feedback updates

Author: patriciasantaana

src/content/docs/ddos-protection/advanced-ddos-systems/concepts.mdx

@@ -36,6 +36,67 @@ A rule configures Advanced DDoS Protection for a given [scope](/ddos-protection/
 
 Each system component (SYN flood protection and out-of-state TCP protection) has its own list of rules, and it should have at least one rule.
 
+### Rule settings
+Each rule type has the following settings: scope, mode, burst sensitivity, and rate sensitivity.
+
+You may need to adjust the burst or rate sensitivity of a rule in case of false positives or due to specific traffic patterns.
+
+#### Scope
+
+Advanced TCP Protection rules can have one of the following scopes:
+
+- **Global**: The rule will apply to all incoming packets.
+- **Region**: The rule will apply to incoming packets in a selected region.
+- **Data center**: The rule will apply to incoming packets in the selected Cloudflare data center.
+
+The rule scope allows you to adjust the system's tolerance for out-of-state packets in locations where you may have more or less traffic than usual, or due to any other networking reasons.
+
+Besides defining rules with one of the above scopes, you must also select the [prefixes](/ddos-protection/advanced-ddos-systems/concepts/#prefixes) that you wish to protect with Advanced TCP Protection.
+
+#### Mode
+
+The Advanced TCP Protection system constantly learns your TCP connections to mitigate DDoS attacks. Advanced TCP Protection rules can have one of the following execution modes: monitoring, mitigation (enabled), or disabled.
+
+- **Monitoring**
+  - In this mode, Advanced TCP Protection will not impact any packets. Instead, the protection system will learn your legitimate TCP connections and show you what it would have mitigated. Check Network Analytics to visualize what actions Advanced TCP Protection would have taken on incoming packets, according to the current configuration.
+
+- **​​Mitigation (Enabled)**
+  - In this mode, Advanced TCP Protection will learn your legitimate TCP connections and perform mitigation actions on incoming TCP DDoS attacks based on the rule configuration (burst and rate sensitivity) and your [allowlist](/ddos-protection/advanced-ddos-systems/concepts/#allowlist).
+
+- **Disabled**
+  - In this mode, a rule will not evaluate any incoming packets.
+
+#### Burst sensitivity
+
+The burst sensitivity is the rule's sensitivity to short-term bursts in the packet rate:
+
+- A low sensitivity means that bigger spikes in the packet rate may trigger a mitigation action.
+- A high sensitivity means that smaller spikes in the packet rate may trigger a mitigation action.
+
+The default burst sensitivity is _Medium_.
+
+#### Rate sensitivity
+
+The rate sensitivity is the rule's sensitivity to the sustained packet rate:
+
+- A low sensitivity means that higher sustained packet rates can trigger a mitigation action.
+- A high sensitivity means that lower sustained packet rates may trigger a mitigation action. A high sensitivity offers increased protection, but you may get more false positives (that is, mitigated packets that belong to legitimate traffic).
+
+The default rate sensitivity is _Medium_.
+
+#### Profile sensitivity
+
+:::note
+Profile sensitivity is available for [Advanced DNS Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection/) only.
+:::
+
+The sensitivity to DNS queries that have not been recently seen.
+
+- A higher sensitivity level means that the mitigation system will begin mitigating faster.
+- A lower sensitivity provides more tolerance for potentially suspicious DNS queries.
+
+The default rate sensitivity is _Medium_.
+
 ## Filter
 
 <Render file="atp-filter-definition" /> The filter expression can reference source and destination IP addresses and ports. Each system component (SYN flood protection and out-of-state TCP protection) should have one or more [rules](#rule), but filters are optional.
@@ -70,3 +131,29 @@ When you have both rules and filters configured, the execution mode is determine
    3. Off filter (filter with `disabled` mode)
 2. If no filter matched, use the execution mode determined by existing rules.
 3. If no rules match, disable Advanced TCP Protection.
+
+---
+
+## Mitigation reasons
+
+The Advanced TCP Protection system applies mitigation actions for different reasons based on the connection states. The **Mitigation reason** field shown in the **Advanced TCP Protection** tab of the [Network Analytics](/analytics/network-analytics/) dashboard will contain more information on why a given packet was dropped by the system.
+
+The connection states are the following:
+
+- **New**: A SYN or SYN-ACK packet has been sent to attempt to open a new connection.
+- **Open**: The three-way TCP handshake has been completed and the TCP connection is open.
+- **Closing**: A FIN or FIN-ACK packet has been seen attempting to close a connection.
+- **Closed**: The closing three-way handshake has been completed, or an RST packet has closed the connection.
+
+The mitigation reasons are the following:
+
+| Reason | Description |
+| --- | --- |
+| **Unexpected** | Packet dropped because it was not expected given the current state of the TCP connection it was associated with. |
+| **Challenge needed** | Packet challenged because the system determined that the packet is most likely part of a packet flood. |
+| **Challenge passed** | Packet dropped because it belongs to a solved challenge. |
+| **Not found** | Packet dropped because it is not part of an existing TCP connection and it is not establishing a new connection. |
+| **Out of sequence** | Packet dropped because its properties (for example, TCP flags or sequence numbers) do not match the expected values for the existing connection. |
+| **Already closed** | Packet dropped because it belongs to a connection that is already closed. |
+
+Mitigation will only occur based on your Advanced TCP Protection configuration (rule sensitivities, configured allowlists and prefixes). The protection system will provide some tolerance to out-of-state packets to accommodate for the natural randomness of Internet routing.

src/content/docs/ddos-protection/advanced-ddos-systems/how-to/create-filter.mdx

@@ -15,6 +15,10 @@ import { GlossaryTooltip, Render } from "~/components"
 
 Each protection system component (SYN flood protection or out-of-state TCP protection) should have at least one [rule](/ddos-protection/advanced-ddos-systems/concepts/#rule), but filters are optional.
 
+:::note
+Filters only apply to Advanced TCP Protection.
+:::
+
 ## Procedure
 
 To create a [filter](/ddos-protection/advanced-ddos-systems/concepts/#filter) for one of the system components:

src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection.mdx

@@ -25,17 +25,6 @@ The [Network Analytics dashboard](/analytics/network-analytics/) will display sy
 
 [Create a rule](/ddos-protection/advanced-ddos-systems/how-to/create-rule/#create-an-advanced-dns-protection-rule) to enable Advanced DNS Protection.
 
----
-
-## Troubleshooting
-
-### No data about Advanced DNS Protection in Network Analytics
-
-If you cannot find any data related to Advanced DNS Protection in the **DNS Protection** tab of Network Analytics, it could be because one of these reasons:
-
-- You did not [add your prefixes](/ddos-protection/advanced-ddos-systems/how-to/add-prefix/) to Advanced L3/4 DDoS Protection.
-- Cloudflare did not enable the Advanced DNS Protection system yet.
-- You do not have any DNS over UDP traffic.
 
 ---
 
@@ -50,11 +39,15 @@ Currently, to disable this data collection you must remove your prefixes either
 
 ---
 
-## Availability
+## Troubleshooting
 
-Advanced DNS Protection is currently available to [Magic Transit](/magic-transit/) customers.
+### No data about Advanced DNS Protection in Network Analytics
 
-Protection for simpler DNS-based DDoS attacks is also included as part of the [Network-layer DDoS Attack Protection managed ruleset](/ddos-protection/managed-rulesets/network/).
+If you cannot find any data related to Advanced DNS Protection in the **DNS Protection** tab of Network Analytics, it could be because one of these reasons:
+
+- You did not [add your prefixes](/ddos-protection/advanced-ddos-systems/how-to/add-prefix/) to Advanced L3/4 DDoS Protection.
+- Cloudflare did not enable the Advanced DNS Protection system yet.
+- You do not have any DNS over UDP traffic.
 
 ---
 

src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/index.mdx renamed to src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection.mdx

@@ -11,6 +11,8 @@ head:
 
 Cloudflare's Advanced TCP Protection, powered by [`flowtrackd`](https://blog.cloudflare.com/announcing-flowtrackd/), is a stateful TCP inspection engine used to detect and mitigate sophisticated out-of-state TCP attacks such as randomized and spoofed ACK floods or SYN and SYN-ACK floods.
 
+## How it works
+
 Advanced TCP Protection can simultaneously protect against different kinds of attacks:
 
 - Pinpointed attacks targeting a specific destination IP/port combination.
@@ -25,32 +27,24 @@ The feature offers two types of protection:
 
 Each protection type is configured independently using rules and (optionally) filters. You should configure at least one rule for each type of protection before enabling Advanced TCP Protection.
 
