SECURITY & OPS: Firewall and CrowdSec: layered protection for SME servers in 2026
  • TLS · SECURITY & OPS: SSL/TLS certificates with Let's Encrypt: TLS 1.3, HTTP/3, and auto-renew for SMEs 2026
  • TIA · COMPLIANCE: Third-country transfer and Transfer Impact Assessment (TIA): Swiss data in US and PRC cloud LLMs
  • HETZNER · TECH: Hetzner as EU hosting for Swiss fiduciaries and SMEs: data centres, contracts, cost
  • INCIDENT RESPONSE · SECURITY & OPS: Incident response playbook: NIST SP 800-61 six-phase model for SMEs

Sources

  1. Cloudflare DDoS Threat Report Q1 2026 · 2026-04
  2. Cloudflare Documentation - DDoS Protection and Plans Overview · 2026-05
  3. Cloudflare Tunnel Documentation · 2026-05
  4. BSI - Distributed Denial of Service Attacks, Lagebild 2026 · 2026-03
  5. NCSC Schweiz - Halbjahresbericht 2025/2 DDoS-Trends · 2026-02
