Cloudflare Docs
Learning Paths
Edit this page on GitHub
Set theme to dark (⇧+D)

DDoS Protection

  1 min read

Cloudflare automatically detects and mitigates DDoS attacks using its Autonomous Edge, which is always-on. Advanced protections are reserved for Magic Transit customers.

OSI LayerRuleset / FeatureExample of covered DDoS attack vectors
L3/4Network-layer DDoS Attack ProtectionUDP flood attack
SYN floods
SYN-ACK reflection attack
ACK floods
Mirai and Mirai-variant L3/4 attacks
ICMP flood attack
SNMP flood attack
QUIC flood attack
Out of state TCP attacks
Protocol violation attacks
SIP attacks
ESP flood
DNS amplification attack
DNS Garbage Flood
DNS NXDOMAIN flood
DNS Query flood

For more DNS protection options, refer to Getting additional DNS protection.
L3/4Advanced TCP Protection 1Fully randomized and spoofed ACK floods, SYN floods, SYN-ACK reflection attacks, and other sophisticated TCP-based DDoS attacks
L7Advanced DNS Protection Beta 1Sophisticated and fully randomized DNS attacks, including random-prefix attacks and DNS laundering attacks
L7 (HTTP/HTTPS)HTTP DDoS Attack ProtectionHTTP flood attack
WordPress pingback attack
HULK attack
LOIC attack
Slowloris attack
Mirai and Mirai-variant HTTP attacks

  1. Available to Magic Transit customers. ↩︎ ↩︎

Refer to the learning path Prevent DDoS Attaacks to dive deeper into this subject.