A global nonprofit’s public site came under a sustained flood of automated traffic. The mandate: keep the site up for the people who needed it, without buying a bigger origin or an emergency vendor contract.
The traffic didn’t look like a textbook volumetric attack at first — it looked like success. Request counts climbed, origin CPU followed, and pages got slower for everyone. Under the hood, a rotating pool of clients was hammering the most expensive endpoints: search, dynamic pages, anything that bypassed the cache and made the origin work.
That’s the part that makes application-layer floods dangerous for lean organizations. The origin was sized for people, not for bots with infinite patience — and every request it burned on junk was capacity taken from a family or donor trying to reach the site.
Everything was done at the Cloudflare edge, in front of the origin — no new servers, no code changes to the application itself.
The stack held. More than forty million malicious requests were absorbed at the edge over the course of the attack — rejected, challenged, or queued — while the origin kept serving real visitors at normal speed. No emergency capacity was purchased. No maintenance page went up. Most people never knew anything happened, which is exactly the point.
The configuration stayed in place afterward as a permanent posture: the rate limits and challenge rules now absorb the background radiation of the internet — scrapers, credential stuffers, vulnerability scanners — every day, quietly.
If your site is getting slower and your traffic graphs are getting weirder, the diagnosis is usually a day’s work and the fix rarely requires new infrastructure. Email me — or run your own domain through the live health check first.