DDoS L7 Attack Mitigation (Beta)
Cloudflare provides protection against DDoS L7 attacks through several mitigation systems and rules. The HTTP DDoS Managed Ruleset contains a subset of these rules. This Managed Ruleset is enabled by default for all customers, regardless of their Cloudflare plan, and provides protection against a broad range of DDoS attack vectors.
The Cloudflare HTTP DDoS Managed Ruleset
The Cloudflare HTTP DDoS Managed Ruleset is a set of pre-configured rules used to match known DDoS attack vectors at the application layer on the edge, like the following:
- Requests causing large amounts of origin errors
- Excessive traffic hitting origin
- Excessive traffic hitting cache
- Abuse of search features and authentication endpoints
- Other attack vectors
Cloudflare updates the list of rules in the Managed Ruleset on a regular basis.
The Cloudflare HTTP DDoS Managed Ruleset provides users with increased observability into layer 7 DDoS attacks mitigated by Cloudflare, informing users of ongoing or past attacks. The Firewall dashboard, available at Firewall > Overview, will display additional information on the types of layer 7 DDoS attacks detected for a specific zone.
You can adjust the behavior of the rules in the Managed Ruleset using overrides. Use overrides to modify:
- The performed action when an attack is detected
- The sensitivity of attack detection mechanisms
Note: Certain actions or sensitivity levels may not be available to all Cloudflare plans.
The Cloudflare HTTP DDoS feature is available in Beta to all Enterprise customers. If you would like Beta access, contact your Customer Success Manager or Account Team.