|
| 1 | +--- |
| 2 | +{} |
| 3 | + |
| 4 | +--- |
| 5 | + |
| 6 | +When Cloudflare's DDoS Protection systems detect an attack, mitigations are emitted against it. Each mitigation has a single managed rule from the managed ruleset associated with it. |
| 7 | + |
| 8 | +All mitigations and its associated managed rules are evaluated in order by DDoS Protection systems one by one. |
| 9 | + |
| 10 | +You can create only one override ruleset that can contain one or multiple override rules. An override rule instructs the DDoS Protection system on the action it should take based on its matching managed rule. |
| 11 | + |
| 12 | +For each active mitigation that is linked to a single managed rule, Cloudflare will go through all of the override rules defined in the override ruleset until one matches the managed rule, and apply the action and stop at that point. Otherwise, evaluation will continue in order until a rule matches. |
| 13 | + |
| 14 | +However, within an override rule, specificity matters. If the override rule has the following two elements defined, then DDoS Protection systems will prioritize specificity when evaluating overrides: |
| 15 | + |
| 16 | +- All of the managed rules in the ruleset are set to a specific action. |
| 17 | +- A managed rule within that ruleset is set to a different action from the rest of the rules. |
| 18 | + |
| 19 | +## Examples |
| 20 | + |
| 21 | +### General example |
| 22 | + |
| 23 | +A managed ruleset contains the following managed rules: |
| 24 | + |
| 25 | +- Managed rule 1 |
| 26 | +- Managed rule 2 |
| 27 | +- Managed rule 3 |
| 28 | + |
| 29 | +An override ruleset contains the following override rules: |
| 30 | + |
| 31 | +- Override rule 1 |
| 32 | + - Managed rule 1 is set to `block` |
| 33 | +- Override rule 2 |
| 34 | + - *All managed rules* are set to `challenge` |
| 35 | + - Managed rule 1 is set to `log` |
| 36 | + - Managed rule 2 is set to `log` |
| 37 | +- Override rule 3 |
| 38 | + - Managed rule 3 is set to `log` |
| 39 | + |
| 40 | +If DDoS Protection triggers three mitigations — one linked with an individual managed rule — then the override for each mitigation is evaluated one by one. |
| 41 | + |
| 42 | +**Mitigation 1 linked with managed rule 1** |
| 43 | + |
| 44 | +Since managed rule 1 matches override rule 1, Cloudflare will `block` the attacks and not proceed with the rest of the rules. |
| 45 | + |
| 46 | +**Mitigation 2 linked with managed rule 2** |
| 47 | + |
| 48 | +Since managed rule 2 does not match override rule 1, Cloudflare will proceed to override rule 2. |
| 49 | + |
| 50 | +Override rule 2 matches both *All managed rules* and managed rule 2, but specificity takes precedent. It does not `challenge` as dictated by *All managed rules* and instead proceeds with `log` since it matches the most specific managed rule. |
| 51 | + |
| 52 | +**Mitigation 3 linked with managed rule 3** |
| 53 | + |
| 54 | +Since managed rule 3 does not match override rule 1, Cloudflare will proceed to override rule 2. |
| 55 | + |
| 56 | +Override rule 2 sets *All managed rules* to `challenge`, so Cloudflare challenges the attack and does not proceed to override rule 3. |
| 57 | + |
| 58 | +--- |
| 59 | + |
| 60 | +### Sensitivity example |
| 61 | + |
| 62 | +An additional dimension to take into account is Cloudflare will apply a given Override Rule only if its conditions are met, which includes the Sensitivity level. |
| 63 | + |
| 64 | +While the override rule needs to match and modify the correct managed rule (or all managed rules in the case of mitigation 3 above), it also has to meet the specified Sensitivity level of the rule. |
| 65 | + |
| 66 | +- Override rule 1 |
| 67 | + - All managed rules are set to `challenge` at `low` sensitivity |
| 68 | + |
| 69 | +- Override rule 2 |
| 70 | + - Managed rule 1 is set to `log` at `default` sensitivity. |
| 71 | + |
| 72 | +**Scenario**: You receive a small attack below the threshold for `low` sensitivity, but above the threshold for `high` sensitivity on managed rule 1. |
| 73 | + |
| 74 | +- Override rule 1 does not meet the `low` sensitivity threshold. Therefore, we do not match the override and do not mitigate the attack, but proceed to evaluate the next managed rule in case the override rules instruct DDoS Protection to mitigate. |
| 75 | +- Override rule 2 sets `log` at default visibility, which matches the condition, so the defined action is applied and attack traffic is logged. |
0 commit comments