",
@@ -306,4 +306,4 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/advanced_t
}
```
-Refer to [JSON objects](/ddos-protection/tcp-protection/api/json-objects/) for more information on the fields in the JSON body.
+Refer to [JSON objects](/ddos-protection/advanced-ddos-systems/api/tcp-protection/json-objects/) for more information on the fields in the JSON body.
\ No newline at end of file
diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/api/tcp-protection/index.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/api/tcp-protection/index.mdx
new file mode 100644
index 00000000000000..6c8645c201cdc0
--- /dev/null
+++ b/src/content/docs/ddos-protection/advanced-ddos-systems/api/tcp-protection/index.mdx
@@ -0,0 +1,112 @@
+---
+pcx_content_type: how-to
+title: Advanced TCP Protection
+sidebar:
+ order: 4
+ label: Configure via the API
+head:
+ - tag: title
+ content: Configure Advanced TCP Protection via API
+
+---
+
+You can configure Advanced TCP Protection using the Advanced TCP Protection API.
+
+The Advanced TCP Protection API only supports [API token authentication](/fundamentals/api/get-started/create-token/).
+
+For examples of API calls, refer to [Common API calls](/ddos-protection/advanced-ddos-systems/api/tcp-protection/examples/).
+
+## Endpoints
+
+To obtain the complete endpoint, append the Advanced TCP Protection API endpoints listed below to the Cloudflare API base URL.
+
+The Cloudflare API base URL is:
+
+```txt
+https://api.cloudflare.com/client/v4
+```
+
+The `{account_id}` argument is the account ID (a hexadecimal string). You can find this value in the Cloudflare dashboard.
+
+The tables in the following sections summarize the available operations.
+
+### General operations
+
+| Operation | Method and endpoint / Description |
+| --- | --- |
+| Get Advanced TCP Protection status | `GET accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_protection_status`
Gets the global Advanced TCP Protection status (enabled or disabled). |
+| Update Advanced TCP Protection status | `PATCH accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_protection_status`
Enables or disables Advanced TCP Protection. |
+
+### Prefix operations
+
+| Operation | Method and endpoint / Description |
+| --- | --- |
+| List prefixes | `GET accounts/{account_id}/magic/advanced_tcp_protection/configs/prefixes`
Fetches all Advanced TCP Protection prefixes in the account. |
+| Add prefixes in bulk | `POST accounts/{account_id}/magic/advanced_tcp_protection/configs/prefixes/bulk`
Adds prefixes in bulk to the account (up to 300 prefixes per request). |
+| Get a prefix | `GET accounts/{account_id}/magic/advanced_tcp_protection/configs/prefixes/{prefix_id}`
Fetches the details of an existing prefix. |
+| Update a prefix | `PATCH accounts/{account_id}/magic/advanced_tcp_protection/configs/prefixes/{prefix_id}`
Updates an existing prefix. |
+| Delete a prefix | `DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/prefixes/{prefix_id}`
Deletes an existing prefix. |
+| Delete all prefixes | `DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/prefixes`
Deletes all existing prefixes from the account. |
+
+### Allowlist operations
+
+| Operation | Method and endpoint / Description |
+| --- | --- |
+| List allowlisted prefixes | `GET accounts/{account_id}/magic/advanced_tcp_protection/configs/allowlist`
Fetches all prefixes in the account allowlist. |
+| Add an allowlisted prefix | `POST accounts/{account_id}/magic/advanced_tcp_protection/configs/allowlist`
Adds a prefix to the allowlist. |
+| Get an allowlisted prefix | `GET accounts/{account_id}/magic/advanced_tcp_protection/configs/allowlist/{allowlist_id}`
Fetches the details of an existing prefix in the allowlist. |
+| Update an allowlisted prefix | `PATCH accounts/{account_id}/magic/advanced_tcp_protection/configs/allowlist/{allowlist_id}`
Updates an existing prefix in the allowlist. |
+| Delete an allowlisted prefix | `DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/allowlist/{allowlist_id}`
Deletes an existing prefix from the allowlist. |
+| Delete all allowlisted prefixes | `DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/allowlist`
Deletes all existing prefixes from the allowlist. |
+
+### SYN Flood Protection operations
+
+#### Rules
+
+| Operation | Method and endpoint / Description |
+| --- | --- |
+| List SYN flood rules | `GET accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/rules`
Fetches all SYN flood rules in the account. |
+| Add a SYN flood rule | `POST accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/rules`
Adds a SYN flood rule to the account. |
+| Get a SYN flood rule | `GET accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/rules/{rule_id}`
Fetches the details of an existing SYN flood rule in the account. |
+| Update a SYN flood rule | `PATCH accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/rules/{rule_id}`
Updates an existing SYN flood rule in the account. |
+| Delete a SYN flood rule | `DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/rules/{rule_id}`
Deletes an existing SYN flood rule from the account. |
+| Delete all SYN flood rules | `DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/rules`
Deletes all existing SYN flood rules from the account. |
+
+#### Filters
+
+| Operation | Method and endpoint / Description |
+| --- | --- |
+| List SYN flood filters | `GET accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/filters`
Fetches all SYN flood filters in the account. |
+| Add a SYN flood filter | `POST accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/filters`
Adds a SYN flood filter to the account. |
+| Get a SYN flood filter | `GET accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/filters/{filter_id}`
Fetches the details of an existing SYN flood filter in the account. |
+| Update a SYN flood filter | `PATCH accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/filters/{filter_id}`
Updates an existing SYN flood filter in the account. |
+| Delete a SYN flood filter | `DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/filters/{filter_id}`
Deletes an existing SYN flood filter from the account. |
+| Delete all SYN flood filters | `DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/filters`
Deletes all existing SYN flood filters from the account. |
+
+### Out-of-state TCP Protection operations
+
+#### Rules
+
+| Operation | Method and endpoint / Description |
+| --- | --- |
+| List out-of-state TCP rules | `GET accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/rules`
Fetches all out-of-state TCP rules in the account. |
+| Add an out-of-state TCP rule | `POST accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/rules`
Adds an out-of-state TCP rule to the account. |
+| Get an out-of-state TCP rule | `GET accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/rules/{rule_id}`
Fetches the details of an existing out-of-state TCP rule in the account. |
+| Update an out-of-state TCP rule | `PATCH accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/rules/{rule_id}`
Updates an existing out-of-state TCP rule in the account. |
+| Delete an out-of-state TCP rule | `DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/rules/{rule_id}`
Deletes an existing out-of-state TCP rule from the account. |
+| Delete all out-of-state TCP rules | `DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/rules`
Deletes all existing out-of-state TCP rules from the account. |
+
+#### Filters
+
+| Operation | Method and endpoint / Description |
+| --- | --- |
+| List out-of-state TCP filters | `GET accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/filters`
Fetches all out-of-state TCP filters in the account. |
+| Add an out-of-state TCP filter | `POST accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/filters`
Adds an out-of-state TCP filter to the account. |
+| Get an out-of-state TCP filter | `GET accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/filters/{filter_id}`
Fetches the details of an existing out-of-state TCP filter in the account. |
+| Update an out-of-state TCP filter | `PATCH accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/filters/{filter_id}`
Updates an existing out-of-state TCP filter in the account. |
+| Delete an out-of-state TCP filter | `DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/filters/{filter_id}`
Deletes an existing out-of-state TCP filter from the account. |
+| Delete all out-of-state TCP filters | `DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/filters`
Deletes all existing out-of-state TCP filters from the account. |
+
+## Pagination
+
+The API operations that return a list of items use pagination. For more information on the available pagination query parameters, refer to [Pagination](/fundamentals/api/how-to/make-api-calls/#pagination).
\ No newline at end of file
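Review bot: The authentication paragraph near the top of the new index.mdx says only API token authentication is supported but never names the permission the token needs, and the tables list the delete-all operations (`DELETE .../configs/prefixes`, `.../configs/allowlist`, `.../syn_protection/rules`, `.../tcp_flow_protection/filters` and so on) without any callout. Suggest stating the required token permission next to the authentication sentence and adding a caution that the delete-all endpoints act on the whole account, so readers can scope tokens accordingly. The single column header `Method and endpoint / Description` would also read better split into two columns.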
diff --git a/src/content/docs/ddos-protection/tcp-protection/api/json-objects.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/api/tcp-protection/json-objects.mdx
similarity index 95%
rename from src/content/docs/ddos-protection/tcp-protection/api/json-objects.mdx
rename to src/content/docs/ddos-protection/advanced-ddos-systems/api/tcp-protection/json-objects.mdx
index d00337e17d08f7..ed617590ffb775 100644
--- a/src/content/docs/ddos-protection/tcp-protection/api/json-objects.mdx
+++ b/src/content/docs/ddos-protection/advanced-ddos-systems/api/tcp-protection/json-objects.mdx
@@ -9,7 +9,7 @@ head:
---
-This page contains examples of the JSON objects used in the API.
+This page contains an example of the TCP protection rule JSON object used in the API.
## Prefix
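Review bot: The replacement intro sentence says the page contains "an example of the TCP protection rule JSON object", but the next context line is `## Prefix` and the following hunk's context covers the filter `expression` and `mode` fields, so the page still documents more than the rule object. Suggest keeping a plural wording, for example "examples of the JSON objects used in the Advanced TCP Protection API".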
@@ -81,4 +81,4 @@ The `expression` field is a [Rules language expression](/ruleset-engine/rules-la
Expressions of SYN flood protection and out-of-state TCP protection filters do not currently support functions.
:::
-The `mode` value must be one of `enabled`, `disabled`, or `monitoring`.
+The `mode` value must be one of `enabled`, `disabled`, or `monitoring`.
\ No newline at end of file
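Review bot: The removed and added `mode` lines are textually identical; the only visible effect is that json-objects.mdx now ends without a newline (`\ No newline at end of file`). Suggest restoring the trailing newline so this hunk drops out of the diff; the same marker appears on most files in this patch.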
diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/concepts.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/concepts.mdx
new file mode 100644
index 00000000000000..e0e30442b6e7f7
--- /dev/null
+++ b/src/content/docs/ddos-protection/advanced-ddos-systems/concepts.mdx
@@ -0,0 +1,159 @@
+---
+title: Concepts
+pcx_content_type: concept
+sidebar:
+ order: 2
+head:
+ - tag: title
+ content: Create an Advanced TCP Protection filter
+
+---
+
+import { GlossaryTooltip, Render } from "~/components"
+
+## Prefixes
+
+Advanced DDoS Protection protects the IP prefixes you select from sophisticated DDoS attacks. A prefix can be an IP address or an IP range in CIDR format. You must add prefixes to Advanced DDoS Protection so that Cloudflare can analyze incoming packets and offer protection against sophisticated TCP DDoS attacks.
+
+Prefixes added to Advanced DDoS Protection must be one of the following:
+
+- A prefix [onboarded to Magic Transit](/magic-transit/how-to/advertise-prefixes/).
+- A subset of a prefix [onboarded to Magic Transit](/magic-transit/how-to/advertise-prefixes/).
+
+You cannot add a prefix (or a subset of a prefix) that you have not onboarded to Magic Transit or whose status is still _Unapproved_. Contact your account team to get help with prefix approvals.
+
+## Allowlist
+
+The Advanced DDoS Protection allowlist is a list of prefixes that will bypass all configured Advanced DDoS Protection rules.
+
+For example, you could add prefixes used only by partners of your company to the allowlist so that they are exempt from packet inspection and mitigation actions performed by Advanced DDoS Protection.
+
+
+
+## Rule
+
+A rule configures Advanced DDoS Protection for a given [scope](/ddos-protection/advanced-ddos-systems/concepts/#scope), according to several [settings](/ddos-protection/advanced-ddos-systems/concepts/#rule-settings): execution mode, burst sensitivity, and rate sensitivity.
+
+Each system component (SYN flood protection and out-of-state TCP protection) has its own list of rules, and it should have at least one rule.
+
+### Rule settings
+Each rule type has the following settings: scope, mode, burst sensitivity, and rate sensitivity.
+
+You may need to adjust the burst or rate sensitivity of a rule in case of false positives or due to specific traffic patterns.
+
+#### Scope
+
+Advanced TCP Protection rules can have one of the following scopes:
+
+- **Global**: The rule will apply to all incoming packets.
+- **Region**: The rule will apply to incoming packets in a selected region.
+- **Data center**: The rule will apply to incoming packets in the selected Cloudflare data center.
+
+The rule scope allows you to adjust the system's tolerance for out-of-state packets in locations where you may have more or less traffic than usual, or due to any other networking reasons.
+
+Besides defining rules with one of the above scopes, you must also select the [prefixes](/ddos-protection/advanced-ddos-systems/concepts/#prefixes) that you wish to protect with Advanced TCP Protection.
+
+#### Mode
+
+The Advanced TCP Protection system constantly learns your TCP connections to mitigate DDoS attacks. Advanced TCP Protection rules can have one of the following execution modes: monitoring, mitigation (enabled), or disabled.
+
+- **Monitoring**
+ - In this mode, Advanced TCP Protection will not impact any packets. Instead, the protection system will learn your legitimate TCP connections and show you what it would have mitigated. Check Network Analytics to visualize what actions Advanced TCP Protection would have taken on incoming packets, according to the current configuration.
+
+- **Mitigation (Enabled)**
+ - In this mode, Advanced TCP Protection will learn your legitimate TCP connections and perform mitigation actions on incoming TCP DDoS attacks based on the rule configuration (burst and rate sensitivity) and your [allowlist](/ddos-protection/advanced-ddos-systems/concepts/#allowlist).
+
+- **Disabled**
+ - In this mode, a rule will not evaluate any incoming packets.
+
+#### Burst sensitivity
+
+The burst sensitivity is the rule's sensitivity to short-term bursts in the packet rate:
+
+- A low sensitivity means that bigger spikes in the packet rate may trigger a mitigation action.
+- A high sensitivity means that smaller spikes in the packet rate may trigger a mitigation action.
+
+The default burst sensitivity is _Medium_.
+
+#### Rate sensitivity
+
+The rate sensitivity is the rule's sensitivity to the sustained packet rate:
+
+- A low sensitivity means that higher sustained packet rates can trigger a mitigation action.
+- A high sensitivity means that lower sustained packet rates may trigger a mitigation action. A high sensitivity offers increased protection, but you may get more false positives (that is, mitigated packets that belong to legitimate traffic).
+
+The default rate sensitivity is _Medium_.
+
+#### Profile sensitivity
+
+:::note
+Profile sensitivity is available for [Advanced DNS Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection/) only.
+:::
+
+The sensitivity to DNS queries that have not been recently seen.
+
+- A higher sensitivity level means that the mitigation system will begin mitigating faster.
+- A lower sensitivity provides more tolerance for potentially suspicious DNS queries.
+
+The default rate sensitivity is _Medium_.
+
+## Filter
+
+ The filter expression can reference source and destination IP addresses and ports. Each system component (SYN flood protection and out-of-state TCP protection) should have one or more [rules](#rule), but filters are optional.
+
+Each system component has its own filters. You can configure a filter for each execution mode:
+
+- **Mitigation Filter**: The system will drop packets matching the filter expression.
+- **Monitoring Filter**: The system will log packets matching the filter expression.
+- **Off Filter**: The system will ignore packets matching the filter expression.
+
+When there is a match, a filter will alter the execution mode for all configured rules in a given system component (SYN flood protection or out-of-state TCP protection), including disabled rules.
+
+For instructions on creating filters in the Cloudflare dashboard, refer to [Create a filter](/ddos-protection/advanced-ddos-systems/how-to/create-filter/). For API examples, refer to [Common API calls](/ddos-protection/advanced-ddos-systems/api/tcp-protection/examples/).
+
+### Example use case
+
+You can create a monitor filter for a new prefix that you are onboarding by using the expression to match against the prefix.
+
+Your already onboarded prefixes can remain protected with one or more configured rules in mitigation mode.
+
+When onboarding a new prefix, you would configure a monitoring filter for this prefix and then add it to Advanced TCP Protection.
+
+---
+
+## Determining the execution mode
+
+When you have both rules and filters configured, the execution mode is determined according to the following:
+
+1. If there is a match for one of the configured filters, use the filter's execution mode. The filter evaluation order is based on their mode, in the following order:
+ 1. Mitigation filter (filter with `enabled` mode)
+ 2. Monitoring filter (filter with `monitoring` mode)
+ 3. Off filter (filter with `disabled` mode)
+2. If no filter matched, use the execution mode determined by existing rules.
+3. If no rules match, disable Advanced TCP Protection.
+
+---
+
+## Mitigation reasons
+
+The Advanced TCP Protection system applies mitigation actions for different reasons based on the connection states. The **Mitigation reason** field shown in the **Advanced TCP Protection** tab of the [Network Analytics](/analytics/network-analytics/) dashboard will contain more information on why a given packet was dropped by the system.
+
+The connection states are the following:
+
+- **New**: A SYN or SYN-ACK packet has been sent to attempt to open a new connection.
+- **Open**: The three-way TCP handshake has been completed and the TCP connection is open.
+- **Closing**: A FIN or FIN-ACK packet has been seen attempting to close a connection.
+- **Closed**: The closing three-way handshake has been completed, or an RST packet has closed the connection.
+
+The mitigation reasons are the following:
+
+| Reason | Description |
+| --- | --- |
+| **Unexpected** | Packet dropped because it was not expected given the current state of the TCP connection it was associated with. |
+| **Challenge needed** | Packet challenged because the system determined that the packet is most likely part of a packet flood. |
+| **Challenge passed** | Packet dropped because it belongs to a solved challenge. |
+| **Not found** | Packet dropped because it is not part of an existing TCP connection and it is not establishing a new connection. |
+| **Out of sequence** | Packet dropped because its properties (for example, TCP flags or sequence numbers) do not match the expected values for the existing connection. |
+| **Already closed** | Packet dropped because it belongs to a connection that is already closed. |
+
+Mitigation will only occur based on your Advanced TCP Protection configuration (rule sensitivities, configured allowlists and prefixes). The protection system will provide some tolerance to out-of-state packets to accommodate for the natural randomness of Internet routing.
\ No newline at end of file
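Review bot: The front matter `head` title in the new concepts.mdx is `Create an Advanced TCP Protection filter`, which looks copied from the create-filter page and does not match `title: Concepts`. Under `#### Profile sensitivity` the closing line reads "The default rate sensitivity is _Medium_", which presumably should say profile sensitivity. The `## Filter` section starts with a leading space and goes straight to what the expression can reference without first saying what a filter is, and "Example use case" says "monitor filter" where the list above uses "Monitoring Filter". In "Determining the execution mode", step 3 (`If no rules match, disable Advanced TCP Protection.`) is the fallback behaviour and deserves an explicit callout.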
diff --git a/src/content/docs/ddos-protection/tcp-protection/how-to/add-prefix-allowlist.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/add-prefix-allowlist.mdx
similarity index 68%
rename from src/content/docs/ddos-protection/tcp-protection/how-to/add-prefix-allowlist.mdx
rename to src/content/docs/ddos-protection/advanced-ddos-systems/how-to/add-prefix-allowlist.mdx
index cb0dce8ca40a77..aa3bd694a38a52 100644
--- a/src/content/docs/ddos-protection/tcp-protection/how-to/add-prefix-allowlist.mdx
+++ b/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/add-prefix-allowlist.mdx
@@ -2,16 +2,16 @@
title: Add an IP or prefix to the allowlist
pcx_content_type: how-to
sidebar:
- order: 4
+ order: 2
head:
- tag: title
- content: Add an IP address/prefix to the Advanced TCP Protection allowlist
+ content: Add an IP address/prefix to the Advanced DDoS Protection allowlist
---
import { Render } from "~/components"
-To add an IP address or prefix to the Advanced TCP Protection [allowlist](/ddos-protection/tcp-protection/concepts/#allowlist):
+To add an IP address or prefix to the Advanced DDoS Protection [allowlist](/ddos-protection/advanced-ddos-systems/concepts/#allowlist):
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account.
2. Go to **L3/4 DDoS** > **Advanced Protection**.
@@ -20,4 +20,4 @@ To add an IP address or prefix to the Advanced TCP Protection [allowlist](/ddos-
5. To exclude the current prefix from the allowlist instead of including it, uncheck the **Enabled** checkbox.
6. Select **Add**.
-
+
\ No newline at end of file
diff --git a/src/content/docs/ddos-protection/tcp-protection/how-to/add-prefix.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/add-prefix.mdx
similarity index 66%
rename from src/content/docs/ddos-protection/tcp-protection/how-to/add-prefix.mdx
rename to src/content/docs/ddos-protection/advanced-ddos-systems/how-to/add-prefix.mdx
index eb36505a4b7423..346a31e4ff7a68 100644
--- a/src/content/docs/ddos-protection/tcp-protection/how-to/add-prefix.mdx
+++ b/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/add-prefix.mdx
@@ -2,14 +2,14 @@
title: Add a prefix
pcx_content_type: how-to
sidebar:
- order: 2
+ order: 1
head:
- tag: title
- content: Add a prefix to Advanced TCP Protection
+ content: Add a prefix to Advanced DDoS Protection
---
-To add a [prefix](/ddos-protection/tcp-protection/concepts/#prefixes) to Advanced TCP Protection:
+To add a [prefix](/ddos-protection/advanced-ddos-systems/concepts/#prefixes) to Advanced DDoS Protection:
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account.
2. Go to **L3/4 DDoS** > **Advanced Protection**.
@@ -19,5 +19,5 @@ To add a [prefix](/ddos-protection/tcp-protection/concepts/#prefixes) to Advance
:::note[Note]
-The **Add existing prefix** list will not display leased prefixes, but you can add them manually in the Cloudflare dashboard or [using the API](/ddos-protection/tcp-protection/api/). You cannot add [delegated prefixes](/byoip/concepts/prefix-delegations/) to Advanced TCP Protection.
-:::
+The **Add existing prefix** list will not display leased prefixes, but you can add them manually in the Cloudflare dashboard or [using the API](/ddos-protection/advanced-ddos-systems/api/). You cannot add [delegated prefixes](/byoip/concepts/prefix-delegations/) to Advanced TCP Protection.
+:::
\ No newline at end of file
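Review bot: In the `:::note[Note]` block the API link now points to `/ddos-protection/advanced-ddos-systems/api/`, while the API page added by this patch lives under `api/tcp-protection/`; please confirm an index exists at `/api/` or link to `/ddos-protection/advanced-ddos-systems/api/tcp-protection/`. The last sentence of the same note still says "Advanced TCP Protection" although the title and intro of this page were renamed to Advanced DDoS Protection; worth stating which product the delegated-prefix restriction applies to.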
diff --git a/src/content/docs/ddos-protection/tcp-protection/how-to/create-filter.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/create-filter.mdx
similarity index 83%
rename from src/content/docs/ddos-protection/tcp-protection/how-to/create-filter.mdx
rename to src/content/docs/ddos-protection/advanced-ddos-systems/how-to/create-filter.mdx
index 97e165775c62da..4ddb495acb35fd 100644
--- a/src/content/docs/ddos-protection/tcp-protection/how-to/create-filter.mdx
+++ b/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/create-filter.mdx
@@ -2,7 +2,7 @@
title: Create a filter
pcx_content_type: how-to
sidebar:
- order: 5
+ order: 4
head:
- tag: title
content: Create a filter for Advanced TCP Protection
@@ -13,11 +13,15 @@ import { GlossaryTooltip, Render } from "~/components"
-Each protection system component (SYN flood protection or out-of-state TCP protection) should have at least one [rule](/ddos-protection/tcp-protection/concepts/#rule), but filters are optional.
+Each protection system component (SYN flood protection or out-of-state TCP protection) should have at least one [rule](/ddos-protection/advanced-ddos-systems/concepts/#rule), but filters are optional.
+
+:::note
+Filters only apply to Advanced TCP Protection.
+:::
## Procedure
-To create a [filter](/ddos-protection/tcp-protection/concepts/#filter) for one of the system components:
+To create a [filter](/ddos-protection/advanced-ddos-systems/concepts/#filter) for one of the system components:
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account.
2. Go to **L3/4 DDoS** > **Advanced Protection** > **Advanced TCP Protection**.
@@ -28,4 +32,4 @@ To create a [filter](/ddos-protection/tcp-protection/concepts/#filter) for one o
4. Under **When incoming packets match**, define a filter expression using the Expression Builder (specifying one or more values for **Field**, **Operator**, and **Value**), or manually enter an expression using the Expression Editor. For more information, refer to [Edit rule expressions](/ruleset-engine/rules-language/expressions/edit-expressions/).
5. Select **Save**.
-
+
\ No newline at end of file
diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/create-rule.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/create-rule.mdx
new file mode 100644
index 00000000000000..28250ee360ef5b
--- /dev/null
+++ b/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/create-rule.mdx
@@ -0,0 +1,47 @@
+---
+title: Create a rule
+pcx_content_type: how-to
+sidebar:
+ order: 3
+head:
+ - tag: title
+ content: Create an Advanced DDoS Protection rule
+
+---
+
+import { Render } from "~/components"
+
+## Create an Advanced TCP Protection rule
+
+To create a [SYN flood rule](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/#syn-flood-protection) or an [out-of-state TCP](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/#out-of-state-tcp-protection) rule:
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account.
+2. Go to **L3/4 DDoS** > **Advanced Protection** > **Advanced TCP Protection**.
+3. Depending on the rule you are creating, do one of the following:
+
+ - Under **SYN Flood Protection**, select **Create SYN flood rule**.
+ - Under **Out-of-state TCP Protection**, select **Create out-of-state TCP rule**.
+
+4. In **Mode**, select a [mode](/ddos-protection/advanced-ddos-systems/concepts/#mode) for the rule.
+5. Under **Set scope**, select a [scope](/ddos-protection/advanced-ddos-systems/concepts/#scope) for the rule. If you choose to apply the rule to a subset of incoming packets, select a region or a data center.
+6. Under **Sensitivity**, define the [burst sensitivity](/ddos-protection/advanced-ddos-systems/concepts/#burst-sensitivity) and [rate sensitivity](/ddos-protection/advanced-ddos-systems/concepts/#rate-sensitivity) of the rule (by default, _Medium_). The sensitivity levels are based on the initially configured thresholds for your specific case.
+7. Select **Deploy**.
+
+
+
+## Create an Advanced DNS Protection rule
+
+1. Contact your account team to enable Advanced DNS Protection and make the initial configuration. The initial thresholds are based on your network’s individual behavior.
+2. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select your account.
+3. Go to **L3/4 DDoS** > **Advanced Protection** > **General settings**.
+4. Add the prefixes you wish to onboard. Advanced DNS Protection will only be applied to the prefixes you onboard. If you already onboarded the desired prefixes when you configured Advanced TCP Protection, you do not need to take any other action.
+ :::note
+
+ Currently, the list of onboarded prefixes is shared with Advanced TCP Protection. Any onboarded prefixes will be subject to both Advanced TCP Protection and Advanced DNS Protection, assuming that your account team has done the initial configuration of both systems. However, you can leave Advanced TCP Protection in monitoring mode.
+ :::
+5. Go to **Advanced DNS Protection**.
+6. Select **Create Advanced DNS Protection rule**.
+7. In **Mode**, select a mode for the rule.
+8. Under **Set scope**, select a [scope](/ddos-protection/advanced-ddos-systems/concepts/#scope) to determine the range of packets that will be affected by the rule.
+9. Under **Sensitivity**, define the [burst sensitivity](/ddos-protection/advanced-ddos-systems/concepts/#burst-sensitivity), [rate sensitivity](/ddos-protection/advanced-ddos-systems/concepts/#rate-sensitivity), and [profile sensitivity](/ddos-protection/advanced-ddos-systems/concepts/#profile-sensitivity) to determine when to initiate mitigation.
+10. Select **Deploy**.
\ No newline at end of file
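Review bot: In the "Create an Advanced DNS Protection rule" section, step 7 (`In **Mode**, select a mode for the rule.`) has no link, unlike step 4 of the TCP procedure, and the `#mode` section in concepts.mdx describes only Advanced TCP Protection rules; suggest linking it and confirming the same modes apply to DNS rules. The DNS section also has no lead-in sentence before the numbered list, and its login link uses `https://dash.cloudflare.com/login` while the TCP procedure uses `https://dash.cloudflare.com`.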
diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/exclude-prefix.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/exclude-prefix.mdx
new file mode 100644
index 00000000000000..0800eea999fd94
--- /dev/null
+++ b/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/exclude-prefix.mdx
@@ -0,0 +1,20 @@
+---
+title: Exclude a prefix
+pcx_content_type: how-to
+sidebar:
+ order: 5
+
+---
+
+To exclude a prefix or a prefix subset from Advanced DDoS Protection:
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account.
+2. Go to **L3/4 DDoS** > **Advanced Protection**.
+3. [Add the prefix](/ddos-protection/advanced-ddos-systems/how-to/add-prefix/) you previously onboarded to Magic Transit to Advanced TCP Protection.
+4. [Add the prefix](/ddos-protection/advanced-ddos-systems/how-to/add-prefix/) (or subset) you wish to exclude as a new, separate prefix in Advanced TCP Protection.
+5. For the prefix you added in the previous step, select **Exclude Subset** in the **Enrolled Prefixes** list.
+
+:::note
+
+Prefixes or subsets added as _Excluded_ will not be protected by Advanced TCP Protection.
+:::
\ No newline at end of file
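Review bot: The intro line says the procedure excludes a prefix from Advanced DDoS Protection, but steps 3 and 4 and the closing note refer only to Advanced TCP Protection. Since the create-rule page in this patch states that the list of onboarded prefixes is shared with Advanced DNS Protection, the note should say whether an _Excluded_ prefix also loses Advanced DNS Protection coverage. The front matter also has no `head` title, unlike the other how-to pages in this patch.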
diff --git a/src/content/docs/ddos-protection/tcp-protection/how-to/index.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/index.mdx
similarity index 79%
rename from src/content/docs/ddos-protection/tcp-protection/how-to/index.mdx
rename to src/content/docs/ddos-protection/advanced-ddos-systems/how-to/index.mdx
index 1aae405d9758c3..6b52c8214c29bc 100644
--- a/src/content/docs/ddos-protection/tcp-protection/how-to/index.mdx
+++ b/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/index.mdx
@@ -2,7 +2,9 @@
title: How to
pcx_content_type: navigation
sidebar:
- order: 4
+ order: 3
+ group:
+ hideIndex: true
head:
- tag: title
content: How-to guides
@@ -12,4 +14,4 @@ description: How-to guides for configuring Advanced TCP Protection.
import { DirectoryListing } from "~/components"
-
+
\ No newline at end of file
diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/index.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/index.mdx
new file mode 100644
index 00000000000000..168a861df4bc60
--- /dev/null
+++ b/src/content/docs/ddos-protection/advanced-ddos-systems/index.mdx
@@ -0,0 +1,10 @@
+---
+title: Advanced DDoS systems
+pcx_content_type: overview
+sidebar:
+ group:
+ hideIndex: true
+ order: 6
+
+
+---
diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection.mdx
new file mode 100644
index 00000000000000..7eca38bba9ebaa
--- /dev/null
+++ b/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection.mdx
@@ -0,0 +1,58 @@
+---
+title: Advanced DNS Protection
+pcx_content_type: concept
+sidebar:
+ order: 3
+head:
+ - tag: title
+ content: Cloudflare Advanced DNS Protection
+
+---
+
+Cloudflare's Advanced DNS Protection, powered by [`flowtrackd`](https://blog.cloudflare.com/announcing-flowtrackd/), provides stateful protection against DNS-based DDoS attacks, specifically sophisticated and fully randomized DNS attacks such as [random prefix attacks](/dns/dns-firewall/random-prefix-attacks/about/).
+
+## How it works
+
+Cloudflare's Advanced DNS Protection works by first learning your traffic patterns and forming a baseline of the type of DNS queries you normally receive. Later, the system will be able to distinguish between legitimate and malicious queries, protecting your DNS infrastructure without impacting legitimate traffic.
+
+Currently, the protection system only analyzes DNS over UDP (it does not include DNS over TCP).
+
+The [Network Analytics dashboard](/analytics/network-analytics/) will display system-specific analytics for Advanced DNS Protection in the **DNS protection** tab, including the queried domains and record types.
+
+---
+
+## Setup
+
+[Create a rule](/ddos-protection/advanced-ddos-systems/how-to/create-rule/#create-an-advanced-dns-protection-rule) to enable Advanced DNS Protection.
+
+
+---
+
+## Data collection
+
+Cloudflare collects DNS-related data such as query type (for example, `A` record) and the queried domains. For details, refer to [Data collection](/analytics/network-analytics/reference/data-collection/).
+
+:::caution
+
+Currently, to disable this data collection you must remove your prefixes either in the Cloudflare dashboard or through the [Delete a prefix](/ddos-protection/advanced-ddos-systems/api/tcp-protection/#prefix-operations) API operation. However, this procedure will remove the prefixes from both Advanced DNS Protection and [Advanced TCP Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/).
+:::
+
+---
+
+## Troubleshooting
+
+### No data about Advanced DNS Protection in Network Analytics
+
+If you cannot find any data related to Advanced DNS Protection in the **DNS Protection** tab of Network Analytics, it could be because one of these reasons:
+
+- You did not [add your prefixes](/ddos-protection/advanced-ddos-systems/how-to/add-prefix/) to Advanced L3/4 DDoS Protection.
+- Cloudflare did not enable the Advanced DNS Protection system yet.
+- You do not have any DNS over UDP traffic.
+
+---
+
+## Related products
+
+Advanced DNS Protection can protect you against volumetric DNS DDoS attacks. To perform DNS caching, proxying, and configuration, use the [Cloudflare DNS Firewall](/dns/dns-firewall/).
+
+Currently, Advanced DNS Protection is not available for DNS Firewall.
\ No newline at end of file
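Review bot: In the Troubleshooting section, "it could be because one of these reasons" is missing a word; suggest "it could be for one of these reasons". The tab name is written **DNS protection** under How it works and **DNS Protection** under Troubleshooting, so pick the casing the dashboard uses and apply it in both places. The Setup section has two consecutive blank lines before its `---`, and the file ends without a trailing newline.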
diff --git a/src/content/docs/ddos-protection/tcp-protection/index.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection.mdx
similarity index 51%
rename from src/content/docs/ddos-protection/tcp-protection/index.mdx
rename to src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection.mdx
index a8351a13c3db1c..e1658f36bc8cd3 100644
--- a/src/content/docs/ddos-protection/tcp-protection/index.mdx
+++ b/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection.mdx
@@ -2,14 +2,16 @@
title: Advanced TCP Protection
pcx_content_type: concept
sidebar:
- order: 6
+ order: 2
head:
- tag: title
content: Cloudflare Advanced TCP Protection
---
-Cloudflare Advanced TCP Protection, powered by [`flowtrackd`](https://blog.cloudflare.com/announcing-flowtrackd/), is a stateful TCP inspection engine used to detect and mitigate sophisticated out-of-state TCP attacks such as randomized and spoofed ACK floods or SYN and SYN-ACK floods.
+Cloudflare's Advanced TCP Protection, powered by [`flowtrackd`](https://blog.cloudflare.com/announcing-flowtrackd/), is a stateful TCP inspection engine used to detect and mitigate sophisticated out-of-state TCP attacks such as randomized and spoofed ACK floods or SYN and SYN-ACK floods.
+
+## How it works
Advanced TCP Protection can simultaneously protect against different kinds of attacks:
@@ -18,35 +20,31 @@ Advanced TCP Protection can simultaneously protect against different kinds of at
Advanced TCP Protection can track TCP connections even when they move between Cloudflare data centers.
-## Availability
-
-Advanced TCP Protection is available to all [Magic Transit](/magic-transit/) customers, and is disabled by default. Protection for simpler TCP-based DDoS attacks is also included as part of the [Network-layer DDoS Attack Protection managed ruleset](/ddos-protection/managed-rulesets/network/).
-
-## Get started
-
-To get started with Advanced TCP Protection, refer to [Setup](/ddos-protection/tcp-protection/setup/).
-
----
+The feature offers two types of protection:
-Advanced TCP Protection offers two types of protection:
-
-- [SYN Flood Protection](#syn-flood-protection): Protects against attacks such as fully randomized SYN and SYN-ACK floods.
-- [Out-of-state TCP Protection](#out-of-state-tcp-protection): Protects against out-of-state TCP DDoS attacks such as fully randomized ACK floods and RST floods.
+- [SYN Flood Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/#syn-flood-protection): Protects against attacks such as fully randomized SYN and SYN-ACK floods.
+- [Out-of-state TCP Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/#out-of-state-tcp-protection): Protects against out-of-state TCP DDoS attacks such as fully randomized ACK floods and RST floods.
Each protection type is configured independently using rules and (optionally) filters. You should configure at least one rule for each type of protection before enabling Advanced TCP Protection.
-## SYN Flood Protection
+### SYN Flood Protection
This system protects against attacks such as fully randomized SYN and SYN-ACK floods. You should configure at least one SYN flood rule before enabling Advanced TCP Protection.
-In mitigation mode, SYN flood rules will challenge new connection initiation requests (SYN, SYN-ACK) if they exceed the configured packet-per-second thresholds. The threshold should be higher than the normal rate of legitimate SYN and SYN-ACK packets that your network receives. Packets below the threshold will not be challenged. Using the [rate sensitivity](/ddos-protection/tcp-protection/rule-settings/#rate-sensitivity) and [burst sensitivity](/ddos-protection/tcp-protection/rule-settings/#burst-sensitivity) settings you can increase or decrease the tolerance of SYN and SYN-ACK packets.
+In mitigation mode, SYN flood rules will challenge new connection initiation requests (SYN, SYN-ACK) if they exceed the configured packet-per-second thresholds. The threshold should be higher than the normal rate of legitimate SYN and SYN-ACK packets that your network receives. Packets below the threshold will not be challenged. Using the [rate sensitivity](/ddos-protection/advanced-ddos-systems/concepts/#rate-sensitivity) and [burst sensitivity](/ddos-protection/advanced-ddos-systems/concepts/#burst-sensitivity) settings you can increase or decrease the tolerance of SYN and SYN-ACK packets.
-For more information on the configuration settings of SYN flood rules, refer to [Rule settings](/ddos-protection/tcp-protection/rule-settings/).
+For more information on the configuration settings of SYN flood rules, refer to [Rule settings](/ddos-protection/advanced-ddos-systems/concepts/#rule-settings).
-## Out-of-state TCP Protection
+### Out-of-state TCP Protection
This system protects against out-of-state TCP DDoS attacks such as fully randomized ACK floods and RST floods. You should configure one out-of-state TCP rule before enabling Advanced TCP Protection.
-In mitigation mode, out-of-state TCP rules will drop out-of-state packets that do not belong to existing (and tracked) TCP connections if their rates exceed the configured thresholds. The threshold should be higher than the normal rate of non SYN or SYN-ACK TCP packets that your network receives. Packets below the threshold will not be evaluated. Using the [rate sensitivity](/ddos-protection/tcp-protection/rule-settings/#rate-sensitivity) and [burst sensitivity](/ddos-protection/tcp-protection/rule-settings/#burst-sensitivity) settings you can increase or decrease the tolerance of out-of-state TCP packets.
+In mitigation mode, out-of-state TCP rules will drop out-of-state packets that do not belong to existing (and tracked) TCP connections if their rates exceed the configured thresholds. The threshold should be higher than the normal rate of non SYN or SYN-ACK TCP packets that your network receives. Packets below the threshold will not be evaluated. Using the [rate sensitivity](/ddos-protection/advanced-ddos-systems/concepts/#rate-sensitivity) and [burst sensitivity](/ddos-protection/advanced-ddos-systems/concepts/#burst-sensitivity) settings you can increase or decrease the tolerance of out-of-state TCP packets.
+
+For more information on the configuration settings of out-of-state TCP rules, refer to [Rule settings](/ddos-protection/advanced-ddos-systems/concepts/#rule-settings).
+
+---
+
+## Setup
-For more information on the configuration settings of out-of-state TCP rules, refer to [Rule settings](/ddos-protection/tcp-protection/rule-settings/).
+[Create a global configuration](/ddos-protection/advanced-ddos-systems/overview/#rules) to set up SYN Flood and Out-of-state TCP rules and filters for Advanced TCP Protection.
\ No newline at end of file
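Review bot: The removed Availability section stated that Advanced TCP Protection "is disabled by default", and nothing added in this hunk carries that statement forward. Anyone planning a rollout needs to know the default state, so keep that sentence, for example under the new Setup heading. The Setup link text "Create a global configuration" points at the `#rules` anchor of the overview page; link text that matches the target heading, such as "Create rules", would be clearer. The Out-of-state section still says "configure one out-of-state TCP rule" while the SYN section says "at least one"; align the two while these lines are being moved.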
diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/overview/index.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/overview/index.mdx
new file mode 100644
index 00000000000000..ad30f7a3f41447
--- /dev/null
+++ b/src/content/docs/ddos-protection/advanced-ddos-systems/overview/index.mdx
@@ -0,0 +1,67 @@
+---
+title: Overview
+pcx_content_type: overview
+sidebar:
+ order: 1
+ label: General settings
+head:
+ - tag: title
+ content: Advanced DDoS Protection systems
+
+---
+
+import { GlossaryTooltip, Render } from "~/components"
+
+The Advanced DDoS Protection system includes [Advanced TCP Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/) and [Advanced DNS Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection/). Both systems are configured using the general settings, but also comprise of their own dedicated settings.
+
+Advanced DDoS Protection systems is available to [Magic Transit](/magic-transit/) customers.
+
+Protection for simpler TCP or DNS-based DDoS attacks is included as part of the [Network-layer DDoS Attack Protection managed ruleset](/ddos-protection/managed-rulesets/network/).
+
+## General settings
+
+General settings enable and control the use of the Advanced TCP Protection and the Advanced DNS Protection systems, and are composed of thresholds, prefixes, rules, and enablement.
+
+### Thresholds
+
+Thresholds are based on your network's unique traffic and are configured by Cloudflare. The sensitivity levels manipulate the thresholds.
+
+When you get access to Advanced DDoS Protection systems, there are no configured thresholds in your account.
+
+Thresholds are based on your network's individual behavior, derived from your traffic profile as monitored by Cloudflare. Defining the thresholds will effectively determine what the _High_, _Medium_, and _Low_ [sensitivities](/ddos-protection/advanced-ddos-systems/concepts/#burst-sensitivity) will be for your specific case.
+
+Ask your Implementation Manager to configure initial threshold values. Separate thresholds need to be configured for Advanced TCP Protection and Advanced DNS Protection.
+
+Once thresholds are configured, the Implementation Manager will let you know that Advanced DDoS Protection systems have been initialized and can be configured and enabled.
+
+### Prefixes
+
+The prefixes that you have [onboarded](/magic-transit/how-to/advertise-prefixes/) to and approved by Cloudflare instruct the system on which traffic to route through the system.
+
+[Add the prefixes](/ddos-protection/advanced-ddos-systems/how-to/add-prefix/) you would like to use with Advanced TCP and DNS Protection. You will be able to register prefixes that you previously [onboarded to Magic Transit](/magic-transit/how-to/advertise-prefixes/) or a subset of these prefixes.
+
+You cannot add unapproved prefixes to Advanced DDoS Protection systems. Contact your account team to get help with prefix approvals.
+
+### Rules
+
+[Create a rule](/ddos-protection/advanced-ddos-systems/how-to/create-rule/) for Advanced TCP and Advanced DNS Protection (as needed) to enable mitigation.
+
+You can create a rule for SYN Flood Protection and another rule for Out-of-state TCP Protection, both with global scope and in monitoring mode. These rules will apply to all received packets.
+
+Optionally, you can create [filters](/ddos-protection/advanced-ddos-systems/concepts/#filter) for each protection system component (SYN flood protection and out-of-state TCP protection).
+
+### Prefixes
+
+Optionally, you can [add prefixes to the allowlist](/ddos-protection/advanced-ddos-systems/how-to/add-prefix-allowlist/) if your traffic should bypass Advanced DDoS Protection rules.
+
+The allowlist only applies to source IPs — it does not apply to your own IPs or prefixes. You can also [exclude a subset of an onboarded prefix](/ddos-protection/advanced-ddos-systems/how-to/exclude-prefix/) from Advanced TCP Protection.
+
+Refer to [Concepts](/ddos-protection/advanced-ddos-systems/concepts/) for more information.
+
+### Enablement
+
+Enable the Advanced DDoS system and begin routing traffic through it.
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account.
+2. Go to **L3/4 DDoS** > **Advanced Protection** > **General settings**.
+3. Under **General settings**, toggle the feature status **On**.
\ No newline at end of file
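Review bot: There are two `### Prefixes` headings under General settings; the second one covers the allowlist and prefix exclusion, so it produces a duplicate heading anchor and reads as a repeat. Rename it, for example to `### Allowlist`, and add it to the "thresholds, prefixes, rules, and enablement" list in the section intro if it is meant to be a general setting. The Rules section says a rule is created "to enable mitigation" and then describes rules created in monitoring mode; say when the reader should switch from monitoring to mitigation. Wording: "but also comprise of their own dedicated settings" should be "but each also has its own dedicated settings", "Advanced DDoS Protection systems is available" needs "are", and the first and third Thresholds paragraphs both open with "Thresholds are based on your network's ..." and can be merged.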
diff --git a/src/content/docs/ddos-protection/dns-protection/index.mdx b/src/content/docs/ddos-protection/dns-protection/index.mdx
deleted file mode 100644
index d767a3656bb482..00000000000000
--- a/src/content/docs/ddos-protection/dns-protection/index.mdx
+++ /dev/null
@@ -1,74 +0,0 @@
----
-title: Advanced DNS Protection
-pcx_content_type: concept
-sidebar:
- order: 7
-head:
- - tag: title
- content: Cloudflare Advanced DNS Protection
-
----
-
-Cloudflare Advanced DNS Protection, powered by [`flowtrackd`](https://blog.cloudflare.com/announcing-flowtrackd/), provides stateful protection against DNS-based DDoS attacks, specifically sophisticated and fully randomized DNS attacks such as [random prefix attacks](/dns/dns-firewall/random-prefix-attacks/about/).
-
-## How it works
-
-Cloudflare's Advanced DNS Protection works by first learning your traffic patterns and forming a baseline of the type of DNS queries you normally receive. Later, the system will be able to distinguish between legitimate and malicious queries, protecting your DNS infrastructure without impacting legitimate traffic.
-
-Currently, the protection system only analyzes DNS over UDP (it does not include DNS over TCP).
-
-The [Network Analytics dashboard](/analytics/network-analytics/) will display system-specific analytics for Advanced DNS Protection in the **DNS protection** tab, including the queried domains and record types.
-
-## Availability
-
-Advanced DNS Protection is currently available to [Magic Transit](/magic-transit/) customers.
-
-Protection for simpler DNS-based DDoS attacks is also included as part of the [Network-layer DDoS Attack Protection managed ruleset](/ddos-protection/managed-rulesets/network/).
-
-## Setup
-
-1. Contact your account team to enable Advanced DNS Protection and make the initial configuration. The initial thresholds are based on your network’s individual behavior.
-2. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select your account.
-3. Go to **L3/4 DDoS** > **Advanced Protection** > **General settings**.
-4. Add the prefixes you wish to onboard. Advanced DNS Protection will only be applied to the prefixes you onboard. If you already onboarded the desired prefixes when you configured Advanced TCP Protection, you do not need to take any other action.
-:::note
-
-Currently, the list of onboarded prefixes is shared with Advanced TCP Protection. Any onboarded prefixes will be subject to both Advanced TCP Protection and Advanced DNS Protection, assuming that your account team has done the initial configuration of both systems. However, you can leave Advanced TCP Protection in monitoring mode.
-:::
-5. Go to **Advanced DNS Protection**.
-6. Select **Create Advanced DNS Protection rule**.
-7. In **Mode**, select a mode for the rule.
-8. Under **Set scope**, select a [scope](/ddos-protection/tcp-protection/rule-settings/#scope) to determine the range of packets that will be affected by the rule.
-9. Under **Sensitivity**, define the [burst sensitivity](/ddos-protection/tcp-protection/rule-settings/#burst-sensitivity), [rate sensitivity](/ddos-protection/tcp-protection/rule-settings/#rate-sensitivity), and [profile sensitivity](/ddos-protection/tcp-protection/rule-settings/#profile-sensitivity) to determine when to initiate mitigation.
-10. Select **Deploy**.
-
----
-
-## Troubleshooting
-
-### No data about Advanced DNS Protection in Network Analytics
-
-If you cannot find any data related to Advanced DNS Protection in the **DNS Protection** tab of Network Analytics, it could be because one of these reasons:
-
-- You did not [add your prefixes](/ddos-protection/tcp-protection/how-to/add-prefix/) to Advanced L3/4 DDoS Protection.
-- Cloudflare did not enable the Advanced DNS Protection system yet.
-- You do not have any DNS over UDP traffic.
-
----
-
-## Data collection
-
-Cloudflare collects DNS-related data such as query type (for example, `A` record) and the queried domains. For details, refer to [Data collection](/analytics/network-analytics/reference/data-collection/).
-
-:::caution
-
-Currently, to disable this data collection you must remove your prefixes either in the Cloudflare dashboard or through the [Delete a prefix](/ddos-protection/tcp-protection/api/#prefix-operations) API operation. However, this procedure will remove the prefixes from both Advanced DNS Protection and [Advanced TCP Protection](/ddos-protection/tcp-protection/).
-:::
-
----
-
-## Related products
-
-Advanced DNS Protection can protect you against volumetric DNS DDoS attacks. To perform DNS caching, proxying, and configuration, use the [Cloudflare DNS Firewall](/dns/dns-firewall/).
-
-Currently, Advanced DNS Protection is not available for DNS Firewall.
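Review bot: The deleted Setup steps included a note that the onboarded prefix list is shared with Advanced TCP Protection, that onboarded prefixes become subject to both systems, and that Advanced TCP Protection can be left in monitoring mode. The replacement advanced-dns-protection.mdx in this diff only links to "Create a rule" under Setup, so confirm that this guidance now lives in the add-prefix or create-rule how-to. Otherwise customers enabling DNS protection are no longer told that TCP rules apply to the same prefixes.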
diff --git a/src/content/docs/ddos-protection/index.mdx b/src/content/docs/ddos-protection/index.mdx
index bda28b4cb7fc3b..d1ddf3ef302e06 100644
--- a/src/content/docs/ddos-protection/index.mdx
+++ b/src/content/docs/ddos-protection/index.mdx
@@ -34,12 +34,12 @@ Protect against a variety of DDoS attacks across layers 3/4 (network layer) and
Get increased protection against sophisticated DDoS attacks on layer 7 and layers 3/4.
-
-Detect and mitigate sophisticated out-of-state TCP attacks such as randomized and spoofed ACK floods, or SYN and SYN-ACK floods.
+
+Detect and mitigate sophisticated out-of-state TCP attacks such as randomized and spoofed ACK floods, or SYN and SYN-ACK floods.
-
-Protect against DNS-based DDoS attacks, specifically sophisticated and fully randomized DNS attacks such as random prefix attacks.
+
+Protect against DNS-based DDoS attacks, specifically sophisticated and fully randomized DNS attacks such as random prefix attacks.
---
diff --git a/src/content/docs/ddos-protection/managed-rulesets/network/index.mdx b/src/content/docs/ddos-protection/managed-rulesets/network/index.mdx
index 141853a417cfbb..28a671ae978017 100644
--- a/src/content/docs/ddos-protection/managed-rulesets/network/index.mdx
+++ b/src/content/docs/ddos-protection/managed-rulesets/network/index.mdx
@@ -49,7 +49,7 @@ However, only Magic Transit and Spectrum customers on an Enterprise plan can cus
Magic Transit customers can configure the following additional products:
-- Enable [Advanced TCP Protection](/ddos-protection/tcp-protection/) to detect and mitigate sophisticated out-of-state TCP attacks such as randomized and spoofed ACK floods or SYN and SYN-ACK floods.
+- Enable [Advanced TCP Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/) to detect and mitigate sophisticated out-of-state TCP attacks such as randomized and spoofed ACK floods or SYN and SYN-ACK floods.
- Create custom [Magic Firewall](/magic-firewall/) rules to block additional network-layer attacks.
Spectrum customers can use [IP Access](/waf/tools/ip-access-rules/) rules to block additional network-layer attacks.
diff --git a/src/content/docs/ddos-protection/reference/alerts.mdx b/src/content/docs/ddos-protection/reference/alerts.mdx
index a6f9996c88e24b..788c5c8bfe78bb 100644
--- a/src/content/docs/ddos-protection/reference/alerts.mdx
+++ b/src/content/docs/ddos-protection/reference/alerts.mdx
@@ -90,6 +90,6 @@ To investigate a possibly ongoing attack, select **View Dashboard**. To go to th
- Spectrum and Magic Transit customers using [assigned Cloudflare IP addresses](/magic-transit/cloudflare-ips/) will receive layer 3/4 DDoS attack alerts where the attacked target is the Cloudflare IP or prefix. If you have [brought your own IP (BYOIP)](/byoip/) to Cloudflare Spectrum or Magic Transit, you will see your own IP addresses or prefixes as the attacked target.
- In some cases, HTTP DDoS attack alerts will reference the attacked zone name instead of the attacked hostname. This occurs when the attack signature does not include information on the attacked hostname because it is not a strong indicator for identifying attack requests. For more information on attack signatures, refer to [How DDoS protection works](/ddos-protection/about/how-ddos-protection-works/).
-- DDoS alerts are currently only available for DDoS attacks detected and mitigated by the [DDoS managed rulesets](/ddos-protection/managed-rulesets/). Alerts are not yet available for DDoS attacks detected and mitigated by the [Advanced TCP Protection](/ddos-protection/tcp-protection/) and the [Advanced DNS Protection](/ddos-protection/dns-protection/) system.
+- DDoS alerts are currently only available for DDoS attacks detected and mitigated by the [DDoS managed rulesets](/ddos-protection/managed-rulesets/). Alerts are not yet available for DDoS attacks detected and mitigated by the [Advanced TCP Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/) and the [Advanced DNS Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection/) system.
- You will not receive duplicate DDoS alerts within the same one-hour time frame.
- If you configure more than one alert type for the same kind of attack (for example, both an HTTP DDoS Attack Alert and an Advanced HTTP DDoS Attack Alert) you may get more than one notification when an attack occurs. To avoid receiving duplicate notifications, delete one of the configured alerts.
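Review bot: In the updated bullet, "the [Advanced TCP Protection] and the [Advanced DNS Protection] system" names two systems with a singular noun; change it to "systems" while this line is being touched.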
diff --git a/src/content/docs/ddos-protection/tcp-protection/api/index.mdx b/src/content/docs/ddos-protection/tcp-protection/api/index.mdx
deleted file mode 100644
index 360e819d2afff8..00000000000000
--- a/src/content/docs/ddos-protection/tcp-protection/api/index.mdx
+++ /dev/null
@@ -1,140 +0,0 @@
----
-type: overview
-pcx_content_type: reference
-title: API configuration
-sidebar:
- order: 5
-head:
- - tag: title
- content: Configuring Advanced TCP Protection via API
-
----
-
-You can configure Advanced TCP Protection using the Advanced TCP Protection API.
-
-The Advanced TCP Protection API only supports [API token authentication](/fundamentals/api/get-started/create-token/).
-
-For examples of API calls, refer to [Common API calls](/ddos-protection/tcp-protection/api/examples/).
-
-## Endpoints
-
-To obtain the complete endpoint, append the Advanced TCP Protection API endpoints listed below to the Cloudflare API base URL.
-
-The Cloudflare API base URL is:
-
-```txt
-https://api.cloudflare.com/client/v4
-```
-
-The `{account_id}` argument is the account ID (a hexadecimal string). You can find this value in the Cloudflare dashboard.
-
-The tables in the following sections summarize the available operations.
-
-### General operations
-
-
-
-| Operation | Method and endpoint / Description |
-| ------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| Get Advanced TCP
Protection status | `GET accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_protection_status`
Gets the global Advanced TCP Protection status (enabled or disabled). |
-| Update Advanced
TCP Protection status | `PATCH accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_protection_status`
Enables or disables Advanced TCP Protection. |
-
-
-
-### Prefix operations
-
-
-
-| Operation | Method and endpoint / Description |
-| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| List prefixes | `GET accounts/{account_id}/magic/advanced_tcp_protection/configs/prefixes`
Fetches all Advanced TCP Protection prefixes in the account. |
-| Add prefixes in bulk | `POST accounts/{account_id}/magic/advanced_tcp_protection/configs/prefixes/bulk`
Adds prefixes in bulk to the account (up to 300 prefixes per request). |
-| Get a prefix | `GET accounts/{account_id}/magic/advanced_tcp_protection/configs/prefixes/{prefix_id}`
Fetches the details of an existing prefix. |
-| Update a prefix | `PATCH accounts/{account_id}/magic/advanced_tcp_protection/configs/prefixes/{prefix_id}`
Updates an existing prefix. |
-| Delete a prefix | `DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/prefixes/{prefix_id}`
Deletes an existing prefix. |
-| Delete all prefixes | `DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/prefixes`
Deletes all existing prefixes from the account. |
-
-
-
-### Allowlist operations
-
-
-
-| Operation | Method and endpoint / Description |
-| ------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| List allowlisted prefixes | `GET accounts/{account_id}/magic/advanced_tcp_protection/configs/allowlist`
Fetches all prefixes in the account allowlist. |
-| Add an allowlisted prefix | `POST accounts/{account_id}/magic/advanced_tcp_protection/configs/allowlist`
Adds a prefix to the allowlist. |
-| Get an allowlisted prefix | `GET accounts/{account_id}/magic/advanced_tcp_protection/configs/allowlist/{allowlist_id}`
Fetches the details of an existing prefix in the allowlist. |
-| Update an allowlisted prefix | `PATCH accounts/{account_id}/magic/advanced_tcp_protection/configs/allowlist/{allowlist_id}`
Updates an existing prefix in the allowlist. |
-| Delete an allowlisted prefix | `DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/allowlist/{allowlist_id}`
Deletes an existing prefix from the allowlist. |
-| Delete all allowlisted prefixes | `DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/allowlist`
Deletes all existing prefixes from the allowlist. |
-
-
-
-### SYN Flood Protection operations
-
-#### Rules
-
-
-
-| Operation | Method and endpoint / Description |
-| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| List SYN flood rules | `GET accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/rules`
Fetches all SYN flood rules in the account. |
-| Add a SYN flood rule | `POST accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/rules`
Adds a SYN flood rule to the account. |
-| Get a SYN flood rule | `GET accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/rules/{rule_id}`
Fetches the details of an existing SYN flood rule in the account. |
-| Update a SYN flood rule | `PATCH accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/rules/{rule_id}`
Updates an existing SYN flood rule in the account. |
-| Delete a SYN flood rule | `DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/rules/{rule_id}`
Deletes an existing SYN flood rule from the account. |
-| Delete all SYN flood rules | `DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/rules`
Deletes all existing SYN flood rules from the account. |
-
-
-
-#### Filters
-
-
-
-| Operation | Method and endpoint / Description |
-| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| List SYN flood filters | `GET accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/filters`
Fetches all SYN flood filters in the account. |
-| Add a SYN flood filter | `POST accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/filters`
Adds a SYN flood filter to the account. |
-| Get a SYN flood filter | `GET accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/filters/{filter_id}`
Fetches the details of an existing SYN flood filter in the account. |
-| Update a SYN flood filter | `PATCH accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/filters/{filter_id}`
Updates an existing SYN flood filter in the account. |
-| Delete a SYN flood filter | `DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/filters/{filter_id}`
Deletes an existing SYN flood filter from the account. |
-| Delete all SYN flood filters | `DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/filters`
Deletes all existing SYN flood filters from the account. |
-
-
-
-### Out-of-state TCP Protection operations
-
-#### Rules
-
-
-
-| Operation | Method and endpoint / Description |
-| --------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| List out-of-state TCP rules | `GET accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/rules`
Fetches all out-of-state TCP rules in the account. |
-| Add an out-of-state TCP rule | `POST accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/rules`
Adds an out-of-state TCP rule to the account. |
-| Get an out-of-state TCP rule | `GET accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/rules/{rule_id}`
Fetches the details of an existing out-of-state TCP rule in the account. |
-| Update an out-of-state TCP rule | `PATCH accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/rules/{rule_id}`
Updates an existing out-of-state TCP rule in the account. |
-| Delete an out-of-state TCP rule | `DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/rules/{rule_id}`
Deletes an existing out-of-state TCP rule from the account. |
-| Delete all out-of-state TCP rules | `DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/rules`
Deletes all existing out-of-state TCP rules from the account. |
-
-
-
-#### Filters
-
-
-
-| Operation | Method and endpoint / Description |
-| ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| List out-of-state TCP filters | `GET accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/filters`
Fetches all out-of-state TCP filters in the account. |
-| Add an out-of-state TCP filter | `POST accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/filters`
Adds an out-of-state TCP filter to the account. |
-| Get an out-of-state TCP filter | `GET accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/filters/{filter_id}`
Fetches the details of an existing out-of-state TCP filter in the account. |
-| Update an out-of-state TCP filter | `PATCH accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/filters/{filter_id}`
Updates an existing out-of-state TCP filter in the account. |
-| Delete an out-of-state TCP filter | `DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/filters/{filter_id}`
Deletes an existing out-of-state TCP filter from the account. |
-| Delete all out-of-state TCP filters | `DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/filters`
Deletes all existing out-of-state TCP filters from the account. |
-
-
-
-## Pagination
-
-The API operations that return a list of items use pagination. For more information on the available pagination query parameters, refer to [Pagination](/fundamentals/api/how-to/make-api-calls/#pagination).
diff --git a/src/content/docs/ddos-protection/tcp-protection/concepts.mdx b/src/content/docs/ddos-protection/tcp-protection/concepts.mdx
deleted file mode 100644
index 8cba234969d1f4..00000000000000
--- a/src/content/docs/ddos-protection/tcp-protection/concepts.mdx
+++ /dev/null
@@ -1,74 +0,0 @@
----
-title: Concepts
-pcx_content_type: concept
-sidebar:
- order: 4
-head:
- - tag: title
- content: Create an Advanced TCP Protection filter
-
----
-
-import { GlossaryTooltip, Render } from "~/components"
-
-## Prefixes
-
-Advanced TCP Protection protects the IP prefixes you select from sophisticated TCP attacks. A prefix can be an IP address or an IP range in CIDR format. You must add prefixes to Advanced TCP Protection so that Cloudflare can analyze incoming packets and offer protection against sophisticated TCP DDoS attacks.
-
-Prefixes added to Advanced TCP Protection must be one of the following:
-
-- A prefix [onboarded to Magic Transit](/magic-transit/how-to/advertise-prefixes/).
-- A subset of a prefix [onboarded to Magic Transit](/magic-transit/how-to/advertise-prefixes/).
-
-You cannot add a prefix (or a subset of a prefix) that you have not onboarded to Magic Transit or whose status is still -Unapproved-. Contact your account team to get help with prefix approvals.
-
-## Allowlist
-
-The Advanced TCP Protection allowlist is a list of prefixes that will bypass all configured Advanced TCP Protection rules.
-
-For example, you could add prefixes used only by partners of your company to the allowlist so that they are exempt from packet inspection and mitigation actions performed by Advanced TCP Protection.
-
-
-
-## Rule
-
-A rule configures Advanced TCP Protection for a given [scope](/ddos-protection/tcp-protection/rule-settings/#scope), according to several [settings](/ddos-protection/tcp-protection/rule-settings/): execution mode, burst sensitivity, and rate sensitivity.
-
-Each system component (SYN flood protection and out-of-state TCP protection) has its own list of rules, and it should have at least one rule.
-
-## Filter
-
- The filter expression can reference source and destination IP addresses and ports. Each system component (SYN flood protection and out-of-state TCP protection) should have one or more [rules](#rule), but filters are optional.
-
-Each Advanced TCP Protection system component has its own filters. You can configure a filter for each execution mode:
-
-- **Mitigation Filter**: The system will drop packets matching the filter expression.
-- **Monitoring Filter**: The system will log packets matching the filter expression.
-- **Off Filter**: The system will ignore packets matching the filter expression.
-
-When there is a match, a filter will alter the execution mode for all configured rules in a given system component (SYN flood protection or out-of-state TCP protection), including disabled rules.
-
-For instructions on creating filters in the Cloudflare dashboard, refer to [Create a filter](/ddos-protection/tcp-protection/how-to/create-filter/). For API examples, refer to [Common API calls](/ddos-protection/tcp-protection/api/examples/).
-
-### Example use case
-
-You can create a monitor filter for a new prefix that you are onboarding by using the expression to match against the prefix.
-
-Your already onboarded prefixes can remain protected with one or more configured rules in mitigation mode.
-
-When onboarding a new prefix, you would configure a monitoring filter for this prefix and then add it to Advanced TCP Protection.
-
----
-
-## Determining the execution mode
-
-When you have both rules and filters configured, the execution mode is determined according to the following:
-
-1. If there is a match for one of the configured filters, use the filter's execution mode. The filter evaluation order is based on their mode, in the following order:
- 1. Mitigation filter (filter with `enabled` mode)
- 2. Monitoring filter (filter with `monitoring` mode)
- 3. Off filter (filter with `disabled` mode)
-
-2. If no filter matched, use the execution mode determined by existing rules.
-
-3. If no rules match, disable Advanced TCP Protection.
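Review bot: the front matter of this removed page sets `title: Concepts` while its `head` title content is "Create an Advanced TCP Protection filter", which looks copied from the filter how-to. Check that the relocated concepts page does not inherit that mismatch. In "Determining the execution mode", step 3 ("If no rules match, disable Advanced TCP Protection") can be read as turning the feature off account-wide. If the text is carried over, reword it to say what happens to the packets that match no filter and no rule.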
diff --git a/src/content/docs/ddos-protection/tcp-protection/how-to/create-rule.mdx b/src/content/docs/ddos-protection/tcp-protection/how-to/create-rule.mdx
deleted file mode 100644
index b82b41e0f10f03..00000000000000
--- a/src/content/docs/ddos-protection/tcp-protection/how-to/create-rule.mdx
+++ /dev/null
@@ -1,26 +0,0 @@
----
-title: Create a rule
-pcx_content_type: how-to
-sidebar:
- order: 4
-head:
- - tag: title
- content: Create an Advanced TCP Protection rule
-
----
-
-import { Render } from "~/components"
-
-To create a [SYN flood rule](/ddos-protection/tcp-protection/#syn-flood-protection) or an [out-of-state TCP](/ddos-protection/tcp-protection/#out-of-state-tcp-protection) rule:
-
-1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account.
-2. Go to **L3/4 DDoS** > **Advanced Protection** > **Advanced TCP Protection**.
-3. Depending on the rule you are creating, do one of the following:
- - Under **SYN Flood Protection**, select **Create SYN flood rule**.
- - Under **Out-of-state TCP Protection**, select **Create out-of-state TCP rule**.
-4. In **Mode**, select a [mode](/ddos-protection/tcp-protection/rule-settings/#mode) for the rule.
-5. Under **Set scope**, select a [scope](/ddos-protection/tcp-protection/rule-settings/#scope) for the rule. If you choose to apply the rule to a subset of incoming packets, select a region or a data center.
-6. Under **Sensitivity**, define the [burst sensitivity](/ddos-protection/tcp-protection/rule-settings/#burst-sensitivity) and [rate sensitivity](/ddos-protection/tcp-protection/rule-settings/#rate-sensitivity) of the rule (by default, _Medium_). The sensitivity levels are based on the initially configured thresholds for your specific case.
-7. Select **Deploy**.
-
-
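Review bot: step 2 gives the dashboard path as `**L3/4 DDoS** > **Advanced Protection** > **Advanced TCP Protection**`, but exclude-prefix.mdx and setup.mdx in this same patch use `Account Home > **L3/4 DDoS** > **Advanced TCP Protection**`. Pick one path when the content moves, so the relocated how-to pages agree with each other.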
diff --git a/src/content/docs/ddos-protection/tcp-protection/how-to/exclude-prefix.mdx b/src/content/docs/ddos-protection/tcp-protection/how-to/exclude-prefix.mdx
deleted file mode 100644
index cb51d0dd86c5cc..00000000000000
--- a/src/content/docs/ddos-protection/tcp-protection/how-to/exclude-prefix.mdx
+++ /dev/null
@@ -1,20 +0,0 @@
----
-title: Exclude a prefix
-pcx_content_type: how-to
-sidebar:
- order: 6
-
----
-
-To exclude a prefix or a prefix subset from Advanced TCP Protection:
-
-1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account.
-2. Go to Account Home > **L3/4 DDoS** > **Advanced TCP Protection**.
-3. [Add the prefix](/ddos-protection/tcp-protection/how-to/add-prefix/) you previously onboarded to Magic Transit to Advanced TCP Protection.
-4. [Add the prefix](/ddos-protection/tcp-protection/how-to/add-prefix/) (or subset) you wish to exclude as a new, separate prefix in Advanced TCP Protection.
-5. For the prefix you added in the previous step, select **Exclude Subset** in the **Enrolled Prefixes** list.
-
-:::note
-
-Prefixes or subsets added as _Excluded_ will not be protected by Advanced TCP Protection.
-:::
\ No newline at end of file
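Review bot: the only statement that an excluded prefix loses protection is the `:::note` after step 5. In the relocated page, consider moving that sentence above the numbered steps, so a reader sees the effect of **Exclude Subset** before applying it. Steps 3 and 4 also use the identical link text "Add the prefix" for two different prefixes, which is easy to misread.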
diff --git a/src/content/docs/ddos-protection/tcp-protection/mitigation-reasons.mdx b/src/content/docs/ddos-protection/tcp-protection/mitigation-reasons.mdx
deleted file mode 100644
index d14bb9b401ed22..00000000000000
--- a/src/content/docs/ddos-protection/tcp-protection/mitigation-reasons.mdx
+++ /dev/null
@@ -1,30 +0,0 @@
----
-title: Mitigation reasons
-pcx_content_type: reference
-sidebar:
- order: 10
-head:
- - tag: title
- content: Advanced TCP Protection mitigation reasons
-
----
-
-The Advanced TCP Protection system applies mitigation actions for different reasons based on the connection states. The **Mitigation reason** field shown in the **Advanced TCP Protection** tab of the [Network Analytics](/analytics/network-analytics/) dashboard will contain more information on why a given packet was dropped by the system.
-
-The connection states are the following:
-
-- **New**: A SYN or SYN-ACK packet has been sent to attempt to open a new connection.
-- **Open**: The three-way TCP handshake has been completed and the TCP connection is open.
-- **Closing**: A FIN or FIN-ACK packet has been seen attempting to close a connection.
-- **Closed**: The closing three-way handshake has been completed, or an RST packet has closed the connection.
-
-The mitigation reasons are the following:
-
-- **UNEXPECTED**: Packet dropped because it was not expected given the current state of the TCP connection it was associated with.
-- **CHALLENGE_NEEDED**: Packet challenged because the system determined that the packet is most likely part of a packet flood.
-- **CHALLENGE_PASSED**: Packet dropped because it belongs to a solved challenge.
-- **NOT_FOUND**: Packet dropped because it is not part of an existing TCP connection and it is not establishing a new connection.
-- **OUT_OF_SEQUENCE**: Packet dropped because its properties (for example, TCP flags or sequence numbers) do not match the expected values for the existing connection.
-- **ALREADY_CLOSED**: Packet dropped because it belongs to a connection that is already closed.
-
-Mitigation will only occur based on your Advanced TCP Protection configuration (rule sensitivities, configured allowlists and prefixes). The protection system will provide some tolerance to out-of-state packets to accommodate for the natural randomness of Internet routing.
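Review bot: in the mitigation reasons list, `CHALLENGE_PASSED` is described as "Packet dropped because it belongs to a solved challenge", which reads as contradictory next to `CHALLENGE_NEEDED` ("Packet challenged ..."). If this list is carried into the new location, add a clause explaining why a packet tied to a solved challenge is still dropped, or correct the verb if "dropped" is a copy-paste from the neighbouring entries.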
diff --git a/src/content/docs/ddos-protection/tcp-protection/rule-settings.mdx b/src/content/docs/ddos-protection/tcp-protection/rule-settings.mdx
deleted file mode 100644
index acdd628194ef16..00000000000000
--- a/src/content/docs/ddos-protection/tcp-protection/rule-settings.mdx
+++ /dev/null
@@ -1,63 +0,0 @@
----
-title: Rule settings
-pcx_content_type: reference
-sidebar:
- order: 9
-
----
-
-Each rule type has the following settings: scope, mode, burst sensitivity, and rate sensitivity.
-
-You may need to adjust the burst or rate sensitivity of a rule in case of false positives or due to specific traffic patterns.
-
-## Scope
-
-Advanced TCP Protection rules can have one of the following scopes:
-
-- **Global**: The rule will apply to all incoming packets.
-- **Region**: The rule will apply to incoming packets in a selected region.
-- **Data center**: The rule will apply to incoming packets in the selected Cloudflare data center.
-
-The rule scope allows you to adjust the system's tolerance for out-of-state packets in locations where you may have more or less traffic than usual, or due to any other networking reasons.
-
-Besides defining rules with one of the above scopes, you must also select the [prefixes](/ddos-protection/tcp-protection/concepts/#prefixes) that you wish to protect with Advanced TCP Protection.
-
-## Mode
-
-The Advanced TCP Protection system constantly learns your TCP connections to mitigate DDoS attacks. Advanced TCP Protection rules can have one of the following execution modes: monitoring, mitigation (enabled), or disabled.
-
-- **Monitoring**
- - In this mode, Advanced TCP Protection will not impact any packets. Instead, the protection system will learn your legitimate TCP connections and show you what it would have mitigated. Check Network Analytics to visualize what actions Advanced TCP Protection would have taken on incoming packets, according to the current configuration.
-
-- **Mitigation (Enabled)**
- - In this mode, Advanced TCP Protection will learn your legitimate TCP connections and perform mitigation actions on incoming TCP DDoS attacks based on the rule configuration (burst and rate sensitivity) and your [allowlist](/ddos-protection/tcp-protection/concepts/#allowlist).
-
-- **Disabled**
- - In this mode, a rule will not evaluate any incoming packets.
-
-## Burst sensitivity
-
-The burst sensitivity is the rule's sensitivity to short-term bursts in the packet rate:
-
-- A low sensitivity means that bigger spikes in the packet rate may trigger a mitigation action.
-- A high sensitivity means that smaller spikes in the packet rate may trigger a mitigation action.
-
-The default burst sensitivity is _Medium_.
-
-## Rate sensitivity
-
-The rate sensitivity is the rule's sensitivity to the sustained packet rate:
-
-- A low sensitivity means that higher sustained packet rates can trigger a mitigation action.
-- A high sensitivity means that lower sustained packet rates may trigger a mitigation action. A high sensitivity offers increased protection, but you may get more false positives (that is, mitigated packets that belong to legitimate traffic).
-
-The default rate sensitivity is _Medium_.
-
-## Profile sensitivity
-
-The sensitivity to DNS queries that have not been recently seen.
-
-- A higher sensitivity level means that the mitigation system will begin mitigating faster.
-- A lower sensitivity provides more tolerance for potentially suspicious DNS queries.
-
-The default rate sensitivity is _Medium_.
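Review bot: the "Profile sensitivity" section ends with "The default rate sensitivity is _Medium_", apparently copied from the section above; it should name profile sensitivity. The section also describes DNS queries on a page about Advanced TCP Protection rules, and the opening line lists only "scope, mode, burst sensitivity, and rate sensitivity". When this content moves, either attribute profile sensitivity to the DNS system explicitly or keep it out of the TCP rule settings.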
diff --git a/src/content/docs/ddos-protection/tcp-protection/setup.mdx b/src/content/docs/ddos-protection/tcp-protection/setup.mdx
deleted file mode 100644
index 55314c80741876..00000000000000
--- a/src/content/docs/ddos-protection/tcp-protection/setup.mdx
+++ /dev/null
@@ -1,44 +0,0 @@
----
-title: Setup
-pcx_content_type: how-to
-sidebar:
- order: 3
-
----
-
-import { GlossaryTooltip, Render } from "~/components"
-
-Follow the steps described in the following sections to get started with Advanced TCP Protection.
-
-## 1. Request initial configuration
-
-When you get access to Advanced TCP Protection, there are no configured thresholds in your account.
-
-Thresholds are based on your network's individual behavior, derived from your traffic profile as monitored by Cloudflare. Defining the thresholds will effectively determine what the _High_, _Medium_, and _Low_ [sensitivities](/ddos-protection/tcp-protection/rule-settings/#burst-sensitivity) will be for your specific case.
-
-Ask your Implementation Manager to configure initial threshold values.
-
-Once thresholds are configured, the Implementation Manager will let you know that Advanced TCP Protection has been initialized and can be configured and enabled.
-
-## 2. Add prefixes
-
-[Add the prefixes](/ddos-protection/tcp-protection/how-to/add-prefix/) you would like to use with Advanced TCP Protection. You will be able to register prefixes that you previously [onboarded to Magic Transit](/magic-transit/how-to/advertise-prefixes/) or a subset of these prefixes.
-
-You cannot add unapproved prefixes to Advanced TCP Protection. Contact your account team to get help with prefix approvals.
-
-## 3. (Optional) Add IP addresses or prefixes to the allowlist
-
-[Add prefixes to the allowlist](/ddos-protection/tcp-protection/how-to/add-prefix-allowlist/) if their traffic should bypass Advanced TCP Protection rules.
-
-The allowlist only applies to source IPs — it does not apply to your own IPs or prefixes. To exclude a subset of an onboarded prefix from Advanced TCP Protection, refer to [Exclude a prefix or a prefix subset](/ddos-protection/tcp-protection/how-to/exclude-prefix/).
-
-## 4. Create a global configuration
-
-[Create a rule](/ddos-protection/tcp-protection/how-to/create-rule/) for SYN Flood Protection and another rule for Out-of-state TCP Protection, both with global scope and in monitoring mode. These rules will apply to all received packets.
-
-Optionally, you can create [filters](/ddos-protection/tcp-protection/concepts/#filter) for each protection system component (SYN flood protection and out-of-state TCP protection).
-
-## 5. Enable Advanced TCP Protection
-
-1. In the Cloudflare dashboard, go to Account Home > **L3/4 DDoS** > **Advanced TCP Protection**.
-2. Under **General settings**, toggle the feature status to **Enabled**.
\ No newline at end of file
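Review bot: steps 4 and 5 leave the account with both rules in monitoring mode and the feature toggled to **Enabled**, and the procedure stops there. rule-settings.mdx in this patch states that monitoring mode "will not impact any packets", so a reader who follows this page to the end has no mitigation in place. The relocated setup page should add a final step that switches the rules to mitigation mode after reviewing Network Analytics, or state that this is deliberate.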
diff --git a/src/content/docs/magic-transit/ddos.mdx b/src/content/docs/magic-transit/ddos.mdx
index 17987783a244ab..eb2d05fb356494 100644
--- a/src/content/docs/magic-transit/ddos.mdx
+++ b/src/content/docs/magic-transit/ddos.mdx
@@ -11,8 +11,8 @@ head:
Cloudflare DDoS protection automatically detects and mitigates Distributed Denial of Service (DDoS) attacks using its Autonomous Edge. Magic Transit customers have access to additional features, such as:
-- [Advanced TCP protection](/ddos-protection/tcp-protection/) (disabled by default)
-- [Advanced DNS protection (beta)](/ddos-protection/dns-protection/)
+- [Advanced TCP protection](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/) (disabled by default)
+- [Advanced DNS protection (beta)](/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection/)
Refer to [Cloudflare DDoS documentation](/ddos-protection/) for more information.
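Review bot: the two link texts touched here read "Advanced TCP protection" and "Advanced DNS protection (beta)" with a lowercase "protection", while the next hunk in this file and the other files in this patch use "Advanced TCP Protection" and "Advanced DNS Protection". Since these lines are being edited anyway, fix the capitalization in the same change.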
@@ -23,6 +23,6 @@ Refer to [Cloudflare DDoS documentation](/ddos-protection/) for more information
The execution order of the different mitigation systems for Magic Transit customers is the following:
1. [DDoS managed rulesets](/ddos-protection/managed-rulesets/)
-2. [Advanced TCP Protection](/ddos-protection/tcp-protection/)
-3. [Advanced DNS Protection](/ddos-protection/dns-protection/)
+2. [Advanced TCP Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/)
+3. [Advanced DNS Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection/)
4. [Magic Firewall](/magic-firewall/)
diff --git a/src/content/partials/ddos-protection/atp-filter-definition.mdx b/src/content/partials/ddos-protection/atp-filter-definition.mdx
index 94d007561a9c14..12d6e288ceadf9 100644
--- a/src/content/partials/ddos-protection/atp-filter-definition.mdx
+++ b/src/content/partials/ddos-protection/atp-filter-definition.mdx
@@ -3,4 +3,4 @@
---
-A filter modifies Advanced TCP Protection's [execution mode](/ddos-protection/tcp-protection/rule-settings/#mode) — monitoring, mitigation (enabled), or disabled — for all incoming packets matching an expression.
+A filter modifies Advanced TCP Protection's [execution mode](/ddos-protection/advanced-ddos-systems/concepts/#mode) — monitoring, mitigation (enabled), or disabled — for all incoming packets matching an expression.
\ No newline at end of file
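Review bot: the new link target is not a plain path rename. It moves from `rule-settings/#mode` to `concepts/#mode`, and the concepts.mdx removed in this patch had no "Mode" heading (it lived in rule-settings.mdx). Confirm that the new `/ddos-protection/advanced-ddos-systems/concepts/` page defines a `## Mode` heading, otherwise this anchor resolves to the top of the page.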
diff --git a/src/content/partials/ddos-protection/atp-filters-rules-precedence.mdx b/src/content/partials/ddos-protection/atp-filters-rules-precedence.mdx
index 012d96a4f78908..856694a96d0c99 100644
--- a/src/content/partials/ddos-protection/atp-filters-rules-precedence.mdx
+++ b/src/content/partials/ddos-protection/atp-filters-rules-precedence.mdx
@@ -5,5 +5,5 @@
:::note[Note]
-Filters take precedence over rules. For details on how the execution mode is determined, refer to [Determining the execution mode](/ddos-protection/tcp-protection/concepts/#determining-the-execution-mode).
+Filters take precedence over rules. For details on how the execution mode is determined, refer to [Determining the execution mode](/ddos-protection/advanced-ddos-systems/concepts/#determining-the-execution-mode).
:::
diff --git a/src/content/partials/ddos-protection/ddos-attack-coverage.mdx b/src/content/partials/ddos-protection/ddos-attack-coverage.mdx
index 61bb3b0ae516e1..3ebded33d02100 100644
--- a/src/content/partials/ddos-protection/ddos-attack-coverage.mdx
+++ b/src/content/partials/ddos-protection/ddos-attack-coverage.mdx
@@ -8,8 +8,8 @@ import { GlossaryTooltip } from "~/components"
| OSI Layer | Ruleset / Feature | Example of covered DDoS attack vectors |
| --------------- | ---------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| L3/4 | [Network-layer DDoS Attack Protection](/ddos-protection/managed-rulesets/network/) | UDP flood attack
SYN floods
SYN-ACK reflection attack
ACK floods
Mirai and Mirai-variant L3/4 attacks
ICMP flood attack
SNMP flood attack
QUIC flood attack
Out of state TCP attacks
Protocol violation attacks
SIP attacks
ESP flood
DNS amplification attack
DNS Garbage Flood
DNS NXDOMAIN flood
DNS Query flood
For more DNS protection options, refer to [Getting additional DNS protection](/ddos-protection/about/attack-coverage/#getting-additional-dns-protection). |
-| L3/4 | [Advanced TCP Protection](/ddos-protection/tcp-protection/) [^1] | Fully randomized and spoofed ACK floods, SYN floods, SYN-ACK reflection attacks, and other sophisticated TCP-based DDoS attacks |
-| L7 | [Advanced DNS Protection](/ddos-protection/dns-protection/) [^1] | Sophisticated and fully randomized DNS attacks, including random-prefix attacks and DNS laundering attacks |
+| L3/4 | [Advanced TCP Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/) [^1] | Fully randomized and spoofed ACK floods, SYN floods, SYN-ACK reflection attacks, and other sophisticated TCP-based DDoS attacks |
+| L7 | [Advanced DNS Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection/) [^1] | Sophisticated and fully randomized DNS attacks, including random-prefix attacks and DNS laundering attacks |
| L7 (HTTP/HTTPS) | [HTTP DDoS Attack Protection](/ddos-protection/managed-rulesets/http/) | HTTP flood attack
WordPress pingback attack
HULK attack
LOIC attack
Slowloris attack
Mirai and Mirai-variant HTTP attacks |
[^1]: Available to Magic Transit customers.
diff --git a/src/content/plans/index.json b/src/content/plans/index.json
index 21aec3cb8dccab..2866bd0448a01c 100644
--- a/src/content/plans/index.json
+++ b/src/content/plans/index.json
@@ -1461,7 +1461,7 @@
},
"tcp_protection": {
"title": "Advanced TCP Protection",
- "link": "/ddos-protection/tcp-protection/",
+ "link": "/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/",
"free": "Available to [Magic Transit](/magic-transit/) customers",
"pro": "Available to [Magic Transit](/magic-transit/) customers",
"biz": "Available to [Magic Transit](/magic-transit/) customers",
@@ -1470,7 +1470,7 @@
},
"u_dns_protection": {
"title": "Advanced DNS Protection",
- "link": "/ddos-protection/dns-protection/",
+ "link": "/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection/",
"free": "Available to [Magic Transit](/magic-transit/) customers",
"pro": "Available to [Magic Transit](/magic-transit/) customers",
"biz": "Available to [Magic Transit](/magic-transit/) customers",