----
-
-## SYN Flood Protection
+### SYN Flood Protection
 
 This system protects against attacks such as fully randomized SYN and SYN-ACK floods. You should configure at least one SYN flood rule before enabling Advanced TCP Protection.
 
-In mitigation mode, SYN flood rules will challenge new connection initiation requests (SYN, SYN-ACK) if they exceed the configured packet-per-second thresholds. The threshold should be higher than the normal rate of legitimate SYN and SYN-ACK packets that your network receives. Packets below the threshold will not be challenged. Using the [rate sensitivity](/ddos-protection/advanced-ddos-systems/rule-settings/#rate-sensitivity) and [burst sensitivity](/ddos-protection/advanced-ddos-systems/rule-settings/#burst-sensitivity) settings you can increase or decrease the tolerance of SYN and SYN-ACK packets.
+In mitigation mode, SYN flood rules will challenge new connection initiation requests (SYN, SYN-ACK) if they exceed the configured packet-per-second thresholds. The threshold should be higher than the normal rate of legitimate SYN and SYN-ACK packets that your network receives. Packets below the threshold will not be challenged. Using the [rate sensitivity](/ddos-protection/advanced-ddos-systems/concepts/#rate-sensitivity) and [burst sensitivity](/ddos-protection/advanced-ddos-systems/concepts/#burst-sensitivity) settings you can increase or decrease the tolerance of SYN and SYN-ACK packets.
 
-For more information on the configuration settings of SYN flood rules, refer to [Rule settings](/ddos-protection/advanced-ddos-systems/rule-settings/).
+For more information on the configuration settings of SYN flood rules, refer to [Rule settings](/ddos-protection/advanced-ddos-systems/concepts/#rule-settings).
 
-## Out-of-state TCP Protection
+### Out-of-state TCP Protection
 
 This system protects against out-of-state TCP DDoS attacks such as fully randomized ACK floods and RST floods. You should configure one out-of-state TCP rule before enabling Advanced TCP Protection.
 
-In mitigation mode, out-of-state TCP rules will drop out-of-state packets that do not belong to existing (and tracked) TCP connections if their rates exceed the configured thresholds. The threshold should be higher than the normal rate of non SYN or SYN-ACK TCP packets that your network receives. Packets below the threshold will not be evaluated. Using the [rate sensitivity](/ddos-protection/advanced-ddos-systems/rule-settings/#rate-sensitivity) and [burst sensitivity](/ddos-protection/advanced-ddos-systems/rule-settings/#burst-sensitivity) settings you can increase or decrease the tolerance of out-of-state TCP packets.
+In mitigation mode, out-of-state TCP rules will drop out-of-state packets that do not belong to existing (and tracked) TCP connections if their rates exceed the configured thresholds. The threshold should be higher than the normal rate of non SYN or SYN-ACK TCP packets that your network receives. Packets below the threshold will not be evaluated. Using the [rate sensitivity](/ddos-protection/advanced-ddos-systems/concepts/#rate-sensitivity) and [burst sensitivity](/ddos-protection/advanced-ddos-systems/concepts/#burst-sensitivity) settings you can increase or decrease the tolerance of out-of-state TCP packets.
 
-For more information on the configuration settings of out-of-state TCP rules, refer to [Rule settings](/ddos-protection/advanced-ddos-systems/rule-settings/).
+For more information on the configuration settings of out-of-state TCP rules, refer to [Rule settings](/ddos-protection/advanced-ddos-systems/concepts/#rule-settings).
 
 ---
 
 ## Setup
 
-[Create a global configuration](/ddos-protection/advanced-ddos-systems/setup/#3-create-a-global-configuration) to set up SYN Flood and Out-of-state TCP rules and filters for Advanced TCP Protection.
-
----
-
-## Availability
-
-Advanced TCP Protection is available to all [Magic Transit](/magic-transit/) customers, and is disabled by default. Protection for simpler TCP-based DDoS attacks is also included as part of the [Network-layer DDoS Attack Protection managed ruleset](/ddos-protection/managed-rulesets/network/).
+[Create a global configuration](/ddos-protection/advanced-ddos-systems/overview/#rules) to set up SYN Flood and Out-of-state TCP rules and filters for Advanced TCP Protection.

src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/mitigation-reasons.mdx

@@ -10,26 +10,58 @@ head:
 
 ---
 
-import { GlossaryTooltip } from "~/components"
+import { GlossaryTooltip, Render } from "~/components"
 
-Advanced DDoS Protection systems are configured using the general settings, [Advanced TCP Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/), and [Advanced DNS Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection/).
+The Advanced DDoS Protection system includes [Advanced TCP Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/) and Advanced DNS Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection/). Both systems are configured using the general settings, but also comprise of their own dedicated settings.
+
+Advanced DDoS Protection systems is available to [Magic Transit](/magic-transit/) customers.
+
+Protection for simpler TCP or DNS-based DDoS attacks is included as part of the [Network-layer DDoS Attack Protection managed ruleset](/ddos-protection/managed-rulesets/network/).
 
