Skip to content
DDoS Protection
Visit DDoS Protection on GitHub
Set theme to dark (⇧+D)

DDoS attack coverage

The DDoS Attack Protection Managed Rulesets provide protection against a variety of DDoS attacks across L3/4 (layers 3/4) and L7 of the OSI model. Cloudflare constantly updates these Managed Rulesets to improve the attack coverage, increase the mitigation consistency, cover new and emerging threats, and ensure cost-efficient mitigations.

As a general guideline, Cloudflare customers are protected up to the layer on which their service operates. For example, a WAF customer is protected against DDoS attacks on Layer 7 (HTTP/HTTPS) all the way down including L3/4 attacks.

The following table includes a sample of covered attack vectors:

OSI LayerRulesetExample of covered DDoS attack vectors
L3/4Network-layer DDoS Attack ProtectionUDP flood attack
SYN floods
SYN-ACK reflection attack
Fully randomized ACK floods
Mirai and Mirai-variant L3/4 attacks
ICMP flood attack
SNMP flood attack
QUIC flood attack
DNS amplification attack
Out of state TCP attacks
Protocol violation attacks
DNS amplification attack
SIP attacks
L7 (HTTP/HTTPS)HTTP DDoS Attack ProtectionHTTP flood attack
WordPress pingback attack
HULK attack
LOIC attack
Mirai and Mirai-variant HTTP attacks