DDoS Reccomendations and Cloudflare FAQ's
In recent years, the risks of DDoS website attacks have increased as well as costs associated with mitigation and protection. Foxbright has strived to keep hosting costs low for our partners and have worked to find affordable and robust solutions for DDoS protection in our hosting environment, without needing to increase costs. As Foxbright migrates websites to our new Azure hosting environment, we are reviewing our DDoS protection offerings and making recommendations for our partners for the most effective protection available.
What are DDoS Attacks?
A Distributed Denial of Service (DDoS) attack is a method of crashing or slowing down a website, server, or network by flooding it with traffic or false requests.
Foxbright's DDoS Protection Recommendations and Requirements
To avoid increasing hosting costs, Foxbright Development has extensively researched the best and most cost-effective DDoS mitigation methods.
1. Use Cloudflare Name Servers
Our preferred recommendation involves migrating website domain name servers (DNS) to Cloudflare (see information below). Cloudflare provides robust protection through proxy servers which masks the server IP from the public and is able to quickly add or change IP addresses when a site is under attack. This also provides protection to the entire hosting environment by preventing malicious traffic from reaching the host server. Cloudflare also provides a website cache to ensure website content is reachable even while under attack. Cloudflare is the only DNS provider we are aware of which provides the highest level of protection at no additional cost.
- Cloudflare offers several service plans for DNS. The free option provides excellent DDoS protection on it's own. Paid versions can provide additional firewall and monitoring but is not required.
- Organizations may migrate their DNS to Cloudflare prior to website server migrations or perform the migration after the server migration. We recommend performing the migration at least several days before or after other DNS updates are completed.
- Migrating to Cloudflare DNS does not require changing domain registrars. Domains will remain under full organization control and ownership at their existing registrar.
- Many Foxbright clients already use Cloudflare because of their advanced protection and strong reputation in the industry.
2. Web Application Firewall (WAF) through Azure Hosting Environment
Foxbright is able to provide WAF protection at the server level for moderate protection. The WAF will provide adequate protection for most applications and styles of DDoS attacks however it is not as robust of protection as offered by Cloudflare, nor is it free. Preferably, clients are able to utilize the free Cloudflare options to avoid additional costs however we understand this might be possible for all organizations.
- The WAF protection costs $200 annually
- Clients not utilizing Cloudflare at time of migration will be added to the WAF at no additional charge. The $200 annual fee will be added to invoices for the 2025-26 school year, which for most organizations will be sent in the summer of 2025.
- If Cloudflare or other DDoS protection is utilized prior to the 2025 invoice, WAF will be removed at no additional charge.
3. Client-provided DDoS Protection
Some organizations purchase 3rd party DDoS protection through their current DNS or obtain through other methods. If your website has alternate means of DDoS protection please send Foxbright documentation regarding the protection, and if satisfactory, Foxbright will remove the WAF and waive any additional costs.
Unable to use Cloudflare?
We ask clients to sign this waiver that you are declining Cloudflare DDoS protection or have alternative DDoS protections in place. Please provide Foxbright with information or documentation regarding your current DDoS protection for review. Foxbright will send additional reminders in early 2025 regarding DDoS protection as-needed .
What is Cloudflare and how does this affect my website?
Cloudflare provides cloud-based DDoS and Web Application Firewall (WAF) for your website. Some of our clients are already using Cloudflare for their site protection.
What will it cost?
Cloudflare offers a free option for your domain that includes DDoS protection and easy to use DNS. The Pro version includes a Web Application Firewall and costs $25/month.
How is Cloudflare best utilized?
Foxbright believes that Cloudflare provides the best security when Cloudflare Name Servers are used for your domain. We realize this may be something that not all of our client’s can do. If you fall into this category, see below for additional options.
How is Cloudflare different from my current DNS?
On the surface Cloudflare works like any other DNS provider. You can add records just like you do today. However, Cloudflare has a proxy service and when enabled, it does not tell the public anything about your website source IP address. Instead, when you (or some hackers) ask for your website IP address, Cloudflare returns one of their own IP addresses. Cloudflare can switch the DNS address very quickly when needed, often in response to hackers.
How do I grant Foxbright with access to my Cloudflare account?
What if I don’t want to use Cloudflare?
In this case, you will be responsible for providing DDoS protection for your website.
- You may sign a waiver that you are declining DDoS protection and you understand that you are risking that your website may fall prey to a DDoS attack and Foxbright will not be able to assist in restoring the website until the DDoS attack subsides.
- Foxbright will isolate unprotected sites to their own server and add a server-level WAF to each isolated site at the cost of $200 annually. While WAF alone is not as robust as using Cloudflare Name Servers, the WAF provides protection against common attacks. Foxbright can remove the WAF (and associated fees) if Cloudflare or other protection is added at a later date.
- If you have DDoS protection for your website via a service from you DNS provider, please provide Foxbright with specific information on your service protection and how it is being provided. If the protection is deemed adequate, additional WAF protection may not be needed.
Need technical and/or configuration assistance?
What if I don't have a technology department to assist with configuration?
Foxbright can create a Cloudflare account on your behalf and manage the configuration. You will need to share access to your domain and the domain needs to be with GoDaddy or Network Solutions. If you would like Foxbright manage this please share domain access using the appropriate instructions below and email [email protected] letting us know that you are doing so as DNS invitations are time sensitive.
Please Note: Foxbright will not migrate or change domain registrars. The domain will remain under organization ownership and control, only the name servers will be migrated. Once Migration occurs, Foxbright's access to your DNS may be revoked if desired.