Distributed Denial of Service (DDoS) attacks are no longer the exclusive concern of large enterprises. Cheap DDoS-for-hire services have democratized the attack — meaning any motivated adversary can take down a small website for a few dollars per hour.
Understanding the Attack Types
Volumetric attacks flood your network with traffic — the goal is to saturate your bandwidth. Protocol attacks exploit weaknesses in network protocols or exhaust the state servers keep for them (SYN floods, Ping of Death). Application layer attacks (Layer 7) send legitimate-looking requests that are expensive to process — these are the hardest to mitigate, because they are difficult to tell apart from real users.
Layer 1: Cloudflare (Free Tier Is Enough to Start)
Put Cloudflare in front of your origin server. Cloudflare's network absorbs volumetric attacks before they reach you. Enable "I'm Under Attack" mode during an active attack — it adds a JavaScript challenge that filters bots. Keep your origin server IP secret, and ideally firewall the origin so it accepts traffic only from Cloudflare's published IP ranges; if attackers discover the IP they can send traffic straight to the origin and bypass Cloudflare entirely.
Layer 2: Rate Limiting
Implement rate limiting at both the edge (Cloudflare rate limiting rules) and in your application. Limit requests per IP, per user agent, and per route. This is particularly important for login endpoints, API routes, and any computationally expensive operations, where a modest request rate is enough to exhaust CPU or database capacity.
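As an added illustration (not code from the article), a minimal in-process token-bucket limiter in Python, keyed by client IP and route, with a stricter budget for the login endpoint than for ordinary pages. The route names, limits, and IP addresses are illustrative assumptions.

```python
import time

# Per-route policies as (burst capacity, refill rate in tokens per second).
# Assumed, illustrative values: login is strict because every attempt costs a
# password hash; a search API gets a moderate budget; everything else is loose.
ROUTE_POLICIES = {
    "/login": (5, 0.25),       # 5 attempts burst, then one every 4 seconds
    "/api/search": (30, 0.5),  # 30 burst, 30 per minute sustained
}
DEFAULT_POLICY = (100, 10.0)   # 100 burst, 10 requests/second sustained


class TokenBucketLimiter:
    """Token-bucket limiter keyed by (client_ip, route).

    Each key owns a bucket of `capacity` tokens refilled continuously at
    `rate` tokens per second. A request consumes one token; an empty bucket
    means the request is rejected (the caller would answer HTTP 429).
    """

    def __init__(self, policies=ROUTE_POLICIES, default=DEFAULT_POLICY,
                 clock=time.monotonic):
        self.policies = policies
        self.default = default
        self.clock = clock          # injectable for deterministic tests
        self.buckets = {}           # (ip, route) -> (tokens, last_seen_ts)

    def allow(self, ip: str, route: str) -> bool:
        capacity, rate = self.policies.get(route, self.default)
        now = self.clock()
        tokens, last = self.buckets.get((ip, route), (capacity, now))
        # Refill proportionally to elapsed time, never above capacity.
        tokens = min(capacity, tokens + (now - last) * rate)
        if tokens >= 1:
            self.buckets[(ip, route)] = (tokens - 1, now)
            return True
        self.buckets[(ip, route)] = (tokens, now)
        return False


def simulate(limiter: TokenBucketLimiter, ip: str, route: str, n: int) -> int:
    """Fire n back-to-back requests and return how many were allowed."""
    return sum(limiter.allow(ip, route) for _ in range(n))


class FakeClock:
    """Manually advanced clock so refill behaviour can be checked offline."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t
```

This limiter keeps state in process memory, so once you auto-scale to several instances each one sees only its own share of the traffic; in that setup back the buckets with a shared store such as Redis so the limit applies to the aggregate.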
Layer 3: Caching
A cached response is served without hitting your application server or database. Aggressive caching of static and semi-static content means your infrastructure handles a fraction of the load even during a traffic spike. Use Cloudflare's CDN caching, configure cache-control headers correctly, and pre-generate static pages where possible.
Layer 4: Auto-scaling
If you are on a cloud provider (Vercel, AWS, Railway), ensure auto-scaling is configured. Horizontal scaling allows your infrastructure to absorb traffic spikes rather than collapsing under them. Serverless architectures scale automatically and are naturally resilient to volumetric attacks; set spending limits and billing alerts, though, so that an attack which is absorbed by scaling does not simply turn into a large bill.
Monitoring and Alerting
You cannot defend what you cannot see. Set up uptime monitoring with a service like Better Uptime or Uptime Robot. Configure alerts that fire when response times spike or error rates increase. The faster you detect an attack, the faster you can respond.
Incident Response Plan
Decide in advance what you will do during an attack: who to contact, which Cloudflare settings to enable, and when to escalate to your hosting provider. Having a written runbook means you are not making decisions under pressure.
Conclusion
You do not need a dedicated security team or enterprise budget to be resilient against most DDoS attacks. Cloudflare's free plan, sensible rate limiting, and proper caching handle the vast majority of attack scenarios. Layer these defenses, monitor your systems, and have a plan ready before you need it.