Cloudflare Docs

Adaptive DDoS Protection

Adaptive DDoS Protection learns your unique traffic patterns and adapts to them to provide better protection against sophisticated DDoS attacks on layer 7 and layers 3/4, depending on your subscribed Cloudflare services.

Adaptive DDoS Protection provides the following types of protection:

  • Adaptive DDoS Protection for Origins: Detects and mitigates traffic that deviates from your site's origin errors profile.
  • Adaptive DDoS Protection for User-Agents: Detects and mitigates traffic that deviates from the top User Agents seen by Cloudflare on the network. The User Agent profile is built from the entire Cloudflare network and not only from the customer's zone.
  • Adaptive DDoS Protection for Locations: Detects and mitigates traffic that deviates from your site’s geo-distribution profile. The profile is calculated from the rate for every client country and region, using the rates from the past seven days.
  • Adaptive DDoS Protection for Protocols: Detects and mitigates traffic that deviates from your traffic’s IP protocol profile. The profile is calculated as a global rate for each of your prefixes.

Availability

Cloudflare Adaptive DDoS Protection is available to Enterprise customers according to the following table:

Feature                          Profiling dimension                       WAF/CDN¹   Magic Transit / Spectrum BYOIP²
HTTP Adaptive DDoS Protection
  For Origins                    Origin errors                             Yes        -
  For User-Agents                User Agent (entire Cloudflare network)    Yes        -
  For Locations                  Client IP country and region              Yes        -
L3/4 Adaptive DDoS Protection
  For Protocols                  IP protocol                               -          Yes
  For Protocols                  Client IP country and region for UDP      -          Yes

¹ WAF/CDN customers on the Enterprise plan with the Advanced DDoS Protection subscription.
² Magic Transit and Spectrum BYOIP customers on an Enterprise plan.

How it works

Adaptive DDoS Protection creates a traffic profile by looking at the maximum rates of traffic every day for the past seven days. These profiles are recalculated every day, keeping the seven-day time window. Adaptive DDoS Protection stores the maximum traffic rates seen for every predefined dimension value (the profiling dimension varies for each rule). Every profile uses one dimension, such as the source country of the request, the user agent, or the IP protocol. Incoming traffic that deviates from your profile may be malicious.

To eliminate outliers, rate calculations only consider the 95th percentile rates (discarding the top 5% of the highest rates). Cloudflare requires a minimum number of requests per second (rps) to build traffic profiles. HTTP Adaptive DDoS Protection rules also take into account Cloudflare’s Machine Learning (ML) models to identify traffic that is likely automated.
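As an added illustration (not Cloudflare's code; the real profiling logic is not published), the following Python models the profile construction described above: a per-day 95th-percentile rate for each dimension value over a seven-day window, a minimum rate before a value is profiled at all, and a deviation check against the learned baseline. The MIN_RPS value, the deviation multiplier, the country codes and the sample rates are assumptions made for the example.

```python
MIN_RPS = 50          # assumed minimum rate needed before a value is profiled
WINDOW_DAYS = 7       # seven-day window, as the page states
PERCENTILE = 0.95     # keep the 95th-percentile rate, discard the top 5%


def p95_rate(samples):
    """95th-percentile of a day's per-second rates: the top 5% are treated as outliers."""
    ordered = sorted(samples)
    idx = int(PERCENTILE * (len(ordered) - 1))
    return ordered[idx]


def build_profile(daily_samples):
    """daily_samples: {dimension_value: [[rates of day 1], ..., [rates of day N]]}.
    Returns {dimension_value: baseline_rate}, the highest daily p95 rate in the
    last WINDOW_DAYS days. Days whose traffic never reaches MIN_RPS are skipped."""
    profile = {}
    for value, days in daily_samples.items():
        window = days[-WINDOW_DAYS:]
        daily_rates = [p95_rate(d) for d in window if d and max(d) >= MIN_RPS]
        if daily_rates:
            profile[value] = max(daily_rates)
    return profile


def deviates(profile, value, observed_rps, factor=2.0):
    """Flag an observed rate that exceeds the baseline by `factor` (assumed
    multiplier; the page states none). A value with no profile has baseline 0,
    so it is flagged once it exceeds MIN_RPS (also an assumption)."""
    baseline = profile.get(value, 0.0)
    return observed_rps > max(baseline * factor, MIN_RPS)


# Constructed sample: eight days of per-second rates for two client countries.
# "US" runs at 100-106 rps with one 400 rps spike per day (the outlier the p95
# trimming is meant to drop); "XX" (placeholder code) never reaches MIN_RPS.
SAMPLE = {
    "US": [[100 + (i % 7) for i in range(60)] + [400]] * 8,
    "XX": [[10, 12, 11, 9, 10]] * 8,
}

if __name__ == "__main__":
    prof = build_profile(SAMPLE)
    print(prof)                          # the 400 rps spike does not inflate the baseline
    print(deviates(prof, "US", 150))     # within 2x of baseline: not flagged
    print(deviates(prof, "US", 300))     # well above baseline: flagged
    print(deviates(prof, "XX", 80))      # unprofiled country above MIN_RPS: flagged
```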

Cloudflare may change the logic of these protection rules from time to time to improve them. Any rule changes will appear in the Managed rulesets changelog page.

DDoS protection based on the origin HTTP error rate

Cloudflare’s network is built to automatically monitor and mitigate large DDoS attacks. Cloudflare also helps mitigate smaller DDoS attacks, based on the following general rules:

  • For zones on any plan, Cloudflare will apply mitigations when the HTTP error rate is above the High (default) sensitivity level of 1,000 errors-per-second rate threshold. You can decrease the sensitivity level by configuring the HTTP DDoS Attack Protection managed ruleset.
  • For zones on Pro, Business, and Enterprise plans, Cloudflare performs an additional check for better detection accuracy: the errors-per-second rate must also be at least five times the normal origin traffic levels before applying DDoS mitigations.

Cloudflare determines the error rate based on all HTTP errors in the 52X range (Internal Server Error) and in the 53X range, except for error 530. Currently, for DDoS mitigations based on HTTP error rate, you cannot exclude specific HTTP error codes.
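The two-part trigger above, as an added example (not Cloudflare's code): it counts the errors in one second of origin responses using the 52X/53X-except-530 rule, applies the High-sensitivity threshold of 1,000 errors per second, and applies the additional five-times-normal check only for Pro, Business and Enterprise zones. The plan names, the `normal_eps` input and the constructed status-code sample are assumptions.

```python
HIGH_SENSITIVITY_EPS = 1000   # High (default) sensitivity: mitigate above this rate
MULTIPLIER = 5                # extra check: at least 5x the normal origin error rate
PLANS_WITH_RATIO_CHECK = frozenset({"pro", "business", "enterprise"})  # assumed names


def is_counted_error(status):
    """Errors that count toward the rate: 52X and 53X, except 530."""
    return 520 <= status <= 529 or 531 <= status <= 539


def errors_per_second(statuses):
    """Number of counted errors in one second's worth of origin status codes."""
    return sum(1 for s in statuses if is_counted_error(s))


def should_mitigate(statuses, normal_eps, plan, threshold=HIGH_SENSITIVITY_EPS):
    """Decision for one second of traffic.
    statuses:   origin HTTP status codes observed in that second
    normal_eps: the zone's normal errors-per-second level (assumed to be known)
    plan:       zone plan; Pro/Business/Enterprise also require eps >= 5x normal"""
    eps = errors_per_second(statuses)
    if eps <= threshold:                 # rate must be *above* the threshold
        return False
    if plan in PLANS_WITH_RATIO_CHECK:
        return eps >= MULTIPLIER * normal_eps
    return True


# Constructed sample second: 1,200 counted errors (524), 300 excluded 530s,
# and 2,000 successful responses.
SAMPLE_SECOND = [524] * 1200 + [530] * 300 + [200] * 2000

if __name__ == "__main__":
    print(errors_per_second(SAMPLE_SECOND))                      # 530s are not counted
    # Same burst, different baselines: a zone that normally sees 300 eps is
    # protected from a false positive on Pro+ but not on the threshold alone.
    for plan in ("free", "pro"):
        for normal in (100, 300):
            print(plan, normal, should_mitigate(SAMPLE_SECOND, normal, plan))
```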

For more information on the types of DDoS attacks covered by Cloudflare's DDoS protection, refer to DDoS attack coverage.


View flagged traffic

To view traffic flagged by HTTP Adaptive DDoS Protection rules:

  1. Log in to the Cloudflare dashboard, and select your account and website.
  2. Go to Security > Events.
  3. Filter by Service equals HTTP DDoS and by rule ID.

To view traffic flagged by L3/4 Adaptive DDoS Protection rules:

  1. Log in to the Cloudflare dashboard and select your account.
  2. Go to Account Home > Analytics & Logs > Network Analytics.
  3. Filter by rule ID.

You may also obtain information about flagged traffic through Logpush or the GraphQL API.

To determine whether an adaptive rule fits your traffic in a way that will only mitigate attack traffic and will not cause false positives, review the traffic that the adaptive rules flag with the Log action.

If you do see traffic logged by the adaptive rules, use the dashboard to determine whether it matches the characteristics of legitimate users or of attack traffic. As each Internet property is unique, judging whether the traffic is legitimate requires your own understanding of what your legitimate traffic looks like: for example, the user agent, source country, headers, and query string for HTTP requests, and the protocols and ports for L3/4 traffic.

  • In cases where you are certain that the rule is only flagging attack traffic, you should consider creating an override and enabling that rule with a Managed Challenge or Block action.
  • In cases where you see legitimate traffic being flagged, you should lower the sensitivity level of the rule and observe the flagged traffic. You can continue reducing the sensitivity level until you reach a point where legitimate traffic is not flagged. Then, you should create an override to enable the rule with a mitigation action.
  • If the rule is still flagging legitimate traffic, consider using the expression filters to exclude certain types of traffic from the rule.

With the default Log action and the sensitivity set to High, only packets or requests that exceed the internal High threshold (that is, suspected attack traffic) appear in your logs. Likewise, if you set the sensitivity to Medium or Low, only packets or requests that exceed those thresholds are logged.

Configure the rules

You can adjust the action and sensitivity of the Adaptive DDoS Protection rules. The default action is Log. Use this action to first observe what traffic is flagged before deciding on a mitigation action.

To configure a rule, refer to the instructions in the following pages:

For more information on the available configuration parameters, refer to the following pages: