DDoS attack coverage
The managed rulesets provide protection against a variety of DDoS attacks across L3/4 (layers 3/4) and L7 of the OSI model. Cloudflare constantly updates these managed rulesets to improve the attack coverage, increase the mitigation consistency, cover new and emerging threats, and ensure cost-efficient mitigations.
As a general guideline, Cloudflare customers are protected up to the layer on which their service operates. For example, a WAF customer is protected against DDoS attacks on Layer 7 (HTTP/HTTPS) and on every layer below it, including L3/4 attacks.
The following table includes a sample of covered attack vectors:
| OSI Layer | Ruleset / Feature | Example of covered DDoS attack vectors |
|---|---|---|
| L3/4 | | UDP flood attack; SYN-ACK reflection attack; Mirai and Mirai-variant L3/4 attacks; ICMP flood attack; SNMP flood attack; QUIC flood attack; Out of state TCP attacks; Protocol violation attacks; DNS amplification attack; DNS Garbage Flood; DNS NXDOMAIN flood; DNS Query flood. For more DNS protection options, refer to Getting additional DNS protection. |
| L3/4 | 1 | Fully randomized and spoofed ACK floods, SYN floods, SYN-ACK reflection attacks, and other sophisticated TCP-based DDoS attacks |
| L7 | Beta 1 | Sophisticated and fully randomized DNS attacks, including random-prefix attacks and DNS laundering attacks |
| L7 (HTTP/HTTPS) | | HTTP flood attack; WordPress pingback attack; Mirai and Mirai-variant HTTP attacks |
Getting additional DNS protection
The Network-layer DDoS Attack Protection managed ruleset provides protection against some types of DNS attacks.