You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
4.[Advanced DNS Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection/)
27
27
28
-
The DDoS Managed Ruleset includes many individual rules. Each rule provides the heuristics that instructs the system how to identify DDoS attack traffic. When the DDoS Managed Ruleset identifies an attack, it will generate a real-time fingerprint to match against the attack traffic, and install an ephemeral mitigation rule to mitigate the attack using that fingerprint.
28
+
The DDoS managed ruleset includes many individual rules. Each rule provides the heuristics that instructs the system how to identify DDoS attack traffic. When the DDoS managed ruleset identifies an attack, it will generate a real-time fingerprint to match against the attack traffic, and install an ephemeral mitigation rule to mitigate the attack using that fingerprint.
29
29
30
30
The start time of the attack is when the mitigation rule is installed. The attack ends when there is no more traffic matching the rule. This is a single DDoS attack event.
31
31
32
-
A DDoS attack therefore has a start time, end time, and additional attack metadata such as:
32
+
A DDoS attack has a start time, end time, and additional attack metadata such as:
33
33
34
-
1. Attack ID
35
-
2. Attack vector
36
-
3. Mitigating rule
37
-
4. Total bytes and packets
38
-
5. Attack target
39
-
6. Mitigation action
34
+
- Attack ID
35
+
- Attack vector
36
+
- Mitigating rule
37
+
- Total bytes and packets
38
+
- Attack target
39
+
- Mitigation action
40
40
41
41
This information is used to populate the [Executive Summary](/analytics/network-analytics/understand/main-dashboard/#executive-summary) section in the [Network Analytics](/analytics/network-analytics/) dashboard.
42
42
43
43
It can also be retrieved via GraphQL API using the `dosdAttackAnalyticsGroups` node.
44
44
45
-
Currently, the concept of a DDoS attack event only exists for the Network-layer DDoS Managed Ruleset. There is no such grouping of individual packets, queries, or HTTP requests for the other systems, although we plan to implement it.
45
+
Currently, the concept of a DDoS attack event only exists for the [Network-layer DDoS managed ruleset](/ddos-protection/managed-rulesets/network/). There is no such grouping of individual packets, queries, or HTTP requests for the other systems yet.
46
46
47
47
---
48
48
@@ -86,7 +86,7 @@ Yes. Using our anycast network, along with Traffic Manager, Unimog, and Plurimog
86
86
87
87
## Where can I see latest DDoS trends?
88
88
89
-
Cloudflare publishes quarterly DDoS reports and coverage of signficant DDoS attacks. The publications are available on our [blog website](https://blog.cloudflare.com/tag/ddos-reports/) and as interactive reports on the [Cloudflare Radar Reports website](https://radar.cloudflare.com/reports?q=DDoS).
89
+
Cloudflare publishes quarterly DDoS reports and coverage of significant DDoS attacks. The publications are available on our [blog website](https://blog.cloudflare.com/tag/ddos-reports/) and as interactive reports on the [Cloudflare Radar Reports website](https://radar.cloudflare.com/reports?q=DDoS).
90
90
91
91
Learn more about the [methodologies](/radar/reference/quarterly-ddos-reports/) behind these reports.
92
92
@@ -110,17 +110,60 @@ These tools and attacks exploit different aspects of network protocols and behav
110
110
111
111
---
112
112
113
-
## Can I exclude a specific user agent from the HTTP DDoS protection?
113
+
## Can I exclude specific user agents from HTTP DDoS protection?
114
114
115
115
Yes, you can create an [override](/ddos-protection/managed-rulesets/http/override-expressions/) and use the expression fields to match against HTTP requests with the user agent. There are a variety of [fields](/ddos-protection/managed-rulesets/http/override-expressions/#available-expression-fields) that you can use.
116
116
117
117
You can then adjust the [sensitivity level](/ddos-protection/managed-rulesets/http/override-parameters/#sensitivity-level) or [mitigation action](/ddos-protection/managed-rulesets/http/override-parameters/#action).
118
118
119
119
Refer to the guide on how to [create an override](/ddos-protection/managed-rulesets/http/configure-dashboard/#create-a-ddos-override).