 ## General settings
 
-General settings enable and control the use of the Advanced TCP Protection and the Advanced DNS Protection systems, and are composed of thresholds, prefixes, rules, and enablement. To configure the general settings, refer to [Setup](/ddos-protection/advanced-ddos-systems/setup/).
+General settings enable and control the use of the Advanced TCP Protection and the Advanced DNS Protection systems, and are composed of thresholds, prefixes, rules, and enablement.
 
 ### Thresholds
 
-Thresholds are based on your network's unique traffic, they define the sensitivity levels, and are configured by Cloudflare.
+Thresholds are based on your network's unique traffic and are configured by Cloudflare. The sensitivity levels manipulate the thresholds.
+
+When you get access to Advanced DDoS Protection systems, there are no configured thresholds in your account.
+
+Thresholds are based on your network's individual behavior, derived from your traffic profile as monitored by Cloudflare. Defining the thresholds will effectively determine what the _High_, _Medium_, and _Low_ [sensitivities](/ddos-protection/advanced-ddos-systems/concepts/#burst-sensitivity) will be for your specific case.
+
+Ask your Implementation Manager to configure initial threshold values. Separate thresholds need to be configured for Advanced TCP Protection and Advanced DNS Protection.
+
+Once thresholds are configured, the Implementation Manager will let you know that Advanced DDoS Protection systems have been initialized and can be configured and enabled.
 
 ### Prefixes
 
-Add prefixes to instruct the system on which traffic to route through the system.
+The prefixes that you have [onboarded](/magic-transit/how-to/advertise-prefixes/) to and approved by Cloudflare instruct the system on which traffic to route through the system.
+
+[Add the prefixes](/ddos-protection/advanced-ddos-systems/how-to/add-prefix/) you would like to use with Advanced TCP and DNS Protection. You will be able to register prefixes that you previously [onboarded to Magic Transit](/magic-transit/how-to/advertise-prefixes/) or a subset of these prefixes.
+
+You cannot add unapproved prefixes to Advanced DDoS Protection systems. Contact your account team to get help with prefix approvals.
 
 ### Rules
 
-Create rules for the TCP and DNS Protection systems to enable mitigation. Start with Monitoring mode.
+[Create a rule](/ddos-protection/advanced-ddos-systems/how-to/create-rule/) for Advanced TCP and Advanced DNS Protection (as needed) to enable mitigation. 
+
+You can create a rule for SYN Flood Protection and another rule for Out-of-state TCP Protection, both with global scope and in monitoring mode. These rules will apply to all received <GlossaryTooltip term="data packet">packets</GlossaryTooltip>.
+
+Optionally, you can create [filters](/ddos-protection/advanced-ddos-systems/concepts/#filter) for each protection system component (SYN flood protection and out-of-state TCP protection). <Render file="atp-filter-definition" />
+
+### Prefixes
+
+Optionally, you can [add prefixes to the allowlist](/ddos-protection/advanced-ddos-systems/how-to/add-prefix-allowlist/) if your traffic should bypass Advanced DDoS Protection rules.
+
+The <GlossaryTooltip term="allowlist">allowlist</GlossaryTooltip> only applies to source IPs — it does not apply to your own IPs or prefixes. You can also [exclude a subset of an onboarded prefix](/ddos-protection/advanced-ddos-systems/how-to/exclude-prefix/) from Advanced TCP Protection.
+
+Refer to [Concepts](/ddos-protection/advanced-ddos-systems/concepts/) for more information.
 
 ### Enablement
 
-Enable the Advanced DDoS system and begin routing traffic through it.
+Enable the Advanced DDoS system and begin routing traffic through it.
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account.
+2. Go to **L3/4 DDoS** > **Advanced Protection** > **General settings**.
+3. Under **General settings**, toggle the feature status **On**.