Location-Aware DDoS Protection
Location-Aware DDoS Protection can detect and mitigate traffic that deviates from your site’s geo-distribution profile, which Cloudflare builds from legitimate traffic and keeps updating over time.
The geo-distribution profile is exposed as a rule in the HTTP DDoS Attack Protection Managed Ruleset that you can configure.
How it works
Cloudflare maps the source IP address of every request targeting your website to a client country and continent. With this information, Cloudflare updates internal counters for the number of legitimate (non-attack) requests to your zone per client country and client region. These counters are then used to calculate the 95th percentile (P95) requests-per-second rate for every client country and region using the rates from the past seven days.
Using these sources of information, Cloudflare builds a geo-distribution profile for your website, which is updated every 24 hours. Incoming traffic that deviates from your profile may be malicious.
View flagged traffic
To view traffic flagged by the geo-profiling rule:
- Log in to the , and select your account and website.
- Navigate to Security > Overview.
- Filter by
Service equals HTTP DDoSand
Rule ID equals a8c6333711ff4b0a81371d1c444be2c3.
Configure the geo-profiling rule
You can adjust the action and sensitivity of the geo-profiling rule. The default action is Log. You can use this action to first observe what traffic is flagged before deciding on a mitigation action.
- Rule ID:
Location-Aware DDoS Protection (Available only to Enterprise zones with Advanced DDoS service).