Overview
The Advanced DDoS Protection system includes Advanced TCP Protection and Advanced DNS Protection. Both systems share the general settings described here, and each also has its own dedicated settings.
Advanced DDoS Protection systems are available to Magic Transit customers.
Protection against simpler TCP-based and DNS-based DDoS attacks is already included in the Network-layer DDoS Attack Protection managed ruleset.
General settings enable and control the use of the Advanced TCP Protection and Advanced DNS Protection systems. They consist of thresholds, prefixes, rules, and enablement.
Thresholds are based on your network's own traffic and are configured by Cloudflare. The sensitivity levels (High, Medium, and Low) adjust these thresholds.
When you first get access to the Advanced DDoS Protection systems, no thresholds are configured in your account.
Thresholds are derived from your network's individual traffic profile as monitored by Cloudflare. Defining them effectively determines what the High, Medium, and Low sensitivities mean for your specific case.
Ask your Implementation Manager to configure the initial threshold values. Separate thresholds must be configured for Advanced TCP Protection and for Advanced DNS Protection.
Once thresholds are configured, the Implementation Manager will let you know that Advanced DDoS Protection systems have been initialized and can be configured and enabled.
The prefixes that you have onboarded to Magic Transit and that Cloudflare has approved tell the system which traffic to route through it.
Add the prefixes you want to use with Advanced TCP and DNS Protection. You can register prefixes that you previously onboarded to Magic Transit, or a subset of those prefixes.
You cannot add unapproved prefixes to the Advanced DDoS Protection systems. Contact your account team for help with prefix approvals.
Create a rule for Advanced TCP Protection and for Advanced DNS Protection (as needed) to enable mitigation.
For example, you can create one rule for SYN Flood Protection and another for Out-of-state TCP Protection, both with global scope and in monitoring mode. These rules apply to all received packets. In monitoring mode the system reports what it would have mitigated without dropping any packets, which lets you validate the thresholds before switching a rule to mitigation mode.
Optionally, you can create filters for each protection system component (SYN Flood Protection and Out-of-state TCP Protection).
A filter overrides Advanced TCP Protection's execution mode (monitoring, mitigation (enabled), or disabled) for all incoming packets that match an expression.
Optionally, you can add source IPs or prefixes to the allowlist if traffic from those sources should bypass the Advanced DDoS Protection rules.
The allowlist applies only to source IPs; adding your own IPs or prefixes to it has no effect. Separately, you can exclude a subset of an onboarded prefix from Advanced TCP Protection.
Refer to Concepts for more information.
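The relationships above (registered prefixes must be subsets of approved prefixes, the allowlist matches source addresses only, exclusions carve a subset out of an onboarded prefix, and a matching filter overrides the mode of its rule) are easy to get wrong when planning a configuration. The following is an added worked model of those semantics written for this page; it is not Cloudflare's code and does not call the Cloudflare API. The component split in `classify`, the evaluation order in `decide`, and all sample prefixes and packets are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List

# Constructed model of the prefix, allowlist and rule/filter semantics described
# on this page. Not Cloudflare's implementation; no API calls are made.


def net(s: str):
    return ipaddress.ip_network(s, strict=False)


def validate_prefixes(approved: List[str], candidates: List[str]):
    """Split candidates into (accepted, rejected). A candidate is accepted only if
    it equals, or is a subset of, a prefix already onboarded and approved."""
    approved_nets = [net(p) for p in approved]
    accepted, rejected = [], []
    for c in candidates:
        n = net(c)
        # subnet_of() raises on mixed IP versions, so compare versions first
        ok = any(n.version == a.version and n.subnet_of(a) for a in approved_nets)
        (accepted if ok else rejected).append(c)
    return accepted, rejected


def ineffective_allowlist_entries(allowlist: List[str], onboarded: List[str]):
    """The allowlist matches source IPs only, so an entry that is one of your own
    onboarded prefixes (or inside one) does nothing for inbound attack traffic."""
    own = [net(p) for p in onboarded]
    return [a for a in allowlist
            if any(net(a).version == o.version and net(a).subnet_of(o) for o in own)]


@dataclass
class Filter:
    expression: Callable[[dict], bool]   # predicate over packet metadata
    mode: str                            # "monitoring", "mitigation" or "disabled"


@dataclass
class Rule:
    component: str                       # "syn_flood" or "out_of_state"
    mode: str
    filters: List[Filter] = field(default_factory=list)


@dataclass
class Policy:
    prefixes: List[str]      # prefixes registered with Advanced TCP Protection
    allowlist: List[str]     # source IPs/prefixes whose traffic bypasses the rules
    excluded: List[str]      # subsets of onboarded prefixes excluded from protection
    rules: List[Rule]


def classify(packet: dict) -> str:
    """Assumed split of work: a bare SYN goes to SYN flood protection; any other
    segment that does not belong to a tracked flow is out-of-state."""
    if packet["flags"] == "S":
        return "syn_flood"
    return "in_state" if packet["known_flow"] else "out_of_state"


def decide(policy: Policy, packet: dict) -> str:
    """Return the execution mode applied to one packet. The check order (registered
    prefix, exclusion, allowlist, filters before the rule's own mode) is an
    assumption of this model, not something the page states."""
    src = ipaddress.ip_address(packet["src"])
    dst = ipaddress.ip_address(packet["dst"])
    if not any(dst in net(p) for p in policy.prefixes):
        return "not_routed"            # not registered: never reaches the system
    if any(dst in net(p) for p in policy.excluded):
        return "excluded"
    if any(src in net(p) for p in policy.allowlist):
        return "bypass"                # allowlist is source-based only
    component = classify(packet)
    if component == "in_state":
        return "pass"
    rule = next((r for r in policy.rules if r.component == component), None)
    if rule is None:
        return "disabled"              # no rule for the component: no mitigation
    for f in rule.filters:             # first matching filter overrides the rule mode
        if f.expression(packet):
            return f.mode
    return rule.mode


# Constructed sample configuration (documentation prefixes only)
ONBOARDED = ["203.0.113.0/24", "2001:db8::/32"]
POLICY = Policy(
    prefixes=["203.0.113.0/25"],       # a subset of an onboarded prefix
    allowlist=["198.51.100.0/24"],
    excluded=["203.0.113.64/26"],
    rules=[
        Rule("syn_flood", "monitoring",
             filters=[Filter(lambda p: p["dport"] == 443, "mitigation")]),
        Rule("out_of_state", "monitoring"),
    ],
)

if __name__ == "__main__":
    print(validate_prefixes(ONBOARDED, ["203.0.113.0/25", "192.0.2.0/24"]))
    print(ineffective_allowlist_entries(["203.0.113.5/32"], ONBOARDED))
    pkt = {"src": "192.0.2.9", "dst": "203.0.113.10", "flags": "S",
           "dport": 443, "known_flow": False}
    print(decide(POLICY, pkt))
```

Running the script shows the SYN to port 443 hitting the filter's mitigation mode while a SYN to port 80 stays in the rule's monitoring mode, and it flags `203.0.113.5/32` as an allowlist entry that cannot match inbound sources because it lies inside your own onboarded prefix.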
Enable the Advanced DDoS Protection system to begin routing traffic through it.
- Log in to the Cloudflare dashboard and select your account.
- Go to L3/4 DDoS > Advanced Protection > General settings.
- Under General settings, toggle the feature status On.