Dynamic threshold rule
A dynamic threshold rule (beta) will analyze a network's traffic patterns over time and automatically adjust the rule's DDoS threshold, in terms of bits or packets, based on traffic history. The total traffic across all IP prefixes and IP addresses in the rule is compared to the current value of the dynamic threshold. If the total traffic exceeds the dynamic threshold, then an alert is sent.
Dynamic thresholds are calculated using a statistical measure called Z-score ↗ (also referred to as standard score). Review How the dynamic rule threshold is calculated to learn more.
Customers that send NetFlow and/or sFlow data to Cloudflare can configure dynamic threshold rules.
A dynamic threshold rule can only be configured via Cloudflare's Magic Network Monitoring Rules API. Today, customers are unable to configure dynamic threshold rules in the Cloudflare dashboard.
| Field | Description |
|---|---|
| Rule name | Must be unique and cannot contain spaces. Supports characters A-Z, a-z, 0-9, underscore (_), dash (-), period (.), and tilde (~). Maximum of 256 characters. |
| Rule type | zscore |
| Target | Can be defined in either bits per second or packets per second. |
| Sensitivity | Z-Score sensitivity has three values: low, medium, and high. |
| Auto-advertisement | If you are a Magic Transit On Demand customer, you can enable this feature to automatically enable Magic Transit if the rule's dynamic threshold is triggered. To learn more and see an example, view the Auto-Advertisement section. |
| Rule IP prefix | The IP prefix associated with the rule for monitoring traffic volume. Must be a CIDR range such as 160.168.0.1/24. The maximum is 5,000 unique CIDR entries. To learn more and review an example, refer to the Rule IP prefixes. |
to review an example API configuration call using CURL and the expected output for a successful response, go to Magic Network Monitoring in developers.cloudflare.com/api/ and expand the Rules section.
Dynamic thresholds for this rule type are calculated using a statistical measure called Z-Score. The dynamic threshold for this rule will automatically adjust based on your traffic history as this rule uses statistical analysis to detect traffic anomalies. Z-Score is calculated by comparing short-term traffic patterns (five-minute time window) against long-term baselines (four-hour time window) .
Z-Score is calculated by using the following formula:
Z = (X - μ) / σX= Current traffic value.μ= Mean traffic value over the long window.σ= Standard deviation over the long window.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark