Mitigation examples

Rate limit suspicious logins with leaked credentials

Create a rate limiting rule using account takeover (ATO) detection and leaked credentials fields to limit volumetric attacks from particular IP addresses, JA4 Fingerprints, or countries.

The following example rule applies rate limiting to requests with a specific ATO detection ID (corresponding to Observes all login traffic to the zone) that contain a previously leaked username and password:

When incoming requests match:
(any(cf.bot_management.detection_ids[*] eq 201326593 and cf.waf.credential_check.username_and_password_leaked))

With the same characteristics: IP

When rate exceeds:

Requests: 5
Period: 1 minute

Challenge requests containing leaked credentials

Create a custom rule that challenges requests containing a previously leaked set of credentials (username and password).

Expression: If you use the Expression Builder, configure the following expression:

Field Operator Value
User and Password Leaked equals True

If you use the Expression Editor, enter the following expression:
```
(cf.waf.credential_check.username_and_password_leaked)
```
Action: Managed Challenge

Field	Operator	Value
User and Password Leaked	equals	True

Cloudflare Dashboard Discord Community Learning Center Support Portal

Cookie Settings