Skip to content
Cloudflare Docs

Network-layer DDoS Attack Protection

The Cloudflare Network-layer DDoS Attack Protection managed ruleset is a set of pre-configured rules used to match known DDoS attack vectors at levels 3 and 4 of the OSI model.

Cloudflare updates the list of rules in the managed ruleset on a regular basis. Refer to the changelog for more information on recent and upcoming changes.

The Network-layer DDoS Attack Protection managed ruleset is always enabled — you can only customize its behavior.

Ruleset configuration

You may need to adjust the behavior of specific rules in case of false positives or due to specific traffic patterns.

Adjust the behavior of the rules in the managed ruleset by modifying the following parameters:

  • The performed action when an attack is detected
  • The sensitivity level of attack detection mechanisms

To adjust rule behavior, use one of the following methods:

You can only configure the behavior of the managed ruleset to set a stronger or weaker mitigation action (depending on the default action of a specific rule, you can change it to Block if the default action is DDoS Dynamic or Log.), or a lower default sensitivity for all rules. Refer to Managed ruleset parameters for more information.

Overrides can apply to all packets or to a subset of incoming packets, depending on the override expression. Refer to Override expressions for more information.

Network Analytics rule display

Cloudflare regularly deploys new detection rules to the Network-layer DDoS managed ruleset. To ensure high accuracy and minimize false positives, these rules undergo a testing phase before they are fully promoted.

When a rule is in its testing phase, you may notice specific behaviors in the Cloudflare dashboard.

New rules often default to Log (visible in DDoS Managed Rules > Browse Rules). This allows Cloudflare to evaluate the rule's performance against real-world traffic without impacting legitimate packets.

In the Network Analytics dashboard, traffic matched by these testing-phase rules is labeled as Log (rule disabled). This is a reporting convention indicating the rule is in a pre-production monitoring state.

While you can manually override a rule from Log to Block, consider the following before doing so:

  • Rules in the testing phase have not yet been fully tuned for broad deployment. Overriding them to a mitigation action (like Block) may increase the risk of dropping legitimate traffic.

  • The default action of a rule is decided during the testing period. Cloudflare may set its default action to DDoS Dynamic, which may use rate-limiting or a multi-step mitigation combination based on traffic factors. By applying a manual Block override, you prevent your configuration from automatically inheriting the more nuanced DDoS Dynamic action once it is released.

If you choose to override a testing rule to mitigate an active attack, Cloudflare recommends reviewing that override periodically to see if the rule has been promoted to a permanent default action.

Availability

The Network-layer DDoS Attack Protection managed ruleset is available in all Cloudflare plans for:

However, only Magic Transit and Spectrum customers on an Enterprise plan can customize the managed ruleset.

Magic Transit customers can configure the following additional products:

  • Enable Advanced TCP Protection to detect and mitigate sophisticated out-of-state TCP attacks such as randomized and spoofed ACK floods or SYN and SYN-ACK floods.
  • Create custom Magic Firewall rules to block additional network-layer attacks.

Spectrum customers can use IP Access rules to block additional network-layer attacks.