Protecting Your Laravel API from DDoS Attacks: Best Practices

BackerLeader posted 3 min read

When you deploy your Laravel API to production, it becomes exposed to the wild — and with that comes the risk of Distributed Denial of Service (DDoS) attacks. These attacks can overwhelm your application with traffic, slow down your API, or even take your entire server offline.

As Laravel developers, understanding how to prevent and mitigate these attacks is critical. In this guide, we’ll explore how to use Laravel’s built-in features, server configurations, and external tools to protect your API from overloads.


Understanding DDoS Attacks

A DDoS (Distributed Denial of Service) attack happens when multiple systems flood a server or API with fake requests, exhausting its resources.
In simpler terms — it’s like having thousands of people knocking on your door at once so real visitors can’t get in.

There are two main types of DDoS attacks developers should know:

  • Network-Level Attacks (Layer 3 & 4): floods of packets or half-open connections (SYN floods, UDP amplification) that saturate your bandwidth or connection tables before a request ever reaches the web server.
  • Application-Level Attacks (Layer 7): valid-looking HTTP requests aimed at your app or API. Each one is cheap for the attacker to send but costs you PHP CPU time, database queries and a worker slot.

Our focus will be on Layer 7, which is where Laravel operates.


Laravel-Level Protection

Let’s start with what Laravel gives us right out of the box.

1. Rate Limiting Middleware

Laravel includes a built-in throttle middleware that caps how many requests a single client can make in a time window. By default the client is identified by the authenticated user's ID, or by IP address for guests.

Route::middleware(['throttle:60,1'])->group(function () {
    Route::get('/api/data', [ApiController::class, 'index']);
});

In this example:

  • 60 = Number of allowed requests
  • 1 = Time period in minutes

If a client exceeds this, Laravel automatically responds with HTTP 429 Too Many Requests, including Retry-After and X-RateLimit-* headers that tell a well-behaved client when it may try again.

You can also define named rate limiters with the RateLimiter facade. The definition goes in a service provider's boot method (RouteServiceProvider::configureRateLimiting in Laravel 8 to 10, AppServiceProvider::boot in Laravel 11), and routes attach it by name with the throttle:api middleware:

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Support\Facades\RateLimiter;

// Named limiter 'api': 30 requests per minute, one bucket per client IP.
// Routes reference it as throttle:api.
RateLimiter::for('api', function ($request) {
    return Limit::perMinute(30)->by($request->ip());
});

The by() key decides who shares a bucket: $request->ip() for anonymous clients, $request->user()->id for authenticated ones, or a combination. One caveat matters in production: behind a load balancer or CDN, $request->ip() is the proxy's address unless Laravel's TrustProxies middleware lists that proxy's address ranges. Without that, every client lands in the same bucket and you end up throttling your own front door.


Tip: Start with generous limits and tighten them as you observe real traffic. Limits that are too strict frustrate legitimate users. Remember also that a 429 still costs a full PHP request plus a cache round-trip, so application-level throttling caps abuse from individual clients; it does not stop a flood from consuming your web workers.
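The following is an added example, not code from the original post, showing how named limiters are declared and attached in practice: a per-user or per-IP limiter for the API as a whole, a stricter one for the login endpoint keyed on email plus IP with a JSON 429 response, and a tight limiter stacked on one expensive route. The controllers other than ApiController, the route paths and the limit values are assumptions.

```php
<?php
// Added example (not from the original post). The RateLimiter::for() calls
// belong in a service provider's boot() method (RouteServiceProvider::
// configureRateLimiting in Laravel 8-10, AppServiceProvider::boot in
// Laravel 11); the Route::... calls belong in routes/api.php, where Laravel
// already adds the /api prefix. Controllers and limit values are assumed.

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\Facades\Route;

// ---- service provider: boot() -------------------------------------------

// General API limiter. Authenticated clients are keyed by user ID, so one
// leaked token cannot be spread across many source addresses; anonymous
// clients are keyed by IP (correct only if TrustProxies is configured).
RateLimiter::for('api', function (Request $request) {
    return $request->user()
        ? Limit::perMinute(120)->by('user:' . $request->user()->id)
        : Limit::perMinute(30)->by('ip:' . $request->ip());
});

// Login limiter keyed on target account AND source IP: a password-spraying
// bot is throttled per account it attacks, not only per address it uses.
// The response() callback replaces Laravel's default 429 body with JSON.
RateLimiter::for('login', function (Request $request) {
    $email = strtolower(trim((string) $request->input('email', '')));

    return Limit::perMinute(5)
        ->by($email . '|' . $request->ip())
        ->response(function (Request $request, array $headers) {
            // $headers carries Retry-After and the X-RateLimit-* headers
            return response()->json(
                ['message' => 'Too many login attempts. Try again shortly.'],
                429,
                $headers
            );
        });
});

// Tight limiter for an endpoint that is expensive to serve (assumed route).
RateLimiter::for('reports', function (Request $request) {
    return Limit::perMinute(2)->by($request->user()?->id ?: $request->ip());
});

// ---- routes/api.php -----------------------------------------------------

Route::middleware(['throttle:api'])->group(function () {
    Route::get('/data', [ApiController::class, 'index']);

    // Stacked limiters: a request must pass both 'api' and 'reports'.
    Route::get('/reports/export', [ReportController::class, 'export'])
        ->middleware('throttle:reports');
});

// Login is outside the general group but has its own, stricter limiter.
Route::post('/login', [AuthController::class, 'login'])
    ->middleware('throttle:login');
```

Keying the login limiter on the email address means a single attacker rotating through many IPs still gets five attempts per account per minute, while a busy office behind one NAT address is not locked out of every account at once.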

2. Use Caching and Queues

Caching reduces load on your application by avoiding repetitive queries, which matters under a flood because the attacker's requests then hit Redis or Memcached instead of your database. It only helps when the set of cache keys is bounded: if a key is built from raw request parameters, an attacker varies them to miss the cache on every request.
Example:

use Illuminate\Support\Facades\Cache;

// Fixed key, one hour TTL: every request in that hour shares one query
$posts = Cache::remember('posts', 3600, function () {
    return Post::all();
});

Queues (backed by Redis, with Laravel Horizon to supervise and monitor the workers) keep slow work out of the request cycle: a request that triggers an export or an email returns immediately and a background worker does the heavy lifting, so web workers are freed sooner.


3. Log and Detect Suspicious Patterns

You can write middleware that records who is calling your API, so that sources sending too many requests or unusual payloads can be identified. A bare-bones version just logs the source of each request:

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;

public function handle(Request $request, Closure $next)
{
    // Log as structured context rather than an interpolated string, so
    // log parsers get fields and the IP can be aggregated later
    Log::info('api.request', ['ip' => $request->ip(), 'path' => $request->path()]);

    return $next($request);
}

Combine this with Laravel Telescope to browse requests during an incident, with two caveats. Telescope stores every recorded request in your database, so filter or sample what it records in production. And a per-request Log::info call during a flood writes one line per attacking request, which can fill your disk as fast as the attack fills your workers. Aggregated counts (per IP, per time window) are more useful than raw lines.
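Here is an added example, not from the original post, of the aggregated approach: a middleware that counts requests per client IP in the cache using a fixed one-minute window and writes exactly one warning per IP per window at the moment a threshold is crossed. The class name, threshold and window are assumptions; it needs a shared cache store such as Redis or Memcached so that counts are consistent across PHP workers and app instances.

```php
<?php
// Added example (not from the original post): per-IP request counting with
// a fixed window and a single alert per window when a threshold is crossed.
// Class name, THRESHOLD and WINDOW_SECONDS are assumptions. Requires a shared
// cache store (Redis/Memcached); the file or array driver is not atomic.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Log;

class DetectRequestFlood
{
    // Far above any legitimate client's rate, so this flags abuse rather
    // than busy-but-honest users (the throttle middleware handles those).
    public const THRESHOLD = 600;
    public const WINDOW_SECONDS = 60;

    public function handle(Request $request, Closure $next)
    {
        // $request->ip() is only the real client behind a proxy if
        // TrustProxies is configured for that proxy.
        $ip = $request->ip();

        // Fixed window: the key embeds the current minute bucket, so the
        // count resets naturally and old keys expire on their own.
        $bucket = intdiv(time(), self::WINDOW_SECONDS);
        $key = "flood:{$ip}:{$bucket}";

        // add() creates the key only if absent (atomic on Redis/Memcached);
        // the TTL spans two windows so late requests in the same bucket
        // still find it. increment() returns the new count.
        Cache::add($key, 0, self::WINDOW_SECONDS * 2);
        $count = Cache::increment($key);

        // Alert exactly once per IP per window, at the crossing point, so
        // a flood of 100,000 requests yields one log line, not 100,000.
        if ($count === self::THRESHOLD) {
            Log::warning('request.flood', [
                'ip'       => $ip,
                'count'    => $count,
                'window_s' => self::WINDOW_SECONDS,
                'path'     => $request->path(),
                'ua'       => $request->userAgent(),
            ]);
        }

        return $next($request);
    }
}
```

Register the class in the api middleware group (the $middlewareGroups['api'] array in app/Http/Kernel.php for Laravel 10 and earlier, or $middleware->api(append: [...]) in bootstrap/app.php for Laravel 11). The warning line is what a log shipper or Fail2Ban jail can act on; the middleware itself deliberately only observes, because blocking belongs at the throttle or Nginx layer where it is cheaper.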


Server-Level Protection

Even the best Laravel code can’t defend against everything.
Let’s strengthen things on the server side.

1. Use a Firewall

Set up a host firewall (UFW or iptables) so that only the ports the API needs are reachable, and administrative ports only from known address ranges.

# Deny everything inbound by default, then open only what the API needs
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp
sudo ufw allow 80,443/tcp
sudo ufw enable

This ensures only HTTP(S) and SSH traffic gets through. Where you can, restrict SSH further to your management addresses (ufw allow from <your range> to any port 22 proto tcp). Keep in mind what a host firewall does not do: a flood aimed at port 443 arrives on a port you opened on purpose, so the firewall drops none of it. That traffic has to be absorbed upstream.


2. Install Fail2Ban

Fail2Ban watches log files for patterns you define and, when an IP matches too many times within a window, inserts a temporary firewall rule banning it.

sudo apt install fail2ban

Configure it to watch Nginx or Apache logs for repeated hits. The bundled nginx-limit-req filter is a good fit here: it bans IPs that Nginx's own limit_req has already been rejecting (it matches the "limiting requests, excess:" lines in the error log), turning per-request throttling into a time-based ban. Fail2Ban is reactive and per host, so it thins out a handful of aggressive sources but will not keep up with thousands of them.


3. Add Nginx Rate Limiting

At the reverse proxy layer, you can limit the number of requests per IP before they even reach Laravel.

Example Nginx config:

# limit_req_zone must sit in the http context (any file under conf.d/ or
# sites-enabled/ is included there). One 10 MB zone keyed by client address,
# sustained rate 10 requests per second.
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;

server {
    # Rejected requests get 429 instead of Nginx's default 503
    limit_req_status 429;

    location / {
        # burst=20 admits short spikes; nodelay serves them immediately
        # and rejects only what exceeds the burst
        limit_req zone=api_limit burst=20 nodelay;
    }
}

With rate=10r/s and burst=20 nodelay, a client can fire up to 20 requests at once; after that Nginx admits one every 100 ms and answers the excess with 429 without spending a PHP worker on them. Two caveats: if a CDN or load balancer sits in front, $binary_remote_addr is the proxy's address, so enable the real_ip module (set_real_ip_from for the proxy's ranges plus real_ip_header X-Forwarded-For, or CF-Connecting-IP behind Cloudflare) or every client shares one bucket. And limit_req counts requests only; add limit_conn to cap concurrent connections per address against slow-request attacks.


☁️ Infrastructure-Level Protection

To handle larger-scale attacks, combine Laravel and server-side protections with infrastructure solutions:

  • Cloudflare / AWS Shield: absorb Layer 3/4 floods and filter Layer 7 traffic at the edge before it reaches your server. This only holds if the origin cannot be reached directly: keep the origin IP out of DNS and firewall it to accept traffic only from the provider's published address ranges.
  • Load Balancer: distributes requests across multiple instances and, via health checks, takes saturated instances out of rotation.
  • SSL (HTTPS): encrypts traffic and prevents tampering, but is not a DDoS defense on its own. TLS handshakes are CPU-heavy, so terminate TLS at the CDN or load balancer rather than on the PHP hosts.
  • Automatic Scaling: in cloud environments, spin up more instances during high load. Against a flood this also scales your bill, so pair it with rate limiting at the edge and with budget alarms.

Monitoring and Alerts

Detection is half the battle.
Use monitoring tools like:

  • Grafana + Prometheus for real-time server metrics.
  • Laravel Telescope for application-level tracking.
  • Custom Alerts: Send a Telegram or Slack message when request rates spike.

Example: the cron entry that drives Laravel's scheduler. It must run every minute, as Laravel expects; a coarser interval silently skips tasks scheduled more often than the cron runs.

* * * * * /usr/bin/php /var/www/html/artisan schedule:run >> /dev/null 2>&1

The check itself is then an Artisan command or closure registered with the scheduler (for example with ->everyMinute()) that reads the access log or the counters your middleware keeps and notifies you when a source exceeds its normal rate.
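As an added example, not code from the original post, here is an Artisan command for that scheduled check. It reads the tail of the Nginx access log, counts requests per client IP within a time window, and posts any IP above a threshold to a Slack incoming webhook. The log path, threshold, command name and the config key services.slack.alert_webhook are assumptions; the counting logic is kept in a static method so it can be unit-tested with constructed log lines.

```php
<?php
// Added example (not from the original post): scheduled access-log check.
// Assumptions: combined log format at the given path, Slack webhook URL in
// config('services.slack.alert_webhook'), command name traffic:check.
// Schedule it with Schedule::command('traffic:check')->everyMinute()
// (routes/console.php in Laravel 11, app/Console/Kernel.php before that).

namespace App\Console\Commands;

use DateTimeImmutable;
use Illuminate\Console\Command;
use Illuminate\Support\Facades\Http;
use SplFileObject;

class CheckTrafficSpikes extends Command
{
    protected $signature = 'traffic:check
        {--log=/var/log/nginx/access.log : access log in combined format}
        {--threshold=300 : requests per IP within the window that alert}
        {--window=60 : window length in seconds}';

    protected $description = 'Alert on client IPs exceeding a request threshold';

    public function handle(): int
    {
        $lines = $this->tailLines((string) $this->option('log'), 50000);
        $offenders = self::countOffenders(
            $lines,
            (int) $this->option('threshold'),
            time() - (int) $this->option('window')
        );
        if ($offenders === []) {
            return self::SUCCESS;
        }

        $report = "Request spike on " . gethostname() . ":\n";
        foreach ($offenders as $ip => $count) {
            $report .= "{$ip}: {$count} requests\n";
        }
        $this->warn(rtrim($report));

        // Slack incoming webhooks accept {"text": "..."}; the URL is read
        // from config so it is never committed with the code.
        if ($url = config('services.slack.alert_webhook')) {
            Http::post($url, ['text' => rtrim($report)]);
        }
        return self::SUCCESS;
    }

    /**
     * Count requests per IP from combined-format lines whose timestamp is at
     * or after $sinceTs; unparseable lines are skipped. Returns [ip => count]
     * for IPs at or above $threshold, highest count first.
     */
    public static function countOffenders(array $lines, int $threshold, int $sinceTs): array
    {
        // Combined format begins: <ip> - <user> [dd/Mon/yyyy:HH:MM:SS +zzzz] "...
        $pattern = '/^(\S+) \S+ \S+ \[([^\]]+)\]/';
        $counts = [];
        foreach ($lines as $line) {
            if (!preg_match($pattern, $line, $m)) {
                continue;
            }
            $ts = DateTimeImmutable::createFromFormat('d/M/Y:H:i:s O', $m[2]);
            if ($ts === false || $ts->getTimestamp() < $sinceTs) {
                continue;
            }
            $counts[$m[1]] = ($counts[$m[1]] ?? 0) + 1;
        }
        $offenders = array_filter($counts, fn (int $c): bool => $c >= $threshold);
        arsort($offenders);
        return $offenders;
    }

    /** Read only the last $max lines so a large log is never loaded whole. */
    private function tailLines(string $path, int $max): array
    {
        if (!is_readable($path)) {
            $this->error("Cannot read {$path}");
            return [];
        }
        $file = new SplFileObject($path, 'r');
        $file->seek(PHP_INT_MAX);              // jump to the last line
        $start = max(0, $file->key() - $max);
        $lines = [];
        for ($file->seek($start); $file->valid(); $file->next()) {
            $line = rtrim((string) $file->current(), "\r\n");
            if ($line !== '') {
                $lines[] = $line;
            }
        }
        return $lines;
    }
}
```

The command reports the addresses Nginx saw; behind a CDN that is only meaningful once the real_ip module is configured as described in the Nginx section, otherwise every line carries the CDN's address and one "offender" is your own provider. The threshold here is a detection threshold, set above the rate limits so that it fires on abuse the throttles are already absorbing and tells you the attack is under way.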


✅ Conclusion

No single defense is bulletproof, but layered protection is your best bet.
Laravel’s rate limiting helps filter abuse, while server and infrastructure layers handle more serious floods.

By combining these strategies — middleware, firewalls, monitoring, and CDNs — your Laravel API will be resilient, stable, and ready for real-world traffic surges.


Pro-Tip: Don’t wait for an attack to happen. Simulate high traffic, monitor performance, and tune your defenses early.