Setup
In order to enable automatic mitigation of random prefix attacks:
-
Set up DNS Firewall.
-
Enable attack mitigation on your DNS Firewall cluster.
-
In the Cloudflare dashboard, go to the DNS Firewall Clusters page.
Go to Clusters -
Select the cluster you want to update, then select Edit.
-
Turn on Attack mitigation and choose whether Cloudflare should only mitigate attacks when the upstream is unhealthy.
-
Select Save.
Send a
PATCHrequest to update your DNS Firewall cluster:
At least one of the following token permissions is required:Required API token permissions
DNS Firewall Write
Update DNS Firewall Cluster curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dns_firewall/$DNS_FIREWALL_ID" \--request PATCH \--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \--json '{"attack_mitigation": {"enabled": true,"only_when_upstream_unhealthy": true}}' -
Once you turn on attack mitigation, Cloudflare returns a REFUSED response to queries that are part of a random prefix attack.