
Verify DDoS protection

After onboarding your IP prefixes to Magic Transit, verify that your DDoS protection layers are active and correctly configured. Magic Transit includes multiple mitigation systems that work together. For a description of each layer and the execution order, refer to DDoS protection.

Prerequisites

Before you start, make sure you have completed the following:

Verify DDoS managed rulesets

The network-layer DDoS managed ruleset is always enabled on IP prefixes onboarded to Magic Transit. You cannot turn it off, but you can customize the sensitivity level and action for individual rules.

To review your current configuration:

  1. In the Cloudflare dashboard, go to the L3/4 DDoS protection page.
  2. Select the Network-layer DDoS Protection tab.

If you have not deployed any overrides, the managed ruleset runs with default settings (High sensitivity, DDoS Dynamic action). This is the recommended configuration for most deployments.

Verify Advanced TCP and DNS Protection

Advanced TCP Protection and Advanced DNS Protection are automatically enabled in monitoring mode for new Magic Transit customers. In monitoring mode, the systems learn your traffic patterns and show what they would have mitigated without affecting live traffic.

To check the status of Advanced DDoS systems:

  1. In the Cloudflare dashboard, go to the L3/4 DDoS protection page.
  2. Go to Advanced Protection > General settings.
  3. Verify that the system is turned on and that your prefixes are listed.

To review individual protection rules:

  • For Advanced TCP Protection, go to Advanced Protection > Advanced TCP Protection. Check that SYN Flood Protection and Out-of-state TCP Protection rules exist and are set to the expected mode.
  • For Advanced DNS Protection, go to Advanced Protection > Advanced DNS Protection. Check that a DNS Protection rule exists.

Switch from monitoring to mitigation mode

After your Advanced DDoS systems have collected at least seven days of traffic data, Cloudflare calculates protection thresholds based on the 95th percentile of your traffic over that period. Thresholds are recalculated every 10 minutes.

To switch from monitoring to mitigation:

  1. Review your traffic in Network Analytics to confirm the systems are correctly identifying normal versus anomalous traffic.
  2. Go to the rule you want to update (SYN Flood, Out-of-state TCP, or DNS Protection).
  3. Change the rule mode from Monitoring to Mitigation (Enabled).
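The following Python is an added illustration, not Cloudflare's code or its actual threshold algorithm. It models only the two facts this section states (a threshold at the 95th percentile of seven days of traffic, recalculated every 10 minutes) and the difference between monitoring and mitigation mode, using constructed per-minute packet-rate samples. Names such as `build_history`, `current_threshold` and `evaluate`, and the 10-minute boundary logic, are the example's own assumptions.

```python
"""Simplified model of percentile-based thresholds and monitoring/mitigation mode.
Added illustration; it is not Cloudflare's implementation."""
import math
import random
from dataclasses import dataclass

# Assumption: only the two facts on the page are modelled (a 95th-percentile threshold
# over seven days of traffic, recalculated every 10 minutes). The real calculation is
# internal to Cloudflare.
WINDOW_MINUTES = 7 * 24 * 60      # seven days of one-minute samples
RECALC_INTERVAL_MINUTES = 10


def percentile(values, p):
    """Nearest-rank percentile: the smallest sample with at least p% of samples <= it."""
    if not values:
        raise ValueError("no samples")
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def mean_rate(values):
    return sum(values) / len(values)


def build_history(seed=1, normal_pps=50_000, jitter=0.2,
                  flood_start=1000, flood_minutes=30, flood_pps=5_000_000):
    """Constructed seven days of per-minute packet rates: steady traffic with one
    30-minute flood inside the window (sample data, not a real capture)."""
    rng = random.Random(seed)
    history = [int(normal_pps * (1 + rng.uniform(-jitter, jitter)))
               for _ in range(WINDOW_MINUTES)]
    for i in range(flood_minutes):
        history[flood_start + i] = flood_pps
    return history


def current_threshold(history, now, p=95):
    """Threshold in force at minute `now`: the p95 of the seven days ending at the
    most recent 10-minute recalculation boundary."""
    recalc_at = now - (now % RECALC_INTERVAL_MINUTES)
    window = history[max(0, recalc_at - WINDOW_MINUTES):recalc_at]
    if len(window) < WINDOW_MINUTES:
        raise ValueError("fewer than seven days of traffic collected; stay in monitoring mode")
    return percentile(window, p)


@dataclass
class Verdict:
    pps: int
    threshold: int
    action: str   # "allow", "log_would_mitigate" (monitoring) or "mitigate"


def evaluate(pps, threshold, mode):
    """Monitoring mode only records what would have been mitigated; mitigation mode acts."""
    if mode not in ("monitoring", "mitigation"):
        raise ValueError(f"unknown mode {mode!r}")
    if pps <= threshold:
        return Verdict(pps, threshold, "allow")
    return Verdict(pps, threshold,
                   "log_would_mitigate" if mode == "monitoring" else "mitigate")


if __name__ == "__main__":
    history = build_history()
    now = len(history)
    thr = current_threshold(history, now)
    print(f"p95 threshold: {thr} pps; mean over the same window: {mean_rate(history):.0f} pps")
    for mode in ("monitoring", "mitigation"):
        print(mode, evaluate(5_000_000, thr, mode).action)
```

Running it shows why a percentile rather than a mean is used as the baseline: the 30-minute flood inside the seven-day window lifts the mean well above normal traffic but leaves the p95 threshold inside the normal range, so the flood is still flagged (in monitoring mode) or mitigated (in mitigation mode) while ordinary traffic is allowed.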

Set up alerts

Configure DDoS alerts so you are notified when attacks are detected and mitigated:

  1. In the Cloudflare dashboard, go to the Notifications page.
  2. Select Add.
  3. Select Layer 3/4 DDoS Attack Alert. Enterprise accounts can select Advanced Layer 3/4 DDoS Attack Alert for additional filtering support.
  4. Configure your delivery method (email, webhook, or PagerDuty).

Magic Transit and Spectrum BYOIP customers automatically receive a weekly DDoS summary report by email every Tuesday. The report covers the previous Monday-to-Sunday period and includes total attacks, the largest attack by packets per second and bits per second, and total bytes mitigated.

Monitor with Network Analytics

Network Analytics is the primary dashboard for monitoring DDoS activity on your Magic Transit prefixes. It shows traffic entering and leaving the Cloudflare network, including traffic blocked by DDoS rules and Network Firewall rules.

To review DDoS activity:

  1. In the Cloudflare dashboard, go to the Network analytics page.
  2. Filter by mitigations applied to isolate traffic blocked by DDoS managed rulesets or Network Firewall rules.

You can also query DDoS analytics programmatically using the GraphQL Analytics API.
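As an added example (not Cloudflare's own code or documentation sample), the following Python sends a Network Analytics query to the GraphQL Analytics API and aggregates the returned bits and packets per mitigation type, so that a check like "what share of packets hit a mitigation in this window" can be scripted. The dataset and field names in the query (`ipFlows1mGroups`, `attackMitigationType`, `sum { bits packets }`, `datetime_geq`/`datetime_leq`) are written from the author's recollection of the schema and should be confirmed in the schema explorer; the `CF_API_TOKEN` and `CF_ACCOUNT_TAG` environment variable names, the helper function names and the embedded sample response are the example's own.

```python
"""Query Magic Transit DDoS mitigation totals from the Cloudflare GraphQL Analytics
API and summarise them per mitigation type. Added example, not Cloudflare's code."""
import json
import os
import urllib.request
from collections import defaultdict

GRAPHQL_ENDPOINT = "https://api.cloudflare.com/client/v4/graphql"

# Assumption: the dataset and field names (ipFlows1mGroups, attackMitigationType,
# sum.bits / sum.packets, datetime_geq / datetime_leq) are written from memory of the
# Network Analytics schema; confirm them in the GraphQL schema explorer before use.
QUERY = """
query MagicTransitMitigations($accountTag: string, $start: Time, $end: Time) {
  viewer {
    accounts(filter: { accountTag: $accountTag }) {
      ipFlows1mGroups(
        limit: 1000
        filter: { datetime_geq: $start, datetime_leq: $end }
        orderBy: [sum_packets_DESC]
      ) {
        dimensions { attackMitigationType }
        sum { bits packets }
      }
    }
  }
}
"""


def build_request(account_tag, start, end, api_token):
    """Build (but do not send) the POST request carrying the query and its variables."""
    body = json.dumps({
        "query": QUERY,
        "variables": {"accountTag": account_tag, "start": start, "end": end},
    }).encode()
    return urllib.request.Request(
        GRAPHQL_ENDPOINT, data=body, method="POST",
        headers={"Authorization": f"Bearer {api_token}",
                 "Content-Type": "application/json"},
    )


def fetch(account_tag, start, end, api_token):
    """Send the query and return the decoded JSON response."""
    with urllib.request.urlopen(build_request(account_tag, start, end, api_token)) as resp:
        return json.load(resp)


def summarize(response):
    """Aggregate bits and packets per mitigation type. Groups with an empty
    attackMitigationType are traffic that passed without mitigation."""
    if response.get("errors"):
        raise RuntimeError(f"GraphQL errors: {response['errors']}")
    totals = defaultdict(lambda: {"bits": 0, "packets": 0})
    for account in response["data"]["viewer"]["accounts"]:
        for group in account["ipFlows1mGroups"]:
            mtype = group["dimensions"].get("attackMitigationType") or "unmitigated"
            totals[mtype]["bits"] += group["sum"]["bits"]
            totals[mtype]["packets"] += group["sum"]["packets"]
    return dict(totals)


def mitigated_packet_share(summary):
    """Fraction of observed packets that hit a mitigation (0.0 when no traffic was seen)."""
    total = sum(v["packets"] for v in summary.values())
    if total == 0:
        return 0.0
    return 1 - summary.get("unmitigated", {"packets": 0})["packets"] / total


# Constructed response in the shape the API returns; the mitigation-type strings are
# placeholders, not real enum values.
SAMPLE_RESPONSE = {
    "data": {"viewer": {"accounts": [{"ipFlows1mGroups": [
        {"dimensions": {"attackMitigationType": "placeholder_managed_rule"},
         "sum": {"bits": 2_400_000_000, "packets": 3000}},
        {"dimensions": {"attackMitigationType": ""},
         "sum": {"bits": 640_000, "packets": 800}},
        {"dimensions": {"attackMitigationType": "placeholder_tcp_protection"},
         "sum": {"bits": 500_000_000, "packets": 1000}},
        {"dimensions": {"attackMitigationType": ""},
         "sum": {"bits": 160_000, "packets": 200}},
    ]}]}},
    "errors": None,
}

if __name__ == "__main__":
    token = os.environ.get("CF_API_TOKEN")
    if token:
        resp = fetch(os.environ["CF_ACCOUNT_TAG"], "2024-01-01T00:00:00Z",
                     "2024-01-02T00:00:00Z", token)
    else:
        resp = SAMPLE_RESPONSE  # offline run against the constructed sample
    summary = summarize(resp)
    for mtype, v in sorted(summary.items(), key=lambda kv: -kv[1]["packets"]):
        print(f"{mtype:28} {v['packets']:>10} packets {v['bits']:>14} bits")
    print(f"mitigated share of packets: {mitigated_packet_share(summary):.1%}")
```

Without `CF_API_TOKEN` set the script summarises the embedded sample; with a token (an API token scoped to account analytics read) and the account tag exported, it queries the chosen window for real. The `summarize` function fails loudly on a response carrying `errors`, which is the safer behaviour for a script that feeds a dashboard or a scheduled check.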

Test your DDoS protection

You can simulate DDoS attacks against your own Magic Transit-protected IP prefixes to verify that detection and mitigation work as expected. You do not need permission from Cloudflare to test against your own properties.

For guidance on testing, refer to Simulate test DDoS attacks.