Currently we are running NGINX as a reverse proxy with an MVC framework using TWIG, PHP, Elasticache, MySQL, NodeJS (socket.io) <- Instant Notification & Messaging
Our site has decent load speeds but we are constantly having to reload PHP because people keep DDoSing our site. We do not know how to mitigate this but we have created rate-limiting rules in CloudFlare for 60 requests per 10 seconds. The only luck we have had was to put the site on heavy attack mode but that causes the users to wait 5 seconds frequently when browsing the site. While we do not know who is committing the attacks we would like to prevent a majority of them because the site is being taken down almost every other day.
What can we do to prevent the site from serving users 502 pages after a DDoS attack?
What steps can we take to locate and block the source of the attacks as early as possible?
We don't have a large amount of money to spend paying a company like Imperva to handle this, but we would like to continue developing our platform without our users constantly having to load a 502 or wait 5 seconds for a lot of the pages they load (from Cloudflare).
I assume the account you have with CloudFlare is the basic plan and does not provide Layer 3/4/7 DDoS mitigation by default. Still, you can surely protect your site from common DDoS attacks by applying relevant WAF rules in CloudFlare while a DDoS is going on, but for that you will have to observe the web server logs and the CloudFlare panel to see the pattern of the attack.
First step should be to decrease the rate limit you currently have which is 60 requests/10 seconds.
Secondly, I would suggest looking for the pattern of the ongoing DDoS attacks, which will help you mitigate them by applying corresponding rules in CloudFlare (every DDoS has a different pattern which requires different mitigation steps).
As a general rule: enable a JavaScript or Captcha challenge through CloudFlare on certain pages/endpoints of your website, or when a certain rate limit is exceeded. This is helpful because DDoS attacks are conducted using bots, and when you apply a JavaScript or Captcha challenge on your website, only actual human users can pass these challenges and the bots get filtered out.
Also, I would suggest setting up DDoS alerts through CloudFlare, which will help you take timely action (as suggested above) to block those attacks before your users get affected and your hosting server(s) get choked.
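One way to do the log observation this answer recommends, as an added example that is not part of the original answer: a small Python script that parses NGINX access-log lines and flags clients exceeding 60 requests in any 10-second window (the question's own limit), along with the path and User-Agent they hit most, which is the pattern you would then turn into a CloudFlare WAF or rate-limiting rule. It assumes an NGINX log_format of "combined" plus the CF-Connecting-IP header appended at the end, since behind CloudFlare $remote_addr is only a CloudFlare edge address; the sample log is constructed inline.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
# Assumed NGINX log_format: "combined" plus the CF-Connecting-IP header appended,
# since behind Cloudflare $remote_addr is only a Cloudflare edge, not the client.
LINE_RE = re.compile(
    r'\S+ \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)" (?P<client>\S+)$')

def parse(log_text):
    """Yield (client_ip, timestamp, path, user_agent) per well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["client"], ts, m["path"], m["ua"]

def offenders(log_text, limit=60, window=10):
    """Map client IP -> (peak requests in any `window`-second span, most-hit path,
    most-used User-Agent) for clients whose peak exceeds `limit`."""
    by_client = defaultdict(list)
    for ip, ts, path, ua in parse(log_text):
        by_client[ip].append((ts, path, ua))
    flagged = {}
    for ip, events in by_client.items():
        events.sort(key=lambda e: e[0])
        times = [e[0] for e in events]
        start = peak = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() >= window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > limit:
            top = lambda i: Counter(e[i] for e in events).most_common(1)[0][0]
            flagged[ip] = (peak, top(1), top(2))
    return flagged

def constructed_log():
    """Constructed sample: one client hammering /login, one normal browser."""
    t0 = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    fmt = '198.51.100.1 - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}" {ip}'
    stamp = lambda dt: dt.strftime("%d/%b/%Y:%H:%M:%S %z")
    lines = [fmt.format(ts=stamp(t0 + timedelta(milliseconds=100 * i)),
                        path="/login", ua="python-requests/2.31", ip="203.0.113.10")
             for i in range(90)]  # 90 requests in 9 s, far above 60 per 10 s
    lines += [fmt.format(ts=stamp(t0 + timedelta(seconds=3 * i)),
                         path=f"/page/{i}", ua="Mozilla/5.0", ip="192.0.2.25")
              for i in range(5)]  # a real visitor browsing normally
    return "\n".join(lines)
```

Run `offenders(constructed_log())` on the sample, or feed it the text of your real access log; the flagged path and User-Agent are what you would match in a CloudFlare firewall rule or challenge.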