|
1 | 1 | --- |
2 | | -pcx_content_type: how-to |
3 | | -title: Handle a false negative or an incomplete mitigation |
4 | | -description: Learn how to handle false negatives and incomplete mitigations in Cloudflare DDoS Protection. Adjust rules to ensure effective attack mitigation. |
| 2 | +title: Override examples |
| 3 | +pcx_content_type: reference |
5 | 4 | sidebar: |
6 | | - order: 3 |
7 | | - |
| 5 | + order: 5 |
| 6 | +head: |
| 7 | + - tag: title |
| 8 | + content: Override examples for HTTP DDoS Attack Protection |
8 | 9 | --- |
9 | 10 |
|
10 | 11 | import { Details, GlossaryTooltip } from "~/components" |
11 | 12 |
|
12 | | -## False negatives |
| 13 | +## Use cases |
| 14 | + |
| 15 | +The following scenarios detail how you can make use of override rules as a solution to common HTTP DDoS Protection issues. |
| 16 | + |
| 17 | +### Traffic from your mobile application is blocked by a DDoS Managed Rule |
| 18 | + |
| 19 | +The traffic from your mobile application may have appeared suspicious, causing a DDoS Managed Rule to block it. |
| 20 | + |
| 21 | +You should identify the Managed Rule blocking the traffic and change the sensitivity level to `Medium`. If traffic continues to be blocked by the managed rule, set the sensitivity level to `Low` or `Essentially off`. |
| 22 | + |
| 23 | +If you have access to filter expressions, you can create an override to target the specific affected traffic. |
| 24 | + |
| 25 | + |
| 26 | +### Traffic is flagged by an adaptive rule based on the location and may be an attack |
| 27 | + |
| 28 | +If you recognize that the traffic flagged by an adaptive rule may be considered an attack, you can create an override rule to enable the adaptive rule in mitigation mode to `challenge` (if it is browser traffic) or `block` (for other suspicious traffic). |
| 29 | + |
| 30 | +### An end user is experiencing a false positive |
| 31 | + |
| 32 | +If you observe that one of your end users is experiencing a false positive, you can create an override for the rule that caused the false positive and use the filter expressions to apply it only to the hostname. |
| 33 | + |
| 34 | +[INSERT false-positive.mdx PAGE CONTENT HERE] |
| 35 | + |
| 36 | +### An attack is incorrectly identified as legitimate traffic and causes a false negative |
13 | 37 |
|
14 | 38 | A false negative is a lack of identification. In the case of DDoS protection, there is a false negative when attack traffic is mistakenly classified as legitimate traffic and is not mitigated. This can occur when the attack traffic is not sufficiently high to trigger mitigation actions or if there are no rules matching the attack. |
15 | 39 |
|
|
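Review bot: The placeholder at new line 34, `[INSERT false-positive.mdx PAGE CONTENT HERE]`, will be published as literal text under "An end user is experiencing a false positive". Replace it with the intended content or remove it before merging. In the front matter, `description` is deleted and nothing replaces it. If the page should keep a description, add one that matches the new "Override examples" title. New line 28 is hard to parse ("enable the adaptive rule in mitigation mode to `challenge`"). Consider stating directly that the override sets the rule's action to `challenge` for browser traffic or `block` for other suspicious traffic. New line 32 ends with "apply it only to the hostname" without saying which hostname is meant. Name it, for example the hostname the affected user is accessing, so the override is scoped narrowly and does not weaken mitigation for other traffic. New lines 24 and 25 add two consecutive blank lines where one is enough.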