Cloudflare Docs

sFlow DDoS attack rule

Magic Network Monitoring customers that send sFlow data to Cloudflare can receive alerts when a specific type of distributed denial-of-service (DDoS) attack is detected within their network traffic. Magic Network Monitoring uses the same DDoS attack detection rules that protect Cloudflare's global network to generate these alerts.

Only customers that send sFlow data to Cloudflare can configure an sFlow DDoS attack rule.

You can only configure an sFlow DDoS attack rule via Cloudflare's API. The Cloudflare dashboard does not currently support configuring sFlow DDoS attack rules.

Send sFlow data from your network to Cloudflare

You can export sFlow data about your network traffic to Cloudflare via Magic Network Monitoring. Only specific brands and models of routers can generate sFlow data, so check your router's specifications to confirm that it can export sFlow data. To configure sFlow exports to Magic Network Monitoring, refer to Configure sFlow.

Rule configuration fields

| Field | Description |
| --- | --- |
| Rule name | Must be unique and cannot contain spaces. Supports characters A-Z, a-z, 0-9, underscore (_), dash (-), period (.), and tilde (~). Maximum of 256 characters. |
| Rule type | advanced_ddos |
| Prefix Match | The field prefix_match determines how IP matches are handled. Subnet (recommended): Automatically advertise if the attacked IPs are within a subnet of a public IP prefix that can be advertised by Magic Transit. Exact: Automatically advertise if the attacked IPs are an exact match with a public IP prefix that can be advertised by Magic Transit. Supernet: Automatically advertise if the attacked IPs are a supernet of a public IP prefix that can be advertised by Magic Transit. |
| Auto-advertisement | If you are a Magic Transit On Demand customer, you can enable this feature to automatically enable Magic Transit if the rule's dynamic threshold is triggered. To learn more, refer to Auto-advertisement. |
| Rule IP prefix | The IP prefix associated with the rule for monitoring traffic volume. Must be a Classless Inter-Domain Routing (CIDR) range such as 160.168.0.1/24. The maximum is 5,000 unique CIDR entries. To learn more and see an example, refer to Rule IP prefixes. |
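
A local pre-flight check for the fields listed above, added here as an example; it is not Cloudflare's code and does not call the API. The dict keys name, type and prefixes, the lowercase prefix_match values, and the reading of Subnet, Exact and Supernet as Python's subnet_of, == and supernet_of are assumptions to confirm against the Rules API documentation.

```python
import ipaddress
import re

# Allowed rule-name characters and length, as listed in the field table.
NAME_RE = re.compile(r"[A-Za-z0-9_.~-]{1,256}")
PREFIX_MATCH_MODES = {"subnet", "exact", "supernet"}  # value spellings are assumed
MAX_PREFIXES = 5000

# Constructed sample rule (key names other than prefix_match are assumptions).
SAMPLE_RULE = {
    "name": "edge_sflow-ddos.v1",
    "type": "advanced_ddos",
    "prefix_match": "subnet",
    "prefixes": ["160.168.0.1/24", "160.168.0.0/24", "2001:db8::/48"],
}


def validate_rule(rule):
    """Return a list of problems found in a rule dict (empty list means it passed)."""
    problems = []
    name = rule.get("name")
    if not isinstance(name, str) or not NAME_RE.fullmatch(name):
        problems.append("name: use only A-Z a-z 0-9 _ - . ~, 1 to 256 characters")
    if rule.get("type") != "advanced_ddos":
        problems.append("type: must be advanced_ddos")
    if rule.get("prefix_match") not in PREFIX_MATCH_MODES:
        problems.append("prefix_match: must be subnet, exact or supernet")
    unique = set()
    for cidr in rule.get("prefixes", []):
        try:
            # strict=False accepts set host bits, as in the page's 160.168.0.1/24
            unique.add(ipaddress.ip_network(cidr, strict=False))
        except ValueError:
            problems.append(f"prefixes: {cidr!r} is not a CIDR range")
    if len(unique) > MAX_PREFIXES:
        problems.append(f"prefixes: more than {MAX_PREFIXES} unique CIDR entries")
    return problems


def prefix_matches(mode, attacked, advertisable):
    """Apply one prefix_match mode to an attacked range and an advertisable prefix."""
    a = ipaddress.ip_network(attacked, strict=False)
    p = ipaddress.ip_network(advertisable, strict=False)
    if mode not in PREFIX_MATCH_MODES:
        raise ValueError(f"unknown prefix_match mode: {mode}")
    if a.version != p.version:
        return False
    # subnet_of/supernet_of also return True when both ranges are identical
    return {"exact": a == p, "subnet": a.subnet_of(p), "supernet": a.supernet_of(p)}[mode]
```

Running validate_rule on a rule before submitting it catches naming and CIDR mistakes locally, and prefix_matches lets you compare how each mode would treat a given attacked range against a prefix you advertise.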

API documentation

Refer to the Rules API documentation to review an example API configuration call using cURL and the expected output for a successful response.

Tune the sFlow DDoS alert thresholds

You can tune the thresholds of your sFlow DDoS alerts in the dashboard and via the Cloudflare API by following the Network-layer DDoS Attack Protection managed ruleset guide.