120
120
121
-
The use of expression fields is subject to [availability](#availability).
121
+
The use of expression fields is subject to [availability](/ddos-protection/#availability).
122
+
123
+
---
122
124
123
125
## Does Cloudflare charge for DDoS attack traffic?
124
126
125
127
No. Since 2017, Cloudflare offers [free, unmetered, and unlimited DDoS protection](https://blog.cloudflare.com/unmetered-mitigation/). There is no limit to the number of DDoS attacks, their duration, or their size. Cloudflare's billing systems automatically exclude DDoS attack traffic from your usage.
126
128
129
+
---
130
+
131
+
## How does DDoS Protection determine whether a SYN flood attack is mitigated by `dosd` or Advanced TCP Protection?
132
+
133
+
Cloudflare mitigates SYN flood packets statelessly in `dosd` or using [DDoS managed rules](/ddos-protection/managed-rulesets/) when it detects a pattern that indicates that the packet is fake.
134
+
135
+
When SYN flood packets are highly randomized or indistinguishable from legitimate packets, Cloudflare uses [Advanced TCP Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/) to protect your site.
136
+
137
+
---
138
+
139
+
## How does Cloudflare handle hyper-localized DDoS attacks that may aim to overwhelm a specific Point of Presence (PoP)?
140
+
141
+
Cloudflare uses a combination of intelligent traffic engineering, global anycast, and real-time, autonomous DDoS mitigation to handle hyper-localized DDoS attacks — even those that may temporarily exceed the capacity of a specific Point of Presence (PoP).
142
+
143
+
### Global Anycast Network
144
+
145
+
Anycast allows multiple servers (PoPs) to share the same IP address, and the Border Gateway Protocol (BGP) routing system ensures user traffic is routed to the nearest or lowest-cost node.
146
+
147
+
#### Process
148
+
149
+
When one PoP is overwhelmed due to a local DDoS flood or as a result of limited capacity, BGP route propagation can be adjusted to shift traffic away from that PoP. Cloudflare can also withdraw BGP announcements from specific peers or upstreams to force traffic to reroute through better-equipped PoPs. Because DDoS traffic originates from multiple geographic regions, Anycast and traffic engineering distributes the attack across Cloudflare’s larger 348 Tbps Anycast network to reduce the burden on a single PoP.
150
+
151
+
### Intelligent Traffic Engineering
152
+
153
+
Cloudflare uses real-time data and intelligence systems to make decisions about traffic routing, load balancing, and congestion management.
154
+
155
+
#### Process
156
+
157
+
If a specific PoP becomes saturated or experiences attack traffic, Cloudflare's internal traffic engineering systems dynamically steer traffic across alternative paths using traffic shaping, path-aware routing, and dynamic DNS responses.
158
+
159
+
The system monitors CPU load, network congestion, and traffic type to make smart decisions about whether to reroute or throttle connections.
160
+
161
+
For Layer 7 (application-level) attacks, Cloudflare can challenge or rate-limit traffic before it reaches application servers. This scenario is similar to some extent to when we take down certain PoPs for maintenance. This can be done automatically via Traffic Manager, and if needed, by our Site Reliability Engineers (SRE).
162
+
163
+
### Real-Time DDoS Mitigation
164
+
165
+
DDoS managed rules and Advanced DDoS Protection are autonomous and run on every single server independently, while also coordinating locally and globally, contributing to the resilience of each server and PoP. These systems run close to the network edge in every PoP, meaning detection and mitigation happen rapidly, often before any noticeable impact. If traffic exceeds the capacity of one PoP, mitigation rules are replicated to other PoPs to help absorb overflow.
166
+
167
+
-**DDoS managed rules**: Detects and mitigates DDoS attacks in real-time. When it detects an attack, it deploys rules within seconds to mitigate the malicious traffic.
168
+
-**Advanced TCP Protection**: Identifies and drops abnormal TCP/IP behavior before it hits application servers.
169
+
-**Advanced DNS Protection**: Identifies and drops abnormal DNS queries behavior before it hits DNS servers.
0 commit comments