Cloudflare Docs

DDoS Protection

Cloudflare Docs

DDoS Protection

Overview
Get started
About
How DDoS protection works
Main components
Attack coverage
Managed rulesets
HTTP DDoS Attack Protection
Configure in the dashboard
Configure via API
Configure using Terraform
Rule categories
Parameters
Override expressions
Network-layer DDoS Attack Protection
Configure in the dashboard
Configure via API
Configure using Terraform
Rule categories
Parameters
Override expressions
Adaptive DDoS Protection
Adjusting DDoS rules
Handle a false positive
Handle a false negative or an incomplete mitigation
Advanced TCP Protection
Setup
Concepts
How to
Add a prefix
Add an IP or prefix to the allowlist
Create a rule
Create a filter
Exclude a prefix
API configuration
Common API calls
JSON objects
Rule settings
Mitigation reasons
Advanced DNS Protection (beta)
Best practices
Third-party services and DDoS protection
Prevent DDoS attacks
Respond to DDoS attacks
Reference
Analytics
Reports
Alerts
Logs
Simulating test DDoS attacks
Changelog
Network-layer DDoS managed ruleset
Scheduled changes
2024-03-12
2023-07-31
2023-04-17
2022-12-02
2022-10-24
2022-10-06
2022-09-21
2022-09-16
2022-04-12
HTTP DDoS managed ruleset
Scheduled changes
2024-04-19
2024-04-16 - Emergency
2024-04-04 - Emergency
2024-04-02
2024-02-27
2024-02-26 - Emergency
2024-02-19
2024-02-12
2024-02-08 - Emergency
2024-02-06 - Emergency
2024-02-05 - Emergency
2024-01-26 - Emergency
2024-01-25
2024-01-23
2024-01-05
2023-12-19 - Emergency
2023-12-14 - Emergency
2023-12-08 - Emergency
2023-11-29
2023-11-22
2023-11-13 - Emergency
2023-11-10 - Emergency
2023-10-19
2023-10-11
2023-10-09 - Emergency
2023-09-24 - Emergency
2023-09-21 - Emergency
2023-09-05 - Emergency
2023-08-30 - Emergency
2023-08-29 - Emergency
2023-08-25 - Emergency
2023-08-16 - Emergency
2023-08-14
2023-08-11 - Emergency
2023-07-31
2023-07-17
2023-07-12 - Emergency
2023-07-07
2023-07-06
2023-06-28
2023-06-19
2023-06-16
2023-06-14 - Emergency
2023-06-06
2023-06-05 - Emergency
2023-05-26
2023-05-22
2023-05-16 - Emergency
2023-05-15 - Emergency
2023-05-02 - Emergency
2023-04-27 - Emergency
2023-04-21 - Emergency
2023-04-17
2023-04-03
2023-03-22
2023-03-10
2023-02-28 - Emergency
2023-02-20
2023-01-30
2022-12-07 - Emergency
2022-11-02 - Emergency
2022-10-14
2022-10-06 - Emergency
2022-09-19 - Emergency
2022-09-14
2022-09-13
2022-08-16
2022-08-10
2022-08-02
2022-07-18
2022-07-08
2022-07-06
2022-06-08
2022-06-01
2022-05-12
2022-05-03
2022-04-21
2022-04-12
2022-04-07

Mitigation reasons

The Advanced TCP Protection system applies mitigation actions for different reasons based on the connection states. The Mitigation reason field shown in the Advanced TCP Protection tab of the Network Analytics dashboard will contain more information on why a given packet was dropped by the system.

The connection states are the following:

New: A SYN or SYN-ACK packet has been sent to attempt to open a new connection.
Open: The three-way TCP handshake has been completed and the TCP connection is open.
Closing: A FIN or FIN-ACK packet has been seen attempting to close a connection.
Closed: The closing three-way handshake has been completed, or an RST packet has closed the connection.

The mitigation reasons are the following:

UNEXPECTED: Packet dropped because it was not expected given the current state of the TCP connection it was associated with.
CHALLENGE_NEEDED: Packet challenged because the system determined that the packet is most likely part of a packet flood.
CHALLENGE_PASSED: Packet dropped because it belongs to a solved challenge.
NOT_FOUND: Packet dropped because it is not part of an existing TCP connection and it is not establishing a new connection.
OUT_OF_SEQUENCE: Packet dropped because its properties (for example, TCP flags or sequence numbers) do not match the expected values for the existing connection.
ALREADY_CLOSED: Packet dropped because it belongs to a connection that is already closed.

Mitigation will only occur based on your Advanced TCP Protection configuration (rule sensitivities, configured allowlists and prefixes). The protection system will provide some tolerance to out-of-state packets to accommodate for the natural randomness of Internet routing.