Skip to content

Attack coverage

The DDoS Attack Protection managed rulesets provide protection against a variety of DDoS attacks across L3/4 (layers 3/4) and L7 of the OSI model. Cloudflare constantly updates these managed rulesets to improve the attack coverage, increase the mitigation consistency, cover new and emerging threats, and ensure cost-efficient mitigations.

Advanced TCP Protection and Advanced DNS Protection, available to Magic Transit customers, provide additional protection against sophisticated TCP-based DDoS attacks and sophisticated and fully randomized DNS attacks, respectively.

As a general guideline, various Cloudflare products operate on different open systems interconnection (OSI) layers and you are protected up to the layer on which your service operates. You can customize the DDoS settings on the layer in which you onboarded. For example, since the CDN/WAF service is a Layer 7 (HTTP/HTTPS) service, Cloudflare provides protection from DDoS attacks on L7 downwards, including L3/4 attacks.

The following table includes a sample of covered attack vectors:

OSI LayerRuleset / FeatureExample of covered DDoS attack vectors
L3/4Network-layer DDoS Attack ProtectionUDP flood attack
SYN floods
SYN-ACK reflection attack
ACK floods
Mirai and Mirai-variant L3/4 attacks
ICMP flood attack
SNMP flood attack
QUIC flood attack
Out of state TCP attacks
Protocol violation attacks
SIP attacks
ESP flood
DNS amplification attack
DNS Garbage Flood
DNS NXDOMAIN flood
DNS Query flood
RST flood
NetBios DDoS attacks
mDNS DDoS attacks
VxWorks DDoS attacks
BitTorrent reflection attack
Memcached amplification attacks
CHARGEN reflection attacks
Ubiquity reflection attacks
Lantronix reflection attacks
SSDP reflection attacks
MSSQL reflection attacks
DTLS amplification attacks
Quote of the Day (QOTD) reflection attacks
TeamSpeak 3 floods
Jenkins amplification attacks
GRE floods
SPSS reflection attacks
Carpet Bombing attacks

For more DNS protection options, refer to Getting additional DNS protection.
L3/4Advanced TCP Protection 1Fully randomized and spoofed ACK floods, SYN floods, SYN-ACK reflection attacks, and other sophisticated TCP-based DDoS attacks
L7 (DNS)Advanced DNS Protection 1Sophisticated and fully randomized DNS attacks, including Water Torture attacks, Random-prefix attacks, and DNS laundering attacks.
L7 (HTTP/S)HTTP DDoS Attack ProtectionHTTP flood attack
WordPress pingback attack
HULK attack
LOIC attack
Slowloris attack
Mirai and Mirai-variant HTTP attacks
HTTP/2 Rapid Reset
HTTP Continuation flood
Cache busting attacks
Known DDoS botnets
TLS/SSL negotiation attacks
TLS/SSL exhaustion attacks
Carpet Bombing attacks

Footnotes

  1. Available to Magic Transit customers. 2

Getting additional DNS protection

The Network-layer DDoS Attack Protection managed ruleset provides protection against some types of DNS attacks.

Magic Transit customers have access to Advanced DNS Protection Beta . Other customers might consider the following options:

  • Use Cloudflare as your authoritative DNS provider (primary DNS or secondary DNS).
  • If you are running your own nameservers, use DNS Firewall to get additional protection against DNS attacks like random prefix attacks.