Attack coverage
The DDoS Attack Protection managed rulesets provide protection against a variety of DDoS attacks across L3/4 (layers 3/4) and L7 of the OSI model. Cloudflare constantly updates these managed rulesets to improve the attack coverage, increase the mitigation consistency, cover new and emerging threats, and ensure cost-efficient mitigations.
Advanced TCP Protection and Advanced DNS Protection, available to Magic Transit customers, provide additional protection against sophisticated TCP-based DDoS attacks and sophisticated and fully randomized DNS attacks, respectively.
As a general guideline, different Cloudflare products operate at different layers of the open systems interconnection (OSI) model, and you are protected up to the layer at which your service operates. You can customize the DDoS settings for the layer at which you onboarded. For example, since the CDN/WAF service is a Layer 7 (HTTP/HTTPS) service, Cloudflare provides protection from DDoS attacks at L7 and below, including L3/4 attacks.
The following table includes a sample of covered attack vectors:
OSI Layer | Ruleset / Feature | Example of covered DDoS attack vectors |
---|---|---|
L3/4 | Network-layer DDoS Attack Protection | UDP flood attack, SYN floods, SYN-ACK reflection attack, ACK floods, Mirai and Mirai-variant L3/4 attacks, ICMP flood attack, SNMP flood attack, QUIC flood attack, out-of-state TCP attacks, protocol violation attacks, SIP attacks, ESP flood, DNS amplification attack, DNS garbage flood, DNS NXDOMAIN flood, DNS query flood, RST flood, NetBIOS DDoS attacks, mDNS DDoS attacks, VxWorks DDoS attacks, BitTorrent reflection attack, Memcached amplification attacks, CHARGEN reflection attacks, Ubiquiti reflection attacks, Lantronix reflection attacks, SSDP reflection attacks, MSSQL reflection attacks, DTLS amplification attacks, Quote of the Day (QOTD) reflection attacks, TeamSpeak 3 floods, Jenkins amplification attacks, GRE floods, SPSS reflection attacks, carpet bombing attacks. For more DNS protection options, refer to Getting additional DNS protection. |
L3/4 | Advanced TCP Protection 1 | Fully randomized and spoofed ACK floods, SYN floods, SYN-ACK reflection attacks, and other sophisticated TCP-based DDoS attacks. |
L7 (DNS) | Advanced DNS Protection 1 | Sophisticated and fully randomized DNS attacks, including water torture attacks, random-prefix attacks, and DNS laundering attacks. |
L7 (HTTP/S) | HTTP DDoS Attack Protection | HTTP flood attack, WordPress pingback attack, HULK attack, LOIC attack, Slowloris attack, Mirai and Mirai-variant HTTP attacks, HTTP/2 Rapid Reset, HTTP CONTINUATION flood, cache-busting attacks, known DDoS botnets, TLS/SSL negotiation attacks, TLS/SSL exhaustion attacks, carpet bombing attacks. |
Getting additional DNS protection
The Network-layer DDoS Attack Protection managed ruleset provides protection against some types of DNS attacks.
Magic Transit customers have access to Advanced DNS Protection (Beta). Other customers might consider the following options:
- Use Cloudflare as your authoritative DNS provider (primary DNS or secondary DNS).
- If you are running your own nameservers, use DNS Firewall to get additional protection against DNS attacks like random prefix attacks.
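The random-prefix (water torture) attacks mentioned in the table and in the option above have a recognisable shape in authoritative-server query logs: a flood of never-before-seen hostnames under one zone, most of them answered NXDOMAIN. The script below is an added example of a defender-side check for that pattern; it is not Cloudflare code and does not describe how Advanced DNS Protection or DNS Firewall work internally. The log format (`client zone qname rcode`), the sample lines and the thresholds are all constructed for the illustration.

```python
"""Flag DNS zones whose query mix looks like a random-prefix (water torture) flood.

Added illustration, not Cloudflare code. Log format, sample lines and thresholds
are constructed for the example and would need tuning against real traffic.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log, one query per line: "<client_ip> <zone> <qname> <rcode>".
# example.com sees ordinary repeated lookups; example.org sees unique random labels.
SAMPLE_LOG = """\
10.0.0.5 example.com www.example.com NOERROR
10.0.0.6 example.com mail.example.com NOERROR
10.0.0.5 example.com www.example.com NOERROR
10.0.0.7 example.com api.example.com NOERROR
10.0.0.8 example.com www.example.com NOERROR
198.51.100.7 example.org x9k2q1vb.example.org NXDOMAIN
198.51.100.8 example.org p0a8dz3m.example.org NXDOMAIN
198.51.100.9 example.org qz7w1kd4.example.org NXDOMAIN
198.51.100.10 example.org m3nf8xr2.example.org NXDOMAIN
198.51.100.11 example.org t6ju9hcl.example.org NXDOMAIN
198.51.100.12 example.org www.example.org NOERROR
"""


@dataclass
class ZoneStats:
    """Per-zone counters accumulated from the log."""
    queries: int = 0
    nxdomain: int = 0
    qnames: set = field(default_factory=set)   # distinct names asked for
    clients: set = field(default_factory=set)  # distinct source addresses

    @property
    def distinct_ratio(self) -> float:
        """Fraction of queries that asked for a name not seen before in this window."""
        return len(self.qnames) / self.queries if self.queries else 0.0

    @property
    def nxdomain_ratio(self) -> float:
        """Fraction of queries that produced NXDOMAIN."""
        return self.nxdomain / self.queries if self.queries else 0.0


def parse_log(text: str) -> dict:
    """Aggregate the constructed log format into ZoneStats keyed by zone."""
    stats = defaultdict(ZoneStats)
    for line in text.splitlines():
        if not line.strip():
            continue
        client, zone, qname, rcode = line.split()
        s = stats[zone]
        s.queries += 1
        s.qnames.add(qname.lower())
        s.clients.add(client)
        if rcode == "NXDOMAIN":
            s.nxdomain += 1
    return dict(stats)


def flag_random_prefix(stats: dict, min_queries: int = 5,
                       distinct_threshold: float = 0.8,
                       nxdomain_threshold: float = 0.8) -> list:
    """Return zones where nearly every query is a fresh name and nearly every answer is NXDOMAIN.

    Both conditions must hold: a zone with many legitimate unique hostnames has a high
    distinct ratio but a low NXDOMAIN ratio, and a zone under a plain NXDOMAIN flood of
    a few fixed names has the opposite profile.
    """
    flagged = []
    for zone, s in stats.items():
        if s.queries < min_queries:
            continue  # too little data to judge
        if s.distinct_ratio >= distinct_threshold and s.nxdomain_ratio >= nxdomain_threshold:
            flagged.append(zone)
    return sorted(flagged)


def analyze(text: str):
    """Parse a log window and return (per-zone stats, flagged zones)."""
    stats = parse_log(text)
    return stats, flag_random_prefix(stats)


if __name__ == "__main__":
    stats, flagged = analyze(SAMPLE_LOG)
    for zone, s in sorted(stats.items()):
        print(f"{zone}: queries={s.queries} distinct={s.distinct_ratio:.2f} "
              f"nxdomain={s.nxdomain_ratio:.2f} clients={len(s.clients)}")
    print("flagged:", flagged)
```

On the constructed sample, example.org is flagged (six queries, all distinct, five NXDOMAIN) while example.com is not (five queries, three distinct names, no NXDOMAIN). The `clients` count is reported but deliberately not used for the decision, because these floods arrive through many open resolvers rather than from one address, which is also why per-client rate limiting on its own does little against them.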