From de2f804056a4613fd180c1f9af18ec9bd265443e Mon Sep 17 00:00:00 2001
From: Patricia Loraine Santa Ana
Date: Mon, 30 Sep 2024 13:38:07 -0700
Subject: [PATCH 1/9] adv ddos systems reorg

---
 .../ddos-protection/about/attack-coverage.mdx | 4 +-
 .../docs/ddos-protection/about/components.mdx | 2 +-
 .../api/dns-protection/examples.mdx | 117 +++++++++++++++
 .../api/dns-protection/index.mdx | 36 +++++
 .../api/dns-protection/json-objects.mdx | 38 +++++
 .../advanced-ddos-systems/api/index.mdx | 18 +++
 .../api/tcp-protection}/examples.mdx | 18 +--
 .../api/tcp-protection/index.mdx | 112 ++++++++++++++
 .../api/tcp-protection}/json-objects.mdx | 2 +-
 .../concepts.mdx | 4 +-
 .../how-to/add-prefix-allowlist.mdx | 6 +-
 .../how-to/add-prefix.mdx | 8 +-
 .../how-to/create-filter.mdx | 4 +-
 .../how-to/create-rule.mdx | 47 ++++++
 .../how-to/exclude-prefix.mdx | 8 +-
 .../how-to/index.mdx | 2 +
 .../advanced-ddos-systems/index.mdx | 10 ++
 .../overview/advanced-dns-protection.mdx} | 33 ++---
 .../advanced-tcp-protection}/index.mdx | 40 ++---
 .../mitigation-reasons.mdx | 2 +-
 .../advanced-ddos-systems/overview/index.mdx | 35 +++++
 .../rule-settings.mdx | 9 +-
 .../advanced-ddos-systems/setup.mdx | 46 ++++++
 src/content/docs/ddos-protection/index.mdx | 8 +-
 .../tcp-protection/api/index.mdx | 140 ------------------
 .../tcp-protection/how-to/create-rule.mdx | 26 ----
 .../ddos-protection/tcp-protection/setup.mdx | 44 ------
 27 files changed, 534 insertions(+), 285 deletions(-)
 create mode 100644 src/content/docs/ddos-protection/advanced-ddos-systems/api/dns-protection/examples.mdx
 create mode 100644 src/content/docs/ddos-protection/advanced-ddos-systems/api/dns-protection/index.mdx
 create mode 100644 src/content/docs/ddos-protection/advanced-ddos-systems/api/dns-protection/json-objects.mdx
 create mode 100644 src/content/docs/ddos-protection/advanced-ddos-systems/api/index.mdx
 rename src/content/docs/ddos-protection/{tcp-protection/api => advanced-ddos-systems/api/tcp-protection}/examples.mdx (96%)
 create mode 100644 src/content/docs/ddos-protection/advanced-ddos-systems/api/tcp-protection/index.mdx
 rename src/content/docs/ddos-protection/{tcp-protection/api => advanced-ddos-systems/api/tcp-protection}/json-objects.mdx (96%)
 rename src/content/docs/ddos-protection/{tcp-protection => advanced-ddos-systems}/concepts.mdx (99%)
 rename src/content/docs/ddos-protection/{tcp-protection => advanced-ddos-systems}/how-to/add-prefix-allowlist.mdx (73%)
 rename src/content/docs/ddos-protection/{tcp-protection => advanced-ddos-systems}/how-to/add-prefix.mdx (67%)
 rename src/content/docs/ddos-protection/{tcp-protection => advanced-ddos-systems}/how-to/create-filter.mdx (95%)
 create mode 100644 src/content/docs/ddos-protection/advanced-ddos-systems/how-to/create-rule.mdx
 rename src/content/docs/ddos-protection/{tcp-protection => advanced-ddos-systems}/how-to/exclude-prefix.mdx (53%)
 rename src/content/docs/ddos-protection/{tcp-protection => advanced-ddos-systems}/how-to/index.mdx (89%)
 create mode 100644 src/content/docs/ddos-protection/advanced-ddos-systems/index.mdx
 rename src/content/docs/ddos-protection/{dns-protection/index.mdx => advanced-ddos-systems/overview/advanced-dns-protection.mdx} (56%)
 rename src/content/docs/ddos-protection/{tcp-protection => advanced-ddos-systems/overview/advanced-tcp-protection}/index.mdx (57%)
 rename src/content/docs/ddos-protection/{tcp-protection => advanced-ddos-systems/overview/advanced-tcp-protection}/mitigation-reasons.mdx (99%)
 create mode 100644 src/content/docs/ddos-protection/advanced-ddos-systems/overview/index.mdx
 rename src/content/docs/ddos-protection/{tcp-protection => advanced-ddos-systems}/rule-settings.mdx (90%)
 create mode 100644 src/content/docs/ddos-protection/advanced-ddos-systems/setup.mdx
 delete mode 100644 src/content/docs/ddos-protection/tcp-protection/api/index.mdx
 delete mode 100644 src/content/docs/ddos-protection/tcp-protection/how-to/create-rule.mdx
 delete mode 100644 src/content/docs/ddos-protection/tcp-protection/setup.mdx
diff --git a/src/content/docs/ddos-protection/about/attack-coverage.mdx b/src/content/docs/ddos-protection/about/attack-coverage.mdx index 450f311ea1aa695..eedb96b15856fb3 100644 --- a/src/content/docs/ddos-protection/about/attack-coverage.mdx +++ b/src/content/docs/ddos-protection/about/attack-coverage.mdx @@ -14,7 +14,7 @@ import { GlossaryTooltip, InlineBadge, Render } from "~/components" The [DDoS Attack Protection managed rulesets](/ddos-protection/managed-rulesets/) provide protection against a variety of DDoS attacks across L3/4 (layers 3/4) and L7 of the OSI model. Cloudflare constantly updates these managed rulesets to improve the attack coverage, increase the mitigation consistency, cover new and emerging threats, and ensure cost-efficient mitigations. -[Advanced TCP Protection](/ddos-protection/tcp-protection/) and [Advanced DNS Protection](/ddos-protection/dns-protection/), available to [Magic Transit](/magic-transit/) customers, provide additional protection against sophisticated TCP-based DDoS attacks and sophisticated and fully randomized DNS attacks, respectively. +[Advanced TCP Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/) and [Advanced DNS Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection/), available to [Magic Transit](/magic-transit/) customers, provide additional protection against sophisticated TCP-based DDoS attacks and sophisticated and fully randomized DNS attacks, respectively. As a general guideline, various Cloudflare products operate on different open systems interconnection (OSI) layers and you are protected up to the layer on which your service operates. You can customize the DDoS settings on the layer in which you onboarded. For example, since the CDN/WAF service is a Layer 7 (HTTP/HTTPS) service, Cloudflare provides protection from DDoS attacks on L7 downwards, including L3/4 attacks. 
@@ -31,7 +31,7 @@ The following table includes a sample of covered attack vectors: The Network-layer DDoS Attack Protection managed ruleset provides protection against some types of DNS attacks. -Magic Transit customers have access to [Advanced DNS Protection](/ddos-protection/dns-protection/) . Other customers might consider the following options: +Magic Transit customers have access to [Advanced DNS Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection/) . Other customers might consider the following options: - Use Cloudflare as your authoritative DNS provider ([primary DNS](/dns/zone-setups/full-setup/) or [secondary DNS](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/)). - If you are running your own nameservers, use [DNS Firewall](/dns/dns-firewall/) to get additional protection against DNS attacks like random prefix attacks. diff --git a/src/content/docs/ddos-protection/about/components.mdx b/src/content/docs/ddos-protection/about/components.mdx index 01cd2d86171a93a..f22e1e997f447de 100644 --- a/src/content/docs/ddos-protection/about/components.mdx +++ b/src/content/docs/ddos-protection/about/components.mdx 
@@ -14,7 +14,7 @@ import { GlossaryTooltip } from "~/components" The Cloudflare Autonomous Edge is powered by the denial-of-service daemon (`dosd`), which is a home-grown software-defined system. A `dosd` instance runs in every single server in every one of [Cloudflare global network's data centers](https://www.cloudflare.com/network/) around the world. These `dosd` instances can detect and mitigate DDoS attacks autonomously without requiring centralized consensus. Cloudflare users can configure this system through [DDoS Attack Protection managed rulesets](/ddos-protection/managed-rulesets/). -Another component of Cloudflare’s Autonomous Edge includes the [Advanced TCP Protection](/ddos-protection/tcp-protection/) system. This is Cloudflare's TCP state tracking machine for detecting and mitigating the most randomized and sophisticated TCP-based DDoS attacks in unidirectional routing topologies — such as the case of [Magic Transit](/magic-transit/). Advanced TCP Protection is able to identify the state of a TCP connection and then drops, challenges, or rate-limits packets that do not belong to a legitimate connection. +Another component of Cloudflare’s Autonomous Edge includes the [Advanced TCP Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/) system. This is Cloudflare's TCP state tracking machine for detecting and mitigating the most randomized and sophisticated TCP-based DDoS attacks in unidirectional routing topologies — such as the case of [Magic Transit](/magic-transit/). Advanced TCP Protection is able to identify the state of a TCP connection and then drops, challenges, or rate-limits packets that do not belong to a legitimate connection. For more information, refer to our blog post [A deep-dive into Cloudflare’s autonomous edge DDoS protection](https://blog.cloudflare.com/deep-dive-cloudflare-autonomous-edge-ddos-protection/). 
diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/api/dns-protection/examples.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/api/dns-protection/examples.mdx new file mode 100644 index 000000000000000..7d232c46ae3e51b --- /dev/null +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/api/dns-protection/examples.mdx 
@@ -0,0 +1,117 @@ +--- +title: Common API calls +pcx_content_type: configuration +sidebar: + order: 2 + +--- + +The following sections contain example requests for common API calls. For a list of available API endpoints, refer to [Endpoints](/ddos-protection/advanced-ddos-systems/api/dns-protection/#endpoints). + +## Get all DNS protection rules + +The following example retrieves the currently configured rules for Advanced DNS Protection. + +```bash +curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/advanced_dns_protection/configs/dns_protection/rules" \ +--header "Authorization: Bearer " +``` + +```json title="Example response" +--- +{ + "result": [ + { + "id": "", + "scope": "", + "name": "", + "mode": "", + "profile_sensitivity": "", + "rate_sensitivity": "", + "burst_sensitivity": "", + "created_on": "2023-10-01T13:10:38.762503+01:00", + "modified_on": "2023-10-01T13:10:38.762503+01:00", + } + ], + "success": true, + "errors": [], + "messages": [] +} +``` + +### Create DNS protection rule + +The following example creates an Advanced DNS Protection rule with a global scope. + +```bash +curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/advanced_dns_protection/configs/dns_protection/rules" \ +--header "Authorization: Bearer " \ +--data '{ + "scope": "global", + "name": "global", + "mode": "", + "rate_sensitivity": "", + "burst_sensitivity": "", + "profile_sensitivity": "" +}' +``` + +```json title="Example response" +{ + "result": { + "id": "", + "scope": "global", + "name": "global", + "mode": "", + "rate_sensitivity": "", + "burst_sensitivity": "", + "profile_sensitivity": "", + "created_on": "2023-10-01T13:10:38.762503+01:00", + "modified_on": "2023-10-01T13:10:38.762503+01:00", + }, + "success": true, + "errors": [], + "messages": [] +} +``` + +Refer to [JSON objects](/ddos-protection/advanced-ddos-systems/api/dns-protection/json-objects/) for more information on the fields in the JSON body. 
+ +### Update DNS protection rule + +The following example updates an existing DNS protection rule with ID `{rule_id}`. + +The request body can contain only the fields you want to update (from `mode`, `profile_sensitivity`, `rate_sensitivity`, and `burst_sensitivity`). + +```bash +curl --request PATCH \ +"https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/advanced_dns_protection/configs/dns_protection/rules/{rule_id}" \ +--header "Authorization: Bearer " \ +--data '{ + "mode": "", + "profile_sensitivity": "", + "rate_sensitivity": "", + "burst_sensitivity": "" +}' +``` + +```json title="Example response" +{ + "result": { + "id": "", + "scope": "", + "name": "", + "mode": "", + "profile_sensitivity": "", + "rate_sensitivity": "", + "burst_sensitivity": "", + "created_on": "2023-10-01T13:10:38.762503+01:00", + "modified_on": "2023-10-01T13:10:38.762503+01:00", + }, + "success": true, + "errors": [], + "messages": [] +} +``` + +Refer to [JSON objects](/ddos-protection/advanced-ddos-systems/api/dns-protection/json-objects/) for more information on the fields in the JSON body. \ No newline at end of file diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/api/dns-protection/index.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/api/dns-protection/index.mdx new file mode 100644 index 000000000000000..7e8361776d2721a --- /dev/null +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/api/dns-protection/index.mdx 
@@ -0,0 +1,36 @@ +--- +pcx_content_type: how-to +title: Advanced DNS Protection +sidebar: + order: 5 + label: Configure via the API +head: + - tag: title + content: Configure Advanced DNS Protection via API + +--- + +Use the [Cloudflare API](/api/) to configure Advanced DNS Protection via API. + +For examples of API calls, refer to [Common API calls](/ddos-protection/advanced-ddos-systems/api/dns-protection/examples/). + +## Endpoints + +To obtain the complete endpoint, append the Advanced DNS Protection API endpoints listed below to the Cloudflare API base URL: + +```txt +https://api.cloudflare.com/client/v4 +``` + +The `{account_id}` argument is the [account ID](/fundamentals/setup/find-account-and-zone-ids/) (a hexadecimal string). You can find this value in the Cloudflare dashboard. + +The following table summarizes the available operations. + +| Operation | Verb + Endpoint | +| --- | --- | +| List DNS protection rules |

`GET accounts/{account_id}/magic/advanced_dns_protection/configs/dns_protection/rules`

Fetches all DNS protection rules in the account. | +| Add a DNS protection rule |

`POST accounts/{account_id}/magic/advanced_dns_protection/configs/dns_protection/rules`

Adds a DNS protection rule to the account. | +| Get a DNS protection rule |

`GET accounts/{account_id}/magic/advanced_dns_protection/configs/dns_protection/rules/{rule_id}`

Fetches the details of an existing DNS protection rule in the account. | +| Update a DNS protection rule |

`PATCH accounts/{account_id}/magic/advanced_dns_protection/configs/dns_protection/rules/{rule_id}`

Updates an existing DNS protection rule in the account. | +| Delete a DNS protection rule |

`DELETE accounts/{account_id}/magic/advanced_dns_protection/configs/dns_protection/rules/{rule_id}`

Deletes an existing DNS protection rule from the account. | +| Delete all DNS protection rules |

`DELETE accounts/{account_id}/magic/advanced_dns_protection/configs/dns_protection/rules`

Deletes all existing DNS protection rules from the account. | \ No newline at end of file diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/api/dns-protection/json-objects.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/api/dns-protection/json-objects.mdx new file mode 100644 index 000000000000000..2cc460e9b447dc9 --- /dev/null +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/api/dns-protection/json-objects.mdx @@ -0,0 +1,38 @@ +--- +title: JSON objects +pcx_content_type: reference +sidebar: + order: 3 +head: + - tag: title + content: Advanced TCP Protection API - JSON objects + +--- + +# JSON object + +This page contains an example of the DNS protection rule JSON object used in the API. + +```json +{ + "id": "31c70c65-9f81-4669-94ed-1e1e041e7b06", + "scope": "region", + "name": "WEUR", + "mode": "monitoring", + "profile_sensitivity": "medium", + "rate_sensitivity": "medium", + "burst_sensitivity": "medium", + "created_on": "2023-10-01T13:10:38.762503+01:00", + "modified_on": "2023-10-01T13:10:38.762503+01:00" +} +``` + +The `scope` field value must be one of `global`, `region`, or `datacenter`. You must provide a region code (or data center code) in the `name` field when specifying a `region` (or `datacenter`) scope. + +The `mode` value must be one of `enabled`, `disabled`, or `monitoring`. + +The `profile_sensitivity` field value must be one of `low` (default), `medium`, `high`, or `very_high`. + +The `rate_sensitivity` and `burst_sensitivity` field values must be one of `low`, `medium`, or `high`. + +For more information on the rule settings, refer to [Rule settings](/ddos-protection/advanced-ddos-systems/rule-settings/). \ No newline at end of file diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/api/index.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/api/index.mdx new file mode 100644 index 000000000000000..805248d20a3519a --- /dev/null 
+++ b/src/content/docs/ddos-protection/advanced-ddos-systems/api/index.mdx @@ -0,0 +1,18 @@ +--- +title: API configuration +pcx_content_type: overview +sidebar: + order: 5 + group: + hideIndex: true +head: + - tag: title + content: Configure Advanced TCP Protection and Advanced DNS Protection via the API + +--- + +import { DirectoryListing } from "~/components" + +Refer to the following pages to configure Advanced TCP Protection and Advanced DNS Protection via the API. + + diff --git a/src/content/docs/ddos-protection/tcp-protection/api/examples.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/api/tcp-protection/examples.mdx similarity index 96% rename from src/content/docs/ddos-protection/tcp-protection/api/examples.mdx rename to src/content/docs/ddos-protection/advanced-ddos-systems/api/tcp-protection/examples.mdx index 07335381291ac1c..1ecd5daea218e45 100644 --- a/src/content/docs/ddos-protection/tcp-protection/api/examples.mdx +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/api/tcp-protection/examples.mdx @@ -17,7 +17,7 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/advanced_t --header "Authorization: Bearer " ``` -```json title="Response" +```json title="Example response" { "result": { "enabled": false @@ -51,7 +51,7 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/advanced_t --header "Authorization: Bearer " ``` -```json title="Response" +```json title="Example response" { "result": [ { @@ -88,7 +88,7 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/advanced_t ]' ``` -```json title="Response" +```json title="Example response" { "result": [ { @@ -123,7 +123,7 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/advanced_t --header "Authorization: Bearer " ``` -```json title="Response" +```json title="Example response" { "result": [ { 
@@ -156,7 +156,7 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/advanced_t }' ``` -```json title="Response" +```json title="Example response" { "result": { "id": "", @@ -189,7 +189,7 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/advanced_t }' ``` -```json title="Response" +```json title="Example response" { "result": { "id": "", @@ -226,7 +226,7 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/advanced_t }' ``` -```json title="Response" +```json title="Example response" { "result": { "id": "", @@ -260,7 +260,7 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/advanced_t }' ``` -```json title="Response" +```json title="Example response" { "result": { "id": "", @@ -291,7 +291,7 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/advanced_t }' ``` -```json title="Response" +```json title="Example response" { "result": { "id": "", diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/api/tcp-protection/index.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/api/tcp-protection/index.mdx new file mode 100644 index 000000000000000..d499416c60c5f19 --- /dev/null +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/api/tcp-protection/index.mdx 
@@ -0,0 +1,112 @@ +--- +pcx_content_type: how-to +title: Advanced TCP Protection +sidebar: + order: 5 + label: Configure via the API +head: + - tag: title + content: Configure Advanced TCP Protection via API + +--- + +You can configure Advanced TCP Protection using the Advanced TCP Protection API. + +The Advanced TCP Protection API only supports [API token authentication](/fundamentals/api/get-started/create-token/). + +For examples of API calls, refer to [Common API calls](/ddos-protection/advanced-ddos-systems/api/tcp-protection/examples/). + +## Endpoints + +To obtain the complete endpoint, append the Advanced TCP Protection API endpoints listed below to the Cloudflare API base URL. + +The Cloudflare API base URL is: + +```txt +https://api.cloudflare.com/client/v4 +``` + +The `{account_id}` argument is the account ID (a hexadecimal string). You can find this value in the Cloudflare dashboard. + +The tables in the following sections summarize the available operations. + +### General operations + +| Operation | Method and endpoint / Description | +| --- | --- | +| Get Advanced TCP Protection status |

`GET accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_protection_status`

Gets the global Advanced TCP Protection status (enabled or disabled). | +| Update Advanced TCP Protection status |

`PATCH accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_protection_status`

Enables or disables Advanced TCP Protection. | + +### Prefix operations + +| Operation | Method and endpoint / Description | +| --- | --- | +| List prefixes |

`GET accounts/{account_id}/magic/advanced_tcp_protection/configs/prefixes`

Fetches all Advanced TCP Protection prefixes in the account. | +| Add prefixes in bulk |

`POST accounts/{account_id}/magic/advanced_tcp_protection/configs/prefixes/bulk`

Adds prefixes in bulk to the account (up to 300 prefixes per request). | +| Get a prefix |

`GET accounts/{account_id}/magic/advanced_tcp_protection/configs/prefixes/{prefix_id}`

Fetches the details of an existing prefix. | +| Update a prefix |

`PATCH accounts/{account_id}/magic/advanced_tcp_protection/configs/prefixes/{prefix_id}`

Updates an existing prefix. | +| Delete a prefix |

`DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/prefixes/{prefix_id}`

Deletes an existing prefix. | +| Delete all prefixes |

`DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/prefixes`

Deletes all existing prefixes from the account. | + +### Allowlist operations + +| Operation | Method and endpoint / Description | +| --- | --- | +| List allowlisted prefixes |

`GET accounts/{account_id}/magic/advanced_tcp_protection/configs/allowlist`

Fetches all prefixes in the account allowlist. | +| Add an allowlisted prefix |

`POST accounts/{account_id}/magic/advanced_tcp_protection/configs/allowlist`

Adds a prefix to the allowlist. | +| Get an allowlisted prefix |

`GET accounts/{account_id}/magic/advanced_tcp_protection/configs/allowlist/{allowlist_id}`

Fetches the details of an existing prefix in the allowlist. | +| Update an allowlisted prefix |

`PATCH accounts/{account_id}/magic/advanced_tcp_protection/configs/allowlist/{allowlist_id}`

Updates an existing prefix in the allowlist. | +| Delete an allowlisted prefix |

`DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/allowlist/{allowlist_id}`

Deletes an existing prefix from the allowlist. | +| Delete all allowlisted prefixes |

`DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/allowlist`

Deletes all existing prefixes from the allowlist. | + +### SYN Flood Protection operations + +#### Rules + +| Operation | Method and endpoint / Description | +| --- | --- | +| List SYN flood rules |

`GET accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/rules`

Fetches all SYN flood rules in the account. | +| Add a SYN flood rule |

`POST accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/rules`

Adds a SYN flood rule to the account. | +| Get a SYN flood rule |

`GET accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/rules/{rule_id}`

Fetches the details of an existing SYN flood rule in the account. | +| Update a SYN flood rule |

`PATCH accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/rules/{rule_id}`

Updates an existing SYN flood rule in the account. | +| Delete a SYN flood rule |

`DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/rules/{rule_id}`

Deletes an existing SYN flood rule from the account. | +| Delete all SYN flood rules |

`DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/rules`

Deletes all existing SYN flood rules from the account. | + +#### Filters + +| Operation | Method and endpoint / Description | +| --- | --- | +| List SYN flood filters |

`GET accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/filters`

Fetches all SYN flood filters in the account. | +| Add a SYN flood filter |

`POST accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/filters`

Adds a SYN flood filter to the account. | +| Get a SYN flood filter |

`GET accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/filters/{filter_id}`

Fetches the details of an existing SYN flood filter in the account. | +| Update a SYN flood filter |

`PATCH accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/filters/{filter_id}`

Updates an existing SYN flood filter in the account. | +| Delete a SYN flood filter |

`DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/filters/{filter_id}`

Deletes an existing SYN flood filter from the account. | +| Delete all SYN flood filters |

`DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/filters`

Deletes all existing SYN flood filters from the account. | + +### Out-of-state TCP Protection operations + +#### Rules + +| Operation | Method and endpoint / Description | +| --- | --- | +| List out-of-state TCP rules |

`GET accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/rules`

Fetches all out-of-state TCP rules in the account. | +| Add an out-of-state TCP rule |

`POST accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/rules`

Adds an out-of-state TCP rule to the account. | +| Get an out-of-state TCP rule |

`GET accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/rules/{rule_id}`

Fetches the details of an existing out-of-state TCP rule in the account. | +| Update an out-of-state TCP rule |

`PATCH accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/rules/{rule_id}`

Updates an existing out-of-state TCP rule in the account. | +| Delete an out-of-state TCP rule |

`DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/rules/{rule_id}`

Deletes an existing out-of-state TCP rule from the account. | +| Delete all out-of-state TCP rules |

`DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/rules`

Deletes all existing out-of-state TCP rules from the account. | + +#### Filters + +| Operation | Method and endpoint / Description | +| --- | --- | +| List out-of-state TCP filters |

`GET accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/filters`

Fetches all out-of-state TCP filters in the account. | +| Add an out-of-state TCP filter |

`POST accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/filters`

Adds an out-of-state TCP filter to the account. | +| Get an out-of-state TCP filter |

`GET accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/filters/{filter_id}`

Fetches the details of an existing out-of-state TCP filter in the account. | +| Update an out-of-state TCP filter |

`PATCH accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/filters/{filter_id}`

Updates an existing out-of-state TCP filter in the account. | +| Delete an out-of-state TCP filter |

`DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/filters/{filter_id}`

Deletes an existing out-of-state TCP filter from the account. | +| Delete all out-of-state TCP filters |

`DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/filters`

Deletes all existing out-of-state TCP filters from the account. | + +## Pagination + +The API operations that return a list of items use pagination. For more information on the available pagination query parameters, refer to [Pagination](/fundamentals/api/how-to/make-api-calls/#pagination). diff --git a/src/content/docs/ddos-protection/tcp-protection/api/json-objects.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/api/tcp-protection/json-objects.mdx similarity index 96% rename from src/content/docs/ddos-protection/tcp-protection/api/json-objects.mdx rename to src/content/docs/ddos-protection/advanced-ddos-systems/api/tcp-protection/json-objects.mdx index d00337e17d08f79..784c7fcfaa7fe30 100644 --- a/src/content/docs/ddos-protection/tcp-protection/api/json-objects.mdx +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/api/tcp-protection/json-objects.mdx @@ -9,7 +9,7 @@ head: --- -This page contains examples of the JSON objects used in the API. +This page contains an example of the TCP protection rule JSON object used in the API. ## Prefix diff --git a/src/content/docs/ddos-protection/tcp-protection/concepts.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/concepts.mdx similarity index 99% rename from src/content/docs/ddos-protection/tcp-protection/concepts.mdx rename to src/content/docs/ddos-protection/advanced-ddos-systems/concepts.mdx index 8cba234969d1f4f..54d9c74085bbb32 100644 --- a/src/content/docs/ddos-protection/tcp-protection/concepts.mdx +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/concepts.mdx @@ -2,7 +2,7 @@ title: Concepts pcx_content_type: concept sidebar: - order: 4 + order: 3 head: - tag: title content: Create an Advanced TCP Protection filter 
@@ -68,7 +68,5 @@ When you have both rules and filters configured, the execution mode is determine 1. Mitigation filter (filter with `enabled` mode) 2. Monitoring filter (filter with `monitoring` mode) 3. Off filter (filter with `disabled` mode) - 2. If no filter matched, use the execution mode determined by existing rules. - 3. If no rules match, disable Advanced TCP Protection. diff --git a/src/content/docs/ddos-protection/tcp-protection/how-to/add-prefix-allowlist.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/add-prefix-allowlist.mdx similarity index 73% rename from src/content/docs/ddos-protection/tcp-protection/how-to/add-prefix-allowlist.mdx rename to src/content/docs/ddos-protection/advanced-ddos-systems/how-to/add-prefix-allowlist.mdx index cb0dce8ca40a778..84770a6e0422b0e 100644 --- a/src/content/docs/ddos-protection/tcp-protection/how-to/add-prefix-allowlist.mdx +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/add-prefix-allowlist.mdx @@ -2,16 +2,16 @@ title: Add an IP or prefix to the allowlist pcx_content_type: how-to sidebar: - order: 4 + order: 2 head: - tag: title - content: Add an IP address/prefix to the Advanced TCP Protection allowlist + content: Add an IP address/prefix to the Advanced DDoS Protection allowlist --- import { Render } from "~/components" -To add an IP address or prefix to the Advanced TCP Protection [allowlist](/ddos-protection/tcp-protection/concepts/#allowlist): +To add an IP address or prefix to the Advanced DDoS Protection [allowlist](/ddos-protection/advanced-ddos-systems/concepts/#allowlist): 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account. 2. Go to **L3/4 DDoS** > **Advanced Protection**. 
diff --git a/src/content/docs/ddos-protection/tcp-protection/how-to/add-prefix.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/add-prefix.mdx similarity index 67% rename from src/content/docs/ddos-protection/tcp-protection/how-to/add-prefix.mdx rename to src/content/docs/ddos-protection/advanced-ddos-systems/how-to/add-prefix.mdx index eb36505a4b74238..4e5eaefd3ad3325 100644 --- a/src/content/docs/ddos-protection/tcp-protection/how-to/add-prefix.mdx +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/add-prefix.mdx @@ -2,14 +2,14 @@ title: Add a prefix pcx_content_type: how-to sidebar: - order: 2 + order: 1 head: - tag: title - content: Add a prefix to Advanced TCP Protection + content: Add a prefix to Advanced DDoS Protection --- -To add a [prefix](/ddos-protection/tcp-protection/concepts/#prefixes) to Advanced TCP Protection: +To add a [prefix](/ddos-protection/advanced-ddos-systems/concepts/#prefixes) to Advanced DDoS Protection: 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account. 2. Go to **L3/4 DDoS** > **Advanced Protection**. @@ -19,5 +19,5 @@ To add a [prefix](/ddos-protection/tcp-protection/concepts/#prefixes) to Advance :::note[Note] -The **Add existing prefix** list will not display leased prefixes, but you can add them manually in the Cloudflare dashboard or [using the API](/ddos-protection/tcp-protection/api/). You cannot add [delegated prefixes](/byoip/concepts/prefix-delegations/) to Advanced TCP Protection. +The **Add existing prefix** list will not display leased prefixes, but you can add them manually in the Cloudflare dashboard or [using the API](/ddos-protection/advanced-ddos-systems/api/). You cannot add [delegated prefixes](/byoip/concepts/prefix-delegations/) to Advanced TCP Protection. ::: 
diff --git a/src/content/docs/ddos-protection/tcp-protection/how-to/create-filter.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/create-filter.mdx similarity index 95% rename from src/content/docs/ddos-protection/tcp-protection/how-to/create-filter.mdx rename to src/content/docs/ddos-protection/advanced-ddos-systems/how-to/create-filter.mdx index 97e165775c62da3..d9f64aecc848673 100644 --- a/src/content/docs/ddos-protection/tcp-protection/how-to/create-filter.mdx +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/create-filter.mdx @@ -2,7 +2,7 @@ title: Create a filter pcx_content_type: how-to sidebar: - order: 5 + order: 4 head: - tag: title content: Create a filter for Advanced TCP Protection @@ -13,7 +13,7 @@ import { GlossaryTooltip, Render } from "~/components" -Each protection system component (SYN flood protection or out-of-state TCP protection) should have at least one [rule](/ddos-protection/tcp-protection/concepts/#rule), but filters are optional. +Each protection system component (SYN flood protection or out-of-state TCP protection) should have at least one [rule](/ddos-protection/advanced-ddos-systems/concepts/#rule), but filters are optional. ## Procedure diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/create-rule.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/create-rule.mdx new file mode 100644 index 000000000000000..fb663683fc3182e --- /dev/null +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/create-rule.mdx 
@@ -0,0 +1,47 @@ +--- +title: Create a rule +pcx_content_type: how-to +sidebar: + order: 3 +head: + - tag: title + content: Create an Advanced DDoS Protection rule + +--- + +import { Render } from "~/components" + +## Create an Advanced TCP Protection rule + +To create a [SYN flood rule](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/#syn-flood-protection) or an [out-of-state TCP](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/#out-of-state-tcp-protection) rule: + +1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account. +2. Go to **L3/4 DDoS** > **Advanced Protection** > **Advanced TCP Protection**. +3. Depending on the rule you are creating, do one of the following: + + - Under **SYN Flood Protection**, select **Create SYN flood rule**. + - Under **Out-of-state TCP Protection**, select **Create out-of-state TCP rule**. + +4. In **Mode**, select a [mode](/ddos-protection/advanced-ddos-systems/rule-settings/#mode) for the rule. +5. Under **Set scope**, select a [scope](/ddos-protection/advanced-ddos-systems/rule-settings/#scope) for the rule. If you choose to apply the rule to a subset of incoming packets, select a region or a data center. +6. Under **Sensitivity**, define the [burst sensitivity](/ddos-protection/advanced-ddos-systems/rule-settings/#burst-sensitivity) and [rate sensitivity](/ddos-protection/advanced-ddos-systems/rule-settings/#rate-sensitivity) of the rule (by default, _Medium_). The sensitivity levels are based on the initially configured thresholds for your specific case. +7. Select **Deploy**. + + + +## Create an Advanced DNS Protection rule + +1. Contact your account team to enable Advanced DNS Protection and make the initial configuration. The initial thresholds are based on your network’s individual behavior. +2. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select your account. +3. 
Go to **L3/4 DDoS** > **Advanced Protection** > **General settings**. +4. Add the prefixes you wish to onboard. Advanced DNS Protection will only be applied to the prefixes you onboard. If you already onboarded the desired prefixes when you configured Advanced TCP Protection, you do not need to take any other action. + :::note + + Currently, the list of onboarded prefixes is shared with Advanced TCP Protection. Any onboarded prefixes will be subject to both Advanced TCP Protection and Advanced DNS Protection, assuming that your account team has done the initial configuration of both systems. However, you can leave Advanced TCP Protection in monitoring mode. + ::: +5. Go to **Advanced DNS Protection**. +6. Select **Create Advanced DNS Protection rule**. +7. In **Mode**, select a mode for the rule. +8. Under **Set scope**, select a [scope](/ddos-protection/advanced-ddos-systems/rule-settings/#scope) to determine the range of packets that will be affected by the rule. +9. Under **Sensitivity**, define the [burst sensitivity](/ddos-protection/advanced-ddos-systems/rule-settings/#burst-sensitivity), [rate sensitivity](/ddos-protection/advanced-ddos-systems/rule-settings/#rate-sensitivity), and [profile sensitivity](/ddos-protection/advanced-ddos-systems/rule-settings/#profile-sensitivity) to determine when to initiate mitigation. +10. Select **Deploy**. diff --git a/src/content/docs/ddos-protection/tcp-protection/how-to/exclude-prefix.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/exclude-prefix.mdx similarity index 53% rename from src/content/docs/ddos-protection/tcp-protection/how-to/exclude-prefix.mdx rename to src/content/docs/ddos-protection/advanced-ddos-systems/how-to/exclude-prefix.mdx index cb51d0dd86c5ccd..47cd9ce6c548356 100644 --- a/src/content/docs/ddos-protection/tcp-protection/how-to/exclude-prefix.mdx +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/exclude-prefix.mdx 
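Review bot: in the new create-rule.mdx, `import { Render } from "~/components"` is never used (the three empty `+` lines after step 7 look like the spot where a `<Render>` call was removed), so drop the import or restore the component. Two smaller points in the same file: DNS step 7 `In **Mode**, select a mode for the rule.` lacks the link to `/ddos-protection/advanced-ddos-systems/rule-settings/#mode` that TCP step 4 has, and DNS steps 1, 3 and 4 (contact the account team, add prefixes under General settings) duplicate steps 1 and 2 of the new setup.mdx, so a link to that page would keep the prerequisites in one place. The Advanced TCP section also has no counterpart to DNS step 1, which leaves the impression that TCP rules need no initial threshold configuration even though setup.mdx says otherwise.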
@@ -2,16 +2,16 @@ title: Exclude a prefix pcx_content_type: how-to sidebar: - order: 6 + order: 5 --- -To exclude a prefix or a prefix subset from Advanced TCP Protection: +To exclude a prefix or a prefix subset from Advanced DDoS Protection: 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account. 2. Go to Account Home > **L3/4 DDoS** > **Advanced TCP Protection**. -3. [Add the prefix](/ddos-protection/tcp-protection/how-to/add-prefix/) you previously onboarded to Magic Transit to Advanced TCP Protection. -4. [Add the prefix](/ddos-protection/tcp-protection/how-to/add-prefix/) (or subset) you wish to exclude as a new, separate prefix in Advanced TCP Protection. +3. [Add the prefix](/ddos-protection/advanced-ddos-systems/how-to/add-prefix/) you previously onboarded to Magic Transit to Advanced TCP Protection. +4. [Add the prefix](/ddos-protection/advanced-ddos-systems/how-to/add-prefix/) (or subset) you wish to exclude as a new, separate prefix in Advanced TCP Protection. 5. For the prefix you added in the previous step, select **Exclude Subset** in the **Enrolled Prefixes** list. :::note diff --git a/src/content/docs/ddos-protection/tcp-protection/how-to/index.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/index.mdx similarity index 89% rename from src/content/docs/ddos-protection/tcp-protection/how-to/index.mdx rename to src/content/docs/ddos-protection/advanced-ddos-systems/how-to/index.mdx index 1aae405d9758c38..4cb011a3624ec99 100644 --- a/src/content/docs/ddos-protection/tcp-protection/how-to/index.mdx +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/index.mdx @@ -3,6 +3,8 @@ title: How to pcx_content_type: navigation sidebar: order: 4 + group: + hideIndex: true head: - tag: title content: How-to guides 
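Review bot: exclude-prefix.mdx step 2 still sends the reader to `Account Home > **L3/4 DDoS** > **Advanced TCP Protection**`, while every other how-to page in this patch uses `**L3/4 DDoS** > **Advanced Protection**`, and steps 3 and 4 still add the prefix `to Advanced TCP Protection` after the intro was renamed to Advanced DDoS Protection. Align the navigation path and the product name with the other how-to pages; if exclusion really is a TCP-only feature, say so in the intro rather than half-renaming the page.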
diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/index.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/index.mdx new file mode 100644 index 000000000000000..168a861df4bc608 --- /dev/null +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/index.mdx @@ -0,0 +1,10 @@ +--- +title: Advanced DDoS systems +pcx_content_type: overview +sidebar: + group: + hideIndex: true + order: 6 + + +--- diff --git a/src/content/docs/ddos-protection/dns-protection/index.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection.mdx similarity index 56% rename from src/content/docs/ddos-protection/dns-protection/index.mdx rename to src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection.mdx index d767a3656bb482a..77530df22640b11 100644 --- a/src/content/docs/ddos-protection/dns-protection/index.mdx +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection.mdx @@ -2,14 +2,14 @@ title: Advanced DNS Protection pcx_content_type: concept sidebar: - order: 7 + order: 4 head: - tag: title content: Cloudflare Advanced DNS Protection --- -Cloudflare Advanced DNS Protection, powered by [`flowtrackd`](https://blog.cloudflare.com/announcing-flowtrackd/), provides stateful protection against DNS-based DDoS attacks, specifically sophisticated and fully randomized DNS attacks such as [random prefix attacks](/dns/dns-firewall/random-prefix-attacks/about/). +Cloudflare's Advanced DNS Protection, powered by [`flowtrackd`](https://blog.cloudflare.com/announcing-flowtrackd/), provides stateful protection against DNS-based DDoS attacks, specifically sophisticated and fully randomized DNS attacks such as [random prefix attacks](/dns/dns-firewall/random-prefix-attacks/about/). ## How it works 
@@ -19,28 +19,11 @@ Currently, the protection system only analyzes DNS over UDP (it does not include The [Network Analytics dashboard](/analytics/network-analytics/) will display system-specific analytics for Advanced DNS Protection in the **DNS protection** tab, including the queried domains and record types. -## Availability - -Advanced DNS Protection is currently available to [Magic Transit](/magic-transit/) customers. - -Protection for simpler DNS-based DDoS attacks is also included as part of the [Network-layer DDoS Attack Protection managed ruleset](/ddos-protection/managed-rulesets/network/). +--- ## Setup -1. Contact your account team to enable Advanced DNS Protection and make the initial configuration. The initial thresholds are based on your network’s individual behavior. -2. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select your account. -3. Go to **L3/4 DDoS** > **Advanced Protection** > **General settings**. -4. Add the prefixes you wish to onboard. Advanced DNS Protection will only be applied to the prefixes you onboard. If you already onboarded the desired prefixes when you configured Advanced TCP Protection, you do not need to take any other action. -:::note - -Currently, the list of onboarded prefixes is shared with Advanced TCP Protection. Any onboarded prefixes will be subject to both Advanced TCP Protection and Advanced DNS Protection, assuming that your account team has done the initial configuration of both systems. However, you can leave Advanced TCP Protection in monitoring mode. -::: -5. Go to **Advanced DNS Protection**. -6. Select **Create Advanced DNS Protection rule**. -7. In **Mode**, select a mode for the rule. -8. Under **Set scope**, select a [scope](/ddos-protection/tcp-protection/rule-settings/#scope) to determine the range of packets that will be affected by the rule. -9. 
Under **Sensitivity**, define the [burst sensitivity](/ddos-protection/tcp-protection/rule-settings/#burst-sensitivity), [rate sensitivity](/ddos-protection/tcp-protection/rule-settings/#rate-sensitivity), and [profile sensitivity](/ddos-protection/tcp-protection/rule-settings/#profile-sensitivity) to determine when to initiate mitigation. -10. Select **Deploy**. +[Create a rule](/ddos-protection/advanced-ddos-systems/how-to/create-rule/#create-an-advanced-dns-protection-rule) to enable Advanced DNS Protection. --- @@ -67,6 +50,14 @@ Currently, to disable this data collection you must remove your prefixes either --- +## Availability + +Advanced DNS Protection is currently available to [Magic Transit](/magic-transit/) customers. + +Protection for simpler DNS-based DDoS attacks is also included as part of the [Network-layer DDoS Attack Protection managed ruleset](/ddos-protection/managed-rulesets/network/). + +--- + ## Related products Advanced DNS Protection can protect you against volumetric DNS DDoS attacks. To perform DNS caching, proxying, and configuration, use the [Cloudflare DNS Firewall](/dns/dns-firewall/). diff --git a/src/content/docs/ddos-protection/tcp-protection/index.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/index.mdx similarity index 57% rename from src/content/docs/ddos-protection/tcp-protection/index.mdx rename to src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/index.mdx index a8351a13c3db1c4..ca2206ed5179fdc 100644 --- a/src/content/docs/ddos-protection/tcp-protection/index.mdx +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/index.mdx 
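Review bot: the new Setup section in advanced-dns-protection.mdx says `[Create a rule](/ddos-protection/advanced-ddos-systems/how-to/create-rule/#create-an-advanced-dns-protection-rule) to enable Advanced DNS Protection.`, but according to the setup page added in this patch a rule alone enables nothing: the account team must configure thresholds first and the system is switched on with the General settings toggle. Suggest `Follow the [setup](/ddos-protection/advanced-ddos-systems/setup/) steps, then [create a rule](...)` so the prerequisite and the enablement step are not lost together with the removed inline procedure.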
@@ -2,14 +2,14 @@ title: Advanced TCP Protection pcx_content_type: concept sidebar: - order: 6 + order: 2 head: - tag: title content: Cloudflare Advanced TCP Protection --- -Cloudflare Advanced TCP Protection, powered by [`flowtrackd`](https://blog.cloudflare.com/announcing-flowtrackd/), is a stateful TCP inspection engine used to detect and mitigate sophisticated out-of-state TCP attacks such as randomized and spoofed ACK floods or SYN and SYN-ACK floods. +Cloudflare's Advanced TCP Protection, powered by [`flowtrackd`](https://blog.cloudflare.com/announcing-flowtrackd/), is a stateful TCP inspection engine used to detect and mitigate sophisticated out-of-state TCP attacks such as randomized and spoofed ACK floods or SYN and SYN-ACK floods. Advanced TCP Protection can simultaneously protect against different kinds of attacks: 
@@ -18,35 +18,39 @@ Advanced TCP Protection can simultaneously protect against different kinds of at Advanced TCP Protection can track TCP connections even when they move between Cloudflare data centers. -## Availability - -Advanced TCP Protection is available to all [Magic Transit](/magic-transit/) customers, and is disabled by default. Protection for simpler TCP-based DDoS attacks is also included as part of the [Network-layer DDoS Attack Protection managed ruleset](/ddos-protection/managed-rulesets/network/). +The feature offers two types of protection: -## Get started +- [SYN Flood Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/#syn-flood-protection): Protects against attacks such as fully randomized SYN and SYN-ACK floods. +- [Out-of-state TCP Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/#out-of-state-tcp-protection): Protects against out-of-state TCP DDoS attacks such as fully randomized ACK floods and RST floods. -To get started with Advanced TCP Protection, refer to [Setup](/ddos-protection/tcp-protection/setup/). +Each protection type is configured independently using rules and (optionally) filters. You should configure at least one rule for each type of protection before enabling Advanced TCP Protection. --- -Advanced TCP Protection offers two types of protection: - -- [SYN Flood Protection](#syn-flood-protection): Protects against attacks such as fully randomized SYN and SYN-ACK floods. -- [Out-of-state TCP Protection](#out-of-state-tcp-protection): Protects against out-of-state TCP DDoS attacks such as fully randomized ACK floods and RST floods. - -Each protection type is configured independently using rules and (optionally) filters. You should configure at least one rule for each type of protection before enabling Advanced TCP Protection. - ## SYN Flood Protection This system protects against attacks such as fully randomized SYN and SYN-ACK floods. 
You should configure at least one SYN flood rule before enabling Advanced TCP Protection. -In mitigation mode, SYN flood rules will challenge new connection initiation requests (SYN, SYN-ACK) if they exceed the configured packet-per-second thresholds. The threshold should be higher than the normal rate of legitimate SYN and SYN-ACK packets that your network receives. Packets below the threshold will not be challenged. Using the [rate sensitivity](/ddos-protection/tcp-protection/rule-settings/#rate-sensitivity) and [burst sensitivity](/ddos-protection/tcp-protection/rule-settings/#burst-sensitivity) settings you can increase or decrease the tolerance of SYN and SYN-ACK packets. +In mitigation mode, SYN flood rules will challenge new connection initiation requests (SYN, SYN-ACK) if they exceed the configured packet-per-second thresholds. The threshold should be higher than the normal rate of legitimate SYN and SYN-ACK packets that your network receives. Packets below the threshold will not be challenged. Using the [rate sensitivity](/ddos-protection/advanced-ddos-systems/rule-settings/#rate-sensitivity) and [burst sensitivity](/ddos-protection/advanced-ddos-systems/rule-settings/#burst-sensitivity) settings you can increase or decrease the tolerance of SYN and SYN-ACK packets. -For more information on the configuration settings of SYN flood rules, refer to [Rule settings](/ddos-protection/tcp-protection/rule-settings/). +For more information on the configuration settings of SYN flood rules, refer to [Rule settings](/ddos-protection/advanced-ddos-systems/rule-settings/). ## Out-of-state TCP Protection This system protects against out-of-state TCP DDoS attacks such as fully randomized ACK floods and RST floods. You should configure one out-of-state TCP rule before enabling Advanced TCP Protection. 
-In mitigation mode, out-of-state TCP rules will drop out-of-state packets that do not belong to existing (and tracked) TCP connections if their rates exceed the configured thresholds. The threshold should be higher than the normal rate of non SYN or SYN-ACK TCP packets that your network receives. Packets below the threshold will not be evaluated. Using the [rate sensitivity](/ddos-protection/tcp-protection/rule-settings/#rate-sensitivity) and [burst sensitivity](/ddos-protection/tcp-protection/rule-settings/#burst-sensitivity) settings you can increase or decrease the tolerance of out-of-state TCP packets. +In mitigation mode, out-of-state TCP rules will drop out-of-state packets that do not belong to existing (and tracked) TCP connections if their rates exceed the configured thresholds. The threshold should be higher than the normal rate of non SYN or SYN-ACK TCP packets that your network receives. Packets below the threshold will not be evaluated. Using the [rate sensitivity](/ddos-protection/advanced-ddos-systems/rule-settings/#rate-sensitivity) and [burst sensitivity](/ddos-protection/advanced-ddos-systems/rule-settings/#burst-sensitivity) settings you can increase or decrease the tolerance of out-of-state TCP packets. + +For more information on the configuration settings of out-of-state TCP rules, refer to [Rule settings](/ddos-protection/advanced-ddos-systems/rule-settings/). -For more information on the configuration settings of out-of-state TCP rules, refer to [Rule settings](/ddos-protection/tcp-protection/rule-settings/). +--- + +## Setup + +[Create a global configuration](/ddos-protection/advanced-ddos-systems/setup/#3-create-a-global-configuration) to set up SYN Flood and Out-of-state TCP rules and filters for Advanced TCP Protection. + +--- + +## Availability + +Advanced TCP Protection is available to all [Magic Transit](/magic-transit/) customers, and is disabled by default. 
Protection for simpler TCP-based DDoS attacks is also included as part of the [Network-layer DDoS Attack Protection managed ruleset](/ddos-protection/managed-rulesets/network/). diff --git a/src/content/docs/ddos-protection/tcp-protection/mitigation-reasons.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/mitigation-reasons.mdx similarity index 99% rename from src/content/docs/ddos-protection/tcp-protection/mitigation-reasons.mdx rename to src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/mitigation-reasons.mdx index d14bb9b401ed227..20fbfc6e2563cc4 100644 --- a/src/content/docs/ddos-protection/tcp-protection/mitigation-reasons.mdx +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/mitigation-reasons.mdx @@ -2,7 +2,7 @@ title: Mitigation reasons pcx_content_type: reference sidebar: - order: 10 + order: 3 head: - tag: title content: Advanced TCP Protection mitigation reasons diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/overview/index.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/overview/index.mdx new file mode 100644 index 000000000000000..7b116e7b1163c34 --- /dev/null +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/overview/index.mdx 
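Review bot: the replacement Setup section in advanced-tcp-protection/index.mdx links only to `/ddos-protection/advanced-ddos-systems/setup/#3-create-a-global-configuration`, whereas the removed `## Get started` section pointed at the whole setup page. Step 3 presupposes steps 1 and 2 (initial thresholds configured by the account team, prefixes added), so link to the top of the setup page or name those prerequisites here. Also, the two protection-type links in the moved list now use full page URLs (`/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/#syn-flood-protection`) where the removed lines used in-page fragments (`#syn-flood-protection`); the fragments are shorter and survive the next path move.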
@@ -0,0 +1,35 @@ +--- +title: Overview +pcx_content_type: overview +sidebar: + order: 1 + label: General settings +head: + - tag: title + content: Advanced DDoS Protection systems + +--- + +import { GlossaryTooltip } from "~/components" + +Advanced DDoS Protection systems are configured using the general settings, [Advanced TCP Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/), and [Advanced DNS Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection/). + +## General settings + +General settings enable and control the use of the Advanced TCP Protection and the Advanced DNS Protection systems, and are composed of thresholds, prefixes, rules, and enablement. To configure the general settings, refer to [Setup](/ddos-protection/advanced-ddos-systems/setup/). + +### Thresholds + +Thresholds are based on your network's unique traffic, they define the sensitivity levels, and are configured by Cloudflare. + +### Prefixes + +Add prefixes to instruct the system on which traffic to route through the system. + +### Rules + +Create rules for the TCP and DNS Protection systems to enable mitigation. Start with Monitoring mode. + +### Enablement + +Enable the Advanced DDoS system and begin routing traffic through it. \ No newline at end of file diff --git a/src/content/docs/ddos-protection/tcp-protection/rule-settings.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/rule-settings.mdx similarity index 90% rename from src/content/docs/ddos-protection/tcp-protection/rule-settings.mdx rename to src/content/docs/ddos-protection/advanced-ddos-systems/rule-settings.mdx index acdd628194ef163..46b5bdedd7c060f 100644 --- a/src/content/docs/ddos-protection/tcp-protection/rule-settings.mdx +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/rule-settings.mdx 
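Review bot: in the new overview/index.mdx, `import { GlossaryTooltip } from "~/components"` is unused, and the file ends without a trailing newline. In the Thresholds text, `Thresholds are based on your network's unique traffic, they define the sensitivity levels, and are configured by Cloudflare.` is a comma splice; suggest `Thresholds are configured by Cloudflare based on your network's traffic and define what the sensitivity levels mean for your account.` The Prefixes sentence repeats `the system` twice (`Add prefixes to instruct the system on which traffic to route through the system.`); `Add prefixes to select which traffic is routed through the system.` reads better.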
@@ -20,7 +20,7 @@ Advanced TCP Protection rules can have one of the following scopes: The rule scope allows you to adjust the system's tolerance for out-of-state packets in locations where you may have more or less traffic than usual, or due to any other networking reasons. -Besides defining rules with one of the above scopes, you must also select the [prefixes](/ddos-protection/tcp-protection/concepts/#prefixes) that you wish to protect with Advanced TCP Protection. +Besides defining rules with one of the above scopes, you must also select the [prefixes](/ddos-protection/advanced-ddos-systems/concepts/#prefixes) that you wish to protect with Advanced TCP Protection. ## Mode @@ -30,7 +30,8 @@ The Advanced TCP Protection system constantly learns your TCP connections to mit - In this mode, Advanced TCP Protection will not impact any packets. Instead, the protection system will learn your legitimate TCP connections and show you what it would have mitigated. Check Network Analytics to visualize what actions Advanced TCP Protection would have taken on incoming packets, according to the current configuration. - **​​Mitigation (Enabled)** - - In this mode, Advanced TCP Protection will learn your legitimate TCP connections and perform mitigation actions on incoming TCP DDoS attacks based on the rule configuration (burst and rate sensitivity) and your [allowlist](/ddos-protection/tcp-protection/concepts/#allowlist). + - In this mode, Advanced TCP Protection will learn your legitimate TCP connections and perform mitigation actions on incoming TCP DDoS attacks based on the rule configuration (burst and rate sensitivity) and your [allowlist](/ddos-protection/advanced-ddos-systems/concepts/#allowlist). + - **Disabled** - In this mode, a rule will not evaluate any incoming packets. 
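Review bot: the first rule-settings.mdx hunk (`@@ -20,7 +20,7 @@`) only updates the concepts link and leaves `Advanced TCP Protection rules can have one of the following scopes` and `that you wish to protect with Advanced TCP Protection` unchanged, yet create-rule.mdx in this patch now links DNS rules to `rule-settings/#scope`, `#burst-sensitivity` and `#rate-sensitivity`. Since the page already gets a `Profile sensitivity is available for Advanced DNS Protection only` note, add the mirror statement that scope, mode, burst sensitivity and rate sensitivity apply to both TCP and DNS rules, or rename the page's references from Advanced TCP Protection to Advanced DDoS Protection.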
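Review bot: the second rule-settings.mdx hunk (`@@ -30,7 +30,8 @@`) inserts an empty `+` line between the `**Mitigation (Enabled)**` item and the `**Disabled**` item, which in MDX turns the Mode list into a loose list with paragraph spacing on every item or, depending on indentation, starts a second list; remove the blank line so the three modes render as one tight list as they did before.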
@@ -55,6 +56,10 @@ The default rate sensitivity is _Medium_. ## Profile sensitivity +:::note +Profile sensitivity is available for Advanced DNS Protection only. +::: + The sensitivity to DNS queries that have not been recently seen. - A higher sensitivity level means that the mitigation system will begin mitigating faster. diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/setup.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/setup.mdx new file mode 100644 index 000000000000000..0dd1c88a55d701b --- /dev/null +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/setup.mdx 
@@ -0,0 +1,46 @@ +--- +title: Advanced DDoS Protection setup +pcx_content_type: how-to +sidebar: + order: 2 + label: Setup + +--- + +import { GlossaryTooltip, Render } from "~/components" + +Follow the steps described in the below to get started with Advanced DDoS Protection systems. + +## 1. Request initial configuration + +When you get access to Advanced DDoS Protection systems, there are no configured thresholds in your account. + +Thresholds are based on your network's individual behavior, derived from your traffic profile as monitored by Cloudflare. Defining the thresholds will effectively determine what the _High_, _Medium_, and _Low_ [sensitivities](/ddos-protection/advanced-ddos-systems/rule-settings/#burst-sensitivity) will be for your specific case. + +Ask your Implementation Manager to configure initial threshold values. + +Once thresholds are configured, the Implementation Manager will let you know that Advanced DDoS Protection systems have been initialized and can be configured and enabled. + +## 2. Add prefixes + +[Add the prefixes](/ddos-protection/advanced-ddos-systems/how-to/add-prefix/) you would like to use with Advanced TCP and DNS Protection. You will be able to register prefixes that you previously [onboarded to Magic Transit](/magic-transit/how-to/advertise-prefixes/) or a subset of these prefixes. + +You cannot add unapproved prefixes to Advanced DDoS Protection systems. Contact your account team to get help with prefix approvals. + +## 3. Create a global configuration + +[Create a rule](/ddos-protection/advanced-ddos-systems/how-to/create-rule/) for SYN Flood Protection and another rule for Out-of-state TCP Protection, both with global scope and in monitoring mode. These rules will apply to all received packets. + +Optionally, you can create [filters](/ddos-protection/advanced-ddos-systems/concepts/#filter) for each protection system component (SYN flood protection and out-of-state TCP protection). + +## 4. 
(Optional) Add IP addresses or prefixes to the allowlist + +[Add prefixes to the allowlist](/ddos-protection/advanced-ddos-systems/how-to/add-prefix-allowlist/) if their traffic should bypass Advanced DDoS Protection rules. + +The allowlist only applies to source IPs — it does not apply to your own IPs or prefixes. To exclude a subset of an onboarded prefix from Advanced TCP Protection, refer to [Exclude a prefix or a prefix subset](/ddos-protection/advanced-ddos-systems/how-to/exclude-prefix/). + +## 5. Enable Advanced DDoS Protection + +1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account. +2. Go to **L3/4 DDoS** > **Advanced Protection** > **General settings**. +3. Under **General settings**, toggle the feature status **On**. \ No newline at end of file diff --git a/src/content/docs/ddos-protection/index.mdx b/src/content/docs/ddos-protection/index.mdx index bda28b4cb7fc3b9..c0352c47a03462e 100644 --- a/src/content/docs/ddos-protection/index.mdx +++ b/src/content/docs/ddos-protection/index.mdx @@ -34,12 +34,12 @@ Protect against a variety of DDoS attacks across layers 3/4 (network layer) and Get increased protection against sophisticated DDoS attacks on layer 7 and layers 3/4. - -Detect and mitigate sophisticated out-of-state TCP attacks such as randomized and spoofed ACK floods, or SYN and SYN-ACK floods. + +Detect and mitigate sophisticated out-of-state TCP attacks such as randomized and spoofed ACK floods, or SYN and SYN-ACK floods. - -Protect against DNS-based DDoS attacks, specifically sophisticated and fully randomized DNS attacks such as random prefix attacks. + +Protect against DNS-based DDoS attacks, specifically sophisticated and fully randomized DNS attacks such as random prefix attacks. --- diff --git a/src/content/docs/ddos-protection/tcp-protection/api/index.mdx b/src/content/docs/ddos-protection/tcp-protection/api/index.mdx deleted file mode 100644 index 360e819d2afff86..000000000000000 
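Review bot: in the new setup.mdx, `Follow the steps described in the below to get started` should read `Follow the steps below to get started`, `import { GlossaryTooltip, Render } from "~/components"` imports two components the file never uses, and the file lacks a trailing newline. More substantively, step 3 (`Create a rule for SYN Flood Protection and another rule for Out-of-state TCP Protection`) covers only the TCP system although the page title, step 2 and the enablement toggle refer to both systems; add a sentence pointing to the `Create an Advanced DNS Protection rule` section of create-rule.mdx so DNS customers do not finish step 3 with no rule at all. The step 4 cross-reference title `Exclude a prefix or a prefix subset` also no longer matches the target page title `Exclude a prefix`.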
--- a/src/content/docs/ddos-protection/tcp-protection/api/index.mdx +++ /dev/null @@ -1,140 +0,0 @@ ---- -type: overview -pcx_content_type: reference -title: API configuration -sidebar: - order: 5 -head: - - tag: title - content: Configuring Advanced TCP Protection via API - ---- - -You can configure Advanced TCP Protection using the Advanced TCP Protection API. - -The Advanced TCP Protection API only supports [API token authentication](/fundamentals/api/get-started/create-token/). - -For examples of API calls, refer to [Common API calls](/ddos-protection/tcp-protection/api/examples/). - -## Endpoints - -To obtain the complete endpoint, append the Advanced TCP Protection API endpoints listed below to the Cloudflare API base URL. - -The Cloudflare API base URL is: - -```txt -https://api.cloudflare.com/client/v4 -``` - -The `{account_id}` argument is the account ID (a hexadecimal string). You can find this value in the Cloudflare dashboard. - -The tables in the following sections summarize the available operations. - -### General operations - - - -| Operation | Method and endpoint / Description | -| ------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Get Advanced TCP
Protection status |

`GET accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_protection_status`

Gets the global Advanced TCP Protection status (enabled or disabled). | -| Update Advanced
TCP Protection status |

`PATCH accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_protection_status`

Enables or disables Advanced TCP Protection. | - - - -### Prefix operations - - - -| Operation | Method and endpoint / Description | -| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| List prefixes |

`GET accounts/{account_id}/magic/advanced_tcp_protection/configs/prefixes`

Fetches all Advanced TCP Protection prefixes in the account. | -| Add prefixes in bulk |

`POST accounts/{account_id}/magic/advanced_tcp_protection/configs/prefixes/bulk`

Adds prefixes in bulk to the account (up to 300 prefixes per request). | -| Get a prefix |

`GET accounts/{account_id}/magic/advanced_tcp_protection/configs/prefixes/{prefix_id}`

Fetches the details of an existing prefix. | -| Update a prefix |

`PATCH accounts/{account_id}/magic/advanced_tcp_protection/configs/prefixes/{prefix_id}`

Updates an existing prefix. | -| Delete a prefix |

`DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/prefixes/{prefix_id}`

Deletes an existing prefix. | -| Delete all prefixes |

`DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/prefixes`

Deletes all existing prefixes from the account. | - - - -### Allowlist operations - - - -| Operation | Method and endpoint / Description | -| ------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| List allowlisted prefixes |

`GET accounts/{account_id}/magic/advanced_tcp_protection/configs/allowlist`

Fetches all prefixes in the account allowlist. | -| Add an allowlisted prefix |

`POST accounts/{account_id}/magic/advanced_tcp_protection/configs/allowlist`

Adds a prefix to the allowlist. | -| Get an allowlisted prefix |

`GET accounts/{account_id}/magic/advanced_tcp_protection/configs/allowlist/{allowlist_id}`

Fetches the details of an existing prefix in the allowlist. | -| Update an allowlisted prefix |

`PATCH accounts/{account_id}/magic/advanced_tcp_protection/configs/allowlist/{allowlist_id}`

Updates an existing prefix in the allowlist. | -| Delete an allowlisted prefix |

`DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/allowlist/{allowlist_id}`

Deletes an existing prefix from the allowlist. | -| Delete all allowlisted prefixes |

`DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/allowlist`

Deletes all existing prefixes from the allowlist. | - - - -### SYN Flood Protection operations - -#### Rules - - - -| Operation | Method and endpoint / Description | -| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| List SYN flood rules |

`GET accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/rules`

Fetches all SYN flood rules in the account. | -| Add a SYN flood rule |

`POST accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/rules`

Adds a SYN flood rule to the account. | -| Get a SYN flood rule |

`GET accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/rules/{rule_id}`

Fetches the details of an existing SYN flood rule in the account. | -| Update a SYN flood rule |

`PATCH accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/rules/{rule_id}`

Updates an existing SYN flood rule in the account. | -| Delete a SYN flood rule |

`DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/rules/{rule_id}`

Deletes an existing SYN flood rule from the account. | -| Delete all SYN flood rules |

`DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/rules`

Deletes all existing SYN flood rules from the account. | - - - -#### Filters - - - -| Operation | Method and endpoint / Description | -| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| List SYN flood filters |

`GET accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/filters`

Fetches all SYN flood filters in the account. | -| Add a SYN flood filter |

`POST accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/filters`

Adds a SYN flood filter to the account. | -| Get a SYN flood filter |

`GET accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/filters/{filter_id}`

Fetches the details of an existing SYN flood filter in the account. | -| Update a SYN flood filter |

`PATCH accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/filters/{filter_id}`

Updates an existing SYN flood filter in the account. | -| Delete a SYN flood filter |

`DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/filters/{filter_id}`

Deletes an existing SYN flood filter from the account. | -| Delete all SYN flood filters |

`DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/filters`

Deletes all existing SYN flood filters from the account. | - - - -### Out-of-state TCP Protection operations - -#### Rules - - - -| Operation | Method and endpoint / Description | -| --------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| List out-of-state TCP rules |

`GET accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/rules`

Fetches all out-of-state TCP rules in the account. | -| Add an out-of-state TCP rule |

`POST accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/rules`

Adds an out-of-state TCP rule to the account. | -| Get an out-of-state TCP rule |

`GET accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/rules/{rule_id}`

Fetches the details of an existing out-of-state TCP rule in the account. | -| Update an out-of-state TCP rule |

`PATCH accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/rules/{rule_id}`

Updates an existing out-of-state TCP rule in the account. | -| Delete an out-of-state TCP rule |

`DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/rules/{rule_id}`

Deletes an existing out-of-state TCP rule from the account. | -| Delete all out-of-state TCP rules |

`DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/rules`

Deletes all existing out-of-state TCP rules from the account. | - - - -#### Filters - - - -| Operation | Method and endpoint / Description | -| ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| List out-of-state TCP filters |

`GET accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/filters`

Fetches all out-of-state TCP filters in the account. | -| Add an out-of-state TCP filter |

`POST accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/filters`

Adds an out-of-state TCP filter to the account. | -| Get an out-of-state TCP filter |

`GET accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/filters/{filter_id}`

Fetches the details of an existing out-of-state TCP filter in the account. | -| Update an out-of-state TCP filter |

`PATCH accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/filters/{filter_id}`

Updates an existing out-of-state TCP filter in the account. | -| Delete an out-of-state TCP filter |

`DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/filters/{filter_id}`

Deletes an existing out-of-state TCP filter from the account. | -| Delete all out-of-state TCP filters |

`DELETE accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/filters`

Deletes all existing out-of-state TCP filters from the account. | - - - -## Pagination - -The API operations that return a list of items use pagination. For more information on the available pagination query parameters, refer to [Pagination](/fundamentals/api/how-to/make-api-calls/#pagination). diff --git a/src/content/docs/ddos-protection/tcp-protection/how-to/create-rule.mdx b/src/content/docs/ddos-protection/tcp-protection/how-to/create-rule.mdx deleted file mode 100644 index b82b41e0f10f03e..000000000000000 --- a/src/content/docs/ddos-protection/tcp-protection/how-to/create-rule.mdx +++ /dev/null 
@@ -1,26 +0,0 @@ ---- -title: Create a rule -pcx_content_type: how-to -sidebar: - order: 4 -head: - - tag: title - content: Create an Advanced TCP Protection rule - ---- - -import { Render } from "~/components" - -To create a [SYN flood rule](/ddos-protection/tcp-protection/#syn-flood-protection) or an [out-of-state TCP](/ddos-protection/tcp-protection/#out-of-state-tcp-protection) rule: - -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account. -2. Go to **L3/4 DDoS** > **Advanced Protection** > **Advanced TCP Protection**. -3. Depending on the rule you are creating, do one of the following: - - Under **SYN Flood Protection**, select **Create SYN flood rule**. - - Under **Out-of-state TCP Protection**, select **Create out-of-state TCP rule**. -4. In **Mode**, select a [mode](/ddos-protection/tcp-protection/rule-settings/#mode) for the rule. -5. Under **Set scope**, select a [scope](/ddos-protection/tcp-protection/rule-settings/#scope) for the rule. If you choose to apply the rule to a subset of incoming packets, select a region or a data center. -6. Under **Sensitivity**, define the [burst sensitivity](/ddos-protection/tcp-protection/rule-settings/#burst-sensitivity) and [rate sensitivity](/ddos-protection/tcp-protection/rule-settings/#rate-sensitivity) of the rule (by default, _Medium_). The sensitivity levels are based on the initially configured thresholds for your specific case. -7. Select **Deploy**. - - diff --git a/src/content/docs/ddos-protection/tcp-protection/setup.mdx b/src/content/docs/ddos-protection/tcp-protection/setup.mdx deleted file mode 100644 index 55314c80741876d..000000000000000 --- a/src/content/docs/ddos-protection/tcp-protection/setup.mdx +++ /dev/null 
@@ -1,44 +0,0 @@ ---- -title: Setup -pcx_content_type: how-to -sidebar: - order: 3 - ---- - -import { GlossaryTooltip, Render } from "~/components" - -Follow the steps described in the following sections to get started with Advanced TCP Protection. - -## 1. Request initial configuration - -When you get access to Advanced TCP Protection, there are no configured thresholds in your account. - -Thresholds are based on your network's individual behavior, derived from your traffic profile as monitored by Cloudflare. Defining the thresholds will effectively determine what the _High_, _Medium_, and _Low_ [sensitivities](/ddos-protection/tcp-protection/rule-settings/#burst-sensitivity) will be for your specific case. - -Ask your Implementation Manager to configure initial threshold values. - -Once thresholds are configured, the Implementation Manager will let you know that Advanced TCP Protection has been initialized and can be configured and enabled. - -## 2. Add prefixes - -[Add the prefixes](/ddos-protection/tcp-protection/how-to/add-prefix/) you would like to use with Advanced TCP Protection. You will be able to register prefixes that you previously [onboarded to Magic Transit](/magic-transit/how-to/advertise-prefixes/) or a subset of these prefixes. - -You cannot add unapproved prefixes to Advanced TCP Protection. Contact your account team to get help with prefix approvals. - -## 3. (Optional) Add IP addresses or prefixes to the allowlist - -[Add prefixes to the allowlist](/ddos-protection/tcp-protection/how-to/add-prefix-allowlist/) if their traffic should bypass Advanced TCP Protection rules. - -The allowlist only applies to source IPs — it does not apply to your own IPs or prefixes. To exclude a subset of an onboarded prefix from Advanced TCP Protection, refer to [Exclude a prefix or a prefix subset](/ddos-protection/tcp-protection/how-to/exclude-prefix/). - -## 4. 
Create a global configuration - -[Create a rule](/ddos-protection/tcp-protection/how-to/create-rule/) for SYN Flood Protection and another rule for Out-of-state TCP Protection, both with global scope and in monitoring mode. These rules will apply to all received packets. - -Optionally, you can create [filters](/ddos-protection/tcp-protection/concepts/#filter) for each protection system component (SYN flood protection and out-of-state TCP protection). - -## 5. Enable Advanced TCP Protection - -1. In the Cloudflare dashboard, go to Account Home > **L3/4 DDoS** > **Advanced TCP Protection**. -2. Under **General settings**, toggle the feature status to **Enabled**. \ No newline at end of file From d46c4105a38c8db7639e385a146284dbc62e7338 Mon Sep 17 00:00:00 2001 From: Patricia Loraine Santa Ana Date: Mon, 30 Sep 2024 18:02:51 -0700 Subject: [PATCH 2/9] new links --- .../network-analytics-v2/index.mdx | 2 +- .../understand/main-dashboard.mdx | 4 ++-- .../api/tcp-protection/examples.mdx | 14 +++++++------- .../advanced-ddos-systems/concepts.mdx | 4 ++-- .../advanced-ddos-systems/how-to/create-filter.mdx | 2 +- .../overview/advanced-dns-protection.mdx | 4 ++-- .../managed-rulesets/network/index.mdx | 2 +- .../docs/ddos-protection/reference/alerts.mdx | 2 +- src/content/docs/magic-transit/ddos.mdx | 8 ++++---- .../ddos-protection/atp-filter-definition.mdx | 2 +- .../atp-filters-rules-precedence.mdx | 2 +- .../ddos-protection/ddos-attack-coverage.mdx | 4 ++-- src/content/plans/index.json | 4 ++-- 13 files changed, 27 insertions(+), 27 deletions(-) diff --git a/src/content/docs/analytics/graphql-api/migration-guides/network-analytics-v2/index.mdx b/src/content/docs/analytics/graphql-api/migration-guides/network-analytics-v2/index.mdx index a97a5142b24c641..edf0bb7064dd7a1 100644 --- a/src/content/docs/analytics/graphql-api/migration-guides/network-analytics-v2/index.mdx +++ b/src/content/docs/analytics/graphql-api/migration-guides/network-analytics-v2/index.mdx 
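Review bot: the deleted tcp-protection/api/index.mdx page carries heading anchors that stay link targets after the move, so the replacement page under advanced-ddos-systems/api/tcp-protection/ must keep the same heading text: `## Endpoints` and `### Prefix operations` in this hunk are linked as `#endpoints` (from examples.mdx) and `#prefix-operations` (from advanced-dns-protection.mdx) at the new path in the follow-up "new links" patch, and a renamed heading would silently break both. Also confirm a redirect from `/ddos-protection/tcp-protection/api/` to the new page exists, since this hunk removes the page outright and nothing visible in the series adds one; external bookmarks to the old URL would otherwise 404.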
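Review bot: the two deleted how-to pages disagree on the dashboard navigation path, and the replacement pages should settle on one. Step 1 under "5. Enable Advanced TCP Protection" in the removed setup.mdx reads `Account Home > **L3/4 DDoS** > **Advanced TCP Protection**`, while step 2 of the removed create-rule.mdx (and create-filter.mdx in the next patch) uses `**L3/4 DDoS** > **Advanced Protection** > **Advanced TCP Protection**`. Since the setup content is being moved anyway, carry over the three-level path so the setup and how-to pages match.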
@@ -113,6 +113,6 @@ The following example queries the top 20 logs of traffic dropped by mitigation s The `mitigationSystem` field can take one the following values: * `dosd` for [DDoS managed rulesets](/ddos-protection/managed-rulesets/) (Network-layer DDoS Attack Protection or HTTP DDoS Attack Protection). -* `flowtrackd` for [Advanced TCP Protection](/ddos-protection/tcp-protection/). +* `flowtrackd` for [Advanced TCP Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/). * `magic-firewall` for [Magic Firewall](/magic-firewall/). * Empty string for unmitigated traffic. diff --git a/src/content/docs/analytics/network-analytics/understand/main-dashboard.mdx b/src/content/docs/analytics/network-analytics/understand/main-dashboard.mdx index c9923463e19499c..f8b6ad9333466f8 100644 --- a/src/content/docs/analytics/network-analytics/understand/main-dashboard.mdx +++ b/src/content/docs/analytics/network-analytics/understand/main-dashboard.mdx @@ -25,8 +25,8 @@ The following table contains a summary of what is shown in each tab: | --------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------- | | **All traffic** | Traffic dropped by DDoS managed rules, Advanced TCP Protection, Advanced DNS Protection, and Magic Firewall, and traffic passed to the origin server. | Traffic dropped and passed by DDoS managed rules. | | **DDoS managed
rules** | Traffic dropped and passed by [DDoS managed rules](/ddos-protection/managed-rulesets/). | Traffic dropped and passed by [DDoS managed rules](/ddos-protection/managed-rulesets/). | -| **TCP
Protection** | Traffic dropped and passed by the [Advanced TCP Protection](/ddos-protection/tcp-protection/) system. Does not include traffic dropped by DDoS managed rules. | N/A | -| **DNS
Protection** | Traffic dropped and passed by the [Advanced DNS Protection](/ddos-protection/dns-protection/) system. Does not include traffic dropped by DDoS managed rules. | N/A | +| **TCP
Protection** | Traffic dropped and passed by the [Advanced TCP Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/) system. Does not include traffic dropped by DDoS managed rules. | N/A | +| **DNS
Protection** | Traffic dropped and passed by the [Advanced DNS Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection/) system. Does not include traffic dropped by DDoS managed rules. | N/A | | **Magic Firewall** | Traffic dropped by [Magic Firewall](/magic-firewall/) and traffic passed to the origin server. Does not include traffic dropped by DDoS managed rules, Advanced TCP Protection, or Advanced DNS Protection. | N/A | diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/api/tcp-protection/examples.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/api/tcp-protection/examples.mdx index 1ecd5daea218e45..0573733109c1557 100644 --- a/src/content/docs/ddos-protection/advanced-ddos-systems/api/tcp-protection/examples.mdx +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/api/tcp-protection/examples.mdx @@ -6,7 +6,7 @@ sidebar: --- -The following sections contain example requests for common API calls. For a list of available API endpoints, refer to [Endpoints](/ddos-protection/tcp-protection/api/#endpoints). +The following sections contain example requests for common API calls. For a list of available API endpoints, refer to [Endpoints](/ddos-protection/advanced-ddos-systems/api/tcp-protection/#endpoints). ## Get Advanced TCP Protection status @@ -207,7 +207,7 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/advanced_t } ``` -Refer to [JSON objects](/ddos-protection/tcp-protection/api/json-objects/) for more information on the fields in the JSON body. +Refer to [JSON objects](/ddos-protection/advanced-ddos-systems/api/tcp-protection/json-objects/) for more information on the fields in the JSON body. ## Create an out-of-state TCP rule 
@@ -244,11 +244,11 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/advanced_t } ``` -Refer to [JSON objects](/ddos-protection/tcp-protection/api/json-objects/) for more information on the fields in the JSON body. +Refer to [JSON objects](/ddos-protection/advanced-ddos-systems/api/tcp-protection/json-objects/) for more information on the fields in the JSON body. ## Create a SYN flood filter -This example `POST` request creates a SYN flood [filter](/ddos-protection/tcp-protection/concepts/#filter), setting SYN flood protection to monitoring mode for a specific range of destination IP addresses. +This example `POST` request creates a SYN flood [filter](/ddos-protection/advanced-ddos-systems/concepts/#filter), setting SYN flood protection to monitoring mode for a specific range of destination IP addresses. ```bash title="Request" curl https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/advanced_tcp_protection/configs/syn_protection/filters \ 
@@ -275,11 +275,11 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/advanced_t } ``` -Refer to [JSON objects](/ddos-protection/tcp-protection/api/json-objects/) for more information on the fields in the JSON body. +Refer to [JSON objects](/ddos-protection/advanced-ddos-systems/api/tcp-protection/json-objects/) for more information on the fields in the JSON body. ## Create an out-of-state TCP filter -This example `POST` request creates an out-of-state TCP [filter](/ddos-protection/tcp-protection/concepts/#filter), disabling out-of-state TCP protection for a specific range of destination IP addresses and ports. +This example `POST` request creates an out-of-state TCP [filter](/ddos-protection/advanced-ddos-systems/concepts/#filter), disabling out-of-state TCP protection for a specific range of destination IP addresses and ports. ```bash title="Request" curl https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/advanced_tcp_protection/configs/tcp_flow_protection/filters \ @@ -306,4 +306,4 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/advanced_t } ``` -Refer to [JSON objects](/ddos-protection/tcp-protection/api/json-objects/) for more information on the fields in the JSON body. +Refer to [JSON objects](/ddos-protection/advanced-ddos-systems/api/tcp-protection/json-objects/) for more information on the fields in the JSON body. diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/concepts.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/concepts.mdx index 54d9c74085bbb32..415305cb15d4b59 100644 --- a/src/content/docs/ddos-protection/advanced-ddos-systems/concepts.mdx +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/concepts.mdx 
@@ -32,7 +32,7 @@ For example, you could add prefixes used only by partners of your company to the ## Rule -A rule configures Advanced TCP Protection for a given [scope](/ddos-protection/tcp-protection/rule-settings/#scope), according to several [settings](/ddos-protection/tcp-protection/rule-settings/): execution mode, burst sensitivity, and rate sensitivity. +A rule configures Advanced TCP Protection for a given [scope](/ddos-protection/advanced-ddos-systems/rule-settings/#scope), according to several [settings](/ddos-protection/advanced-ddos-systems/rule-settings/): execution mode, burst sensitivity, and rate sensitivity. Each system component (SYN flood protection and out-of-state TCP protection) has its own list of rules, and it should have at least one rule. @@ -48,7 +48,7 @@ Each Advanced TCP Protection system component has its own filters. You can confi When there is a match, a filter will alter the execution mode for all configured rules in a given system component (SYN flood protection or out-of-state TCP protection), including disabled rules. -For instructions on creating filters in the Cloudflare dashboard, refer to [Create a filter](/ddos-protection/tcp-protection/how-to/create-filter/). For API examples, refer to [Common API calls](/ddos-protection/tcp-protection/api/examples/). +For instructions on creating filters in the Cloudflare dashboard, refer to [Create a filter](/ddos-protection/advanced-ddos-systems/how-to/create-filter/). For API examples, refer to [Common API calls](/ddos-protection/advanced-ddos-systems/api/tcp-protection/examples/). ### Example use case diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/create-filter.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/create-filter.mdx index d9f64aecc848673..21628fb2487c71b 100644 --- a/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/create-filter.mdx 
+++ b/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/create-filter.mdx @@ -17,7 +17,7 @@ Each protection system component (SYN flood protection or out-of-state TCP prote ## Procedure -To create a [filter](/ddos-protection/tcp-protection/concepts/#filter) for one of the system components: +To create a [filter](/ddos-protection/advanced-ddos-systems/concepts/#filter) for one of the system components: 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account. 2. Go to **L3/4 DDoS** > **Advanced Protection** > **Advanced TCP Protection**. diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection.mdx index 77530df22640b11..e48c9509a1a5570 100644 --- a/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection.mdx +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection.mdx @@ -33,7 +33,7 @@ The [Network Analytics dashboard](/analytics/network-analytics/) will display sy If you cannot find any data related to Advanced DNS Protection in the **DNS Protection** tab of Network Analytics, it could be because one of these reasons: -- You did not [add your prefixes](/ddos-protection/tcp-protection/how-to/add-prefix/) to Advanced L3/4 DDoS Protection. +- You did not [add your prefixes](/ddos-protection/advanced-ddos-systems/how-to/add-prefix/) to Advanced L3/4 DDoS Protection. - Cloudflare did not enable the Advanced DNS Protection system yet. - You do not have any DNS over UDP traffic. 
@@ -45,7 +45,7 @@ Cloudflare collects DNS-related data such as query type (for example, `A` record :::caution -Currently, to disable this data collection you must remove your prefixes either in the Cloudflare dashboard or through the [Delete a prefix](/ddos-protection/tcp-protection/api/#prefix-operations) API operation. However, this procedure will remove the prefixes from both Advanced DNS Protection and [Advanced TCP Protection](/ddos-protection/tcp-protection/). +Currently, to disable this data collection you must remove your prefixes either in the Cloudflare dashboard or through the [Delete a prefix](/ddos-protection/advanced-ddos-systems/api/tcp-protection/#prefix-operations) API operation. However, this procedure will remove the prefixes from both Advanced DNS Protection and [Advanced TCP Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/). ::: --- diff --git a/src/content/docs/ddos-protection/managed-rulesets/network/index.mdx b/src/content/docs/ddos-protection/managed-rulesets/network/index.mdx index 141853a417cfbb2..28a671ae9780172 100644 --- a/src/content/docs/ddos-protection/managed-rulesets/network/index.mdx +++ b/src/content/docs/ddos-protection/managed-rulesets/network/index.mdx 
@@ -49,7 +49,7 @@ However, only Magic Transit and Spectrum customers on an Enterprise plan can cus Magic Transit customers can configure the following additional products: -- Enable [Advanced TCP Protection](/ddos-protection/tcp-protection/) to detect and mitigate sophisticated out-of-state TCP attacks such as randomized and spoofed ACK floods or SYN and SYN-ACK floods. +- Enable [Advanced TCP Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/) to detect and mitigate sophisticated out-of-state TCP attacks such as randomized and spoofed ACK floods or SYN and SYN-ACK floods. - Create custom [Magic Firewall](/magic-firewall/) rules to block additional network-layer attacks. Spectrum customers can use [IP Access](/waf/tools/ip-access-rules/) rules to block additional network-layer attacks. diff --git a/src/content/docs/ddos-protection/reference/alerts.mdx b/src/content/docs/ddos-protection/reference/alerts.mdx index a6f9996c88e24bc..788c5c8bfe78bbe 100644 --- a/src/content/docs/ddos-protection/reference/alerts.mdx +++ b/src/content/docs/ddos-protection/reference/alerts.mdx 
@@ -90,6 +90,6 @@ To investigate a possibly ongoing attack, select **View Dashboard**. To go to th - Spectrum and Magic Transit customers using [assigned Cloudflare IP addresses](/magic-transit/cloudflare-ips/) will receive layer 3/4 DDoS attack alerts where the attacked target is the Cloudflare IP or prefix. If you have [brought your own IP (BYOIP)](/byoip/) to Cloudflare Spectrum or Magic Transit, you will see your own IP addresses or prefixes as the attacked target. - In some cases, HTTP DDoS attack alerts will reference the attacked zone name instead of the attacked hostname. This occurs when the attack signature does not include information on the attacked hostname because it is not a strong indicator for identifying attack requests. For more information on attack signatures, refer to [How DDoS protection works](/ddos-protection/about/how-ddos-protection-works/). -- DDoS alerts are currently only available for DDoS attacks detected and mitigated by the [DDoS managed rulesets](/ddos-protection/managed-rulesets/). Alerts are not yet available for DDoS attacks detected and mitigated by the [Advanced TCP Protection](/ddos-protection/tcp-protection/) and the [Advanced DNS Protection](/ddos-protection/dns-protection/) system. +- DDoS alerts are currently only available for DDoS attacks detected and mitigated by the [DDoS managed rulesets](/ddos-protection/managed-rulesets/). Alerts are not yet available for DDoS attacks detected and mitigated by the [Advanced TCP Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/) and the [Advanced DNS Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection/) system. - You will not receive duplicate DDoS alerts within the same one-hour time frame. - If you configure more than one alert type for the same kind of attack (for example, both an HTTP DDoS Attack Alert and an Advanced HTTP DDoS Attack Alert) you may get more than one notification when an attack occurs. 
To avoid receiving duplicate notifications, delete one of the configured alerts. diff --git a/src/content/docs/magic-transit/ddos.mdx b/src/content/docs/magic-transit/ddos.mdx index 17987783a244abc..31bf4830f5b4211 100644 --- a/src/content/docs/magic-transit/ddos.mdx +++ b/src/content/docs/magic-transit/ddos.mdx @@ -11,8 +11,8 @@ head: Cloudflare DDoS protection automatically detects and mitigates Distributed Denial of Service (DDoS) attacks using its Autonomous Edge. Magic Transit customers have access to additional features, such as: -- [Advanced TCP protection](/ddos-protection/tcp-protection/) (disabled by default) -- [Advanced DNS protection (beta)](/ddos-protection/dns-protection/) +- [Advanced TCP protection](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/) (disabled by default) +- [Advanced DNS protection (beta)](/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection/) Refer to [Cloudflare DDoS documentation](/ddos-protection/) for more information. @@ -23,6 +23,6 @@ Refer to [Cloudflare DDoS documentation](/ddos-protection/) for more information The execution order of the different mitigation systems for Magic Transit customers is the following: 1. [DDoS managed rulesets](/ddos-protection/managed-rulesets/) -2. [Advanced TCP Protection](/ddos-protection/tcp-protection/) -3. [Advanced DNS Protection](/ddos-protection/dns-protection/) +2. [Advanced TCP Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/) +3. [Advanced DNS Protection](/ddos-protection/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection/) 4. [Magic Firewall](/magic-firewall/) diff --git a/src/content/partials/ddos-protection/atp-filter-definition.mdx b/src/content/partials/ddos-protection/atp-filter-definition.mdx index 94d007561a9c14d..68623b6f614c8e0 100644 --- a/src/content/partials/ddos-protection/atp-filter-definition.mdx +++ b/src/content/partials/ddos-protection/atp-filter-definition.mdx 
@@ -3,4 +3,4 @@ --- -A filter modifies Advanced TCP Protection's [execution mode](/ddos-protection/tcp-protection/rule-settings/#mode) — monitoring, mitigation (enabled), or disabled — for all incoming packets matching an expression. +A filter modifies Advanced TCP Protection's [execution mode](/ddos-protection/advanced-ddos-systems/rule-settings/#mode) — monitoring, mitigation (enabled), or disabled — for all incoming packets matching an expression. diff --git a/src/content/partials/ddos-protection/atp-filters-rules-precedence.mdx b/src/content/partials/ddos-protection/atp-filters-rules-precedence.mdx index 012d96a4f789080..856694a96d0c99c 100644 --- a/src/content/partials/ddos-protection/atp-filters-rules-precedence.mdx +++ b/src/content/partials/ddos-protection/atp-filters-rules-precedence.mdx @@ -5,5 +5,5 @@ :::note[Note] -Filters take precedence over rules. For details on how the execution mode is determined, refer to [Determining the execution mode](/ddos-protection/tcp-protection/concepts/#determining-the-execution-mode). +Filters take precedence over rules. For details on how the execution mode is determined, refer to [Determining the execution mode](/ddos-protection/advanced-ddos-systems/concepts/#determining-the-execution-mode). ::: diff --git a/src/content/partials/ddos-protection/ddos-attack-coverage.mdx b/src/content/partials/ddos-protection/ddos-attack-coverage.mdx index 61bb3b0ae516e10..3ebded33d021006 100644 --- a/src/content/partials/ddos-protection/ddos-attack-coverage.mdx +++ b/src/content/partials/ddos-protection/ddos-attack-coverage.mdx 
@@ -8,8 +8,8 @@ import { GlossaryTooltip } from "~/components" | OSI Layer | Ruleset / Feature | Example of covered DDoS attack vectors | | --------------- | ---------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | L3/4 | [Network-layer DDoS Attack Protection](/ddos-protection/managed-rulesets/network/) | UDP flood attack
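Review bot: the `@@ -23,6 +23,6 @@` hunk of src/content/docs/magic-transit/ddos.mdx introduces a broken link: the new third item of the execution-order list points at `/ddos-protection/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection/`, with the `ddos-protection/` segment doubled, whereas every other hunk in this patch (including the `@@ -11,8 +11,8 @@` hunk in the same file) uses `/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection/`. The follow-up `[PATCH 3/9] fix broken link` commit touches the same file; squash that fix into this commit so the series does not leave a 404 at this point in history.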
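Review bot: the `@@ -90,6 +90,6 @@` hunk of src/content/docs/ddos-protection/reference/alerts.mdx rewrites the bullet on alert availability but keeps a number-agreement slip in it: "detected and mitigated by the [Advanced TCP Protection](...) and the [Advanced DNS Protection](...) system" names two systems, so the line should end "systems" (or drop the trailing noun). Since the `+` line is already being changed for the new URLs, this is the moment to fix the wording rather than leave it for another pass.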
SYN floods
SYN-ACK reflection attack
ACK floods
Mirai and Mirai-variant L3/4 attacks
ICMP flood attack
SNMP flood attack
QUIC flood attack
Out of state TCP attacks
Protocol violation attacks
SIP attacks
ESP flood
DNS amplification attack
DNS Garbage Flood
DNS NXDOMAIN flood
DNS Query flood

For more DNS protection options, refer to [Getting additional DNS protection](/ddos-protection/about/attack-coverage/#getting-additional-dns-protection). | -| L3/4 | [Advanced TCP Protection](/ddos-protection/tcp-protection/) [^1] | Fully randomized and spoofed ACK floods, SYN floods, SYN-ACK reflection attacks, and other sophisticated TCP-based DDoS attacks | -| L7 | [Advanced DNS Protection](/ddos-protection/dns-protection/) [^1] | Sophisticated and fully randomized DNS attacks, including random-prefix attacks and DNS laundering attacks | +| L3/4 | [Advanced TCP Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/) [^1] | Fully randomized and spoofed ACK floods, SYN floods, SYN-ACK reflection attacks, and other sophisticated TCP-based DDoS attacks | +| L7 | [Advanced DNS Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection/) [^1] | Sophisticated and fully randomized DNS attacks, including random-prefix attacks and DNS laundering attacks | | L7 (HTTP/HTTPS) | [HTTP DDoS Attack Protection](/ddos-protection/managed-rulesets/http/) | HTTP flood attack
WordPress pingback attack
HULK attack
LOIC attack
Slowloris attack
Mirai and Mirai-variant HTTP attacks | [^1]: Available to Magic Transit customers. diff --git a/src/content/plans/index.json b/src/content/plans/index.json index 72c05d5690fa1ea..6ad580b84bd2d38 100644 --- a/src/content/plans/index.json +++ b/src/content/plans/index.json @@ -1406,7 +1406,7 @@ }, "tcp_protection": { "title": "Advanced TCP Protection", - "link": "/ddos-protection/tcp-protection/", + "link": "/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/", "free": "Available to [Magic Transit](/magic-transit/) customers", "pro": "Available to [Magic Transit](/magic-transit/) customers", "biz": "Available to [Magic Transit](/magic-transit/) customers", @@ -1415,7 +1415,7 @@ }, "u_dns_protection": { "title": "Advanced DNS Protection", - "link": "/ddos-protection/dns-protection/", + "link": "/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection/", "free": "Available to [Magic Transit](/magic-transit/) customers", "pro": "Available to [Magic Transit](/magic-transit/) customers", "biz": "Available to [Magic Transit](/magic-transit/) customers", From 26f4529ad2a36f14b27cf7f39a828b2af9a03c03 Mon Sep 17 00:00:00 2001 From: Patricia Loraine Santa Ana Date: Tue, 1 Oct 2024 07:48:06 -0700 Subject: [PATCH 3/9] fix broken link --- src/content/docs/magic-transit/ddos.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/magic-transit/ddos.mdx b/src/content/docs/magic-transit/ddos.mdx index 31bf4830f5b4211..eb2d05fb3564941 100644 --- a/src/content/docs/magic-transit/ddos.mdx +++ b/src/content/docs/magic-transit/ddos.mdx 
@@ -24,5 +24,5 @@ The execution order of the different mitigation systems for Magic Transit custom 1. [DDoS managed rulesets](/ddos-protection/managed-rulesets/) 2. [Advanced TCP Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/) -3. [Advanced DNS Protection](/ddos-protection/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection/) +3. [Advanced DNS Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection/) 4. [Magic Firewall](/magic-firewall/) From a6bdea36a379cd7f6c4dc70be5d3d4f6f99db58a Mon Sep 17 00:00:00 2001 From: Patricia Loraine Santa Ana Date: Tue, 1 Oct 2024 10:59:49 -0700 Subject: [PATCH 4/9] concepts wording --- .../advanced-ddos-systems/concepts.mdx | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/concepts.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/concepts.mdx index 415305cb15d4b59..1dd23fa85d1b5cf 100644 --- a/src/content/docs/ddos-protection/advanced-ddos-systems/concepts.mdx +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/concepts.mdx 
@@ -13,26 +13,26 @@ import { GlossaryTooltip, Render } from "~/components" ## Prefixes -Advanced TCP Protection protects the IP prefixes you select from sophisticated TCP attacks. A prefix can be an IP address or an IP range in CIDR format. You must add prefixes to Advanced TCP Protection so that Cloudflare can analyze incoming packets and offer protection against sophisticated TCP DDoS attacks. +Advanced DDoS Protection protects the IP prefixes you select from sophisticated DDoS attacks. A prefix can be an IP address or an IP range in CIDR format. You must add prefixes to Advanced DDoS Protection so that Cloudflare can analyze incoming packets and offer protection against sophisticated TCP DDoS attacks. -Prefixes added to Advanced TCP Protection must be one of the following: +Prefixes added to Advanced DDoS Protection must be one of the following: - A prefix [onboarded to Magic Transit](/magic-transit/how-to/advertise-prefixes/). - A subset of a prefix [onboarded to Magic Transit](/magic-transit/how-to/advertise-prefixes/). -You cannot add a prefix (or a subset of a prefix) that you have not onboarded to Magic Transit or whose status is still -Unapproved-. Contact your account team to get help with prefix approvals. +You cannot add a prefix (or a subset of a prefix) that you have not onboarded to Magic Transit or whose status is still _Unapproved_. Contact your account team to get help with prefix approvals. ## Allowlist -The Advanced TCP Protection allowlist is a list of prefixes that will bypass all configured Advanced TCP Protection rules. +The Advanced DDoS Protection allowlist is a list of prefixes that will bypass all configured Advanced DDoS Protection rules. -For example, you could add prefixes used only by partners of your company to the allowlist so that they are exempt from packet inspection and mitigation actions performed by Advanced TCP Protection. 
+For example, you could add prefixes used only by partners of your company to the allowlist so that they are exempt from packet inspection and mitigation actions performed by Advanced DDoS Protection. ## Rule -A rule configures Advanced TCP Protection for a given [scope](/ddos-protection/advanced-ddos-systems/rule-settings/#scope), according to several [settings](/ddos-protection/advanced-ddos-systems/rule-settings/): execution mode, burst sensitivity, and rate sensitivity. +A rule configures Advanced DDoS Protection for a given [scope](/ddos-protection/advanced-ddos-systems/rule-settings/#scope), according to several [settings](/ddos-protection/advanced-ddos-systems/rule-settings/): execution mode, burst sensitivity, and rate sensitivity. Each system component (SYN flood protection and out-of-state TCP protection) has its own list of rules, and it should have at least one rule. @@ -40,7 +40,7 @@ Each system component (SYN flood protection and out-of-state TCP protection) has The filter expression can reference source and destination IP addresses and ports. Each system component (SYN flood protection and out-of-state TCP protection) should have one or more [rules](#rule), but filters are optional. -Each Advanced TCP Protection system component has its own filters. You can configure a filter for each execution mode: +Each system component has its own filters. You can configure a filter for each execution mode: - **Mitigation Filter**: The system will drop packets matching the filter expression. - **Monitoring Filter**: The system will log packets matching the filter expression. From ee2b575e0cd5d0ee06affa753646383604330339 Mon Sep 17 00:00:00 2001 From: Patricia Loraine Santa Ana Date: Tue, 1 Oct 2024 14:05:47 -0700 Subject: [PATCH 5/9] fix step --- .../advanced-ddos-systems/how-to/exclude-prefix.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
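Review bot: the rename in the concepts.mdx hunk of PATCH 4 is only half applied. The new first paragraph opens with `Advanced DDoS Protection protects the IP prefixes you select from sophisticated DDoS attacks` but still closes with `offer protection against sophisticated TCP DDoS attacks`, and the unchanged context line under `## Rule` still says `Each system component (SYN flood protection and out-of-state TCP protection) has its own list of rules`, which reads as if DNS protection had no rules. Suggest `... offer protection against sophisticated TCP and DNS DDoS attacks` and qualifying the component sentence with `For Advanced TCP Protection, each system component ...`. The filter sentence moves the other way: `Each system component has its own filters` drops the Advanced TCP Protection qualifier, yet PATCH 8 adds the note `Filters only apply to Advanced TCP Protection.` to create-filter.mdx; keep the qualifier here so the two pages agree.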
diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/exclude-prefix.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/exclude-prefix.mdx index 47cd9ce6c548356..0800eea999fd942 100644 --- a/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/exclude-prefix.mdx +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/exclude-prefix.mdx @@ -9,7 +9,7 @@ sidebar: To exclude a prefix or a prefix subset from Advanced DDoS Protection: 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account. -2. Go to Account Home > **L3/4 DDoS** > **Advanced TCP Protection**. +2. Go to **L3/4 DDoS** > **Advanced Protection**. 3. [Add the prefix](/ddos-protection/advanced-ddos-systems/how-to/add-prefix/) you previously onboarded to Magic Transit to Advanced TCP Protection. 4. [Add the prefix](/ddos-protection/advanced-ddos-systems/how-to/add-prefix/) (or subset) you wish to exclude as a new, separate prefix in Advanced TCP Protection. 5. For the prefix you added in the previous step, select **Exclude Subset** in the **Enrolled Prefixes** list. From 89f0c14e58b4c37932ba95efc4c698190bb17804 Mon Sep 17 00:00:00 2001 From: Patricia Loraine Santa Ana Date: Tue, 1 Oct 2024 14:07:27 -0700 Subject: [PATCH 6/9] add link to note --- .../ddos-protection/advanced-ddos-systems/rule-settings.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/rule-settings.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/rule-settings.mdx index 46b5bdedd7c060f..423eda98367bc5a 100644 --- a/src/content/docs/ddos-protection/advanced-ddos-systems/rule-settings.mdx +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/rule-settings.mdx 
@@ -57,7 +57,7 @@ The default rate sensitivity is _Medium_. ## Profile sensitivity :::note -Profile sensitivity is available for Advanced DNS Protection only. +Profile sensitivity is available for [Advanced DNS Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection/) only. ::: The sensitivity to DNS queries that have not been recently seen. From 2c7924c9ebce03d5ea127e73cd304bb86c9ca6a0 Mon Sep 17 00:00:00 2001 From: Patricia Loraine Santa Ana Date: Tue, 1 Oct 2024 14:36:22 -0700 Subject: [PATCH 7/9] redirects --- public/_redirects | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/public/_redirects b/public/_redirects index b50008478dd6e91..01909218113be50 100644 --- a/public/_redirects +++ b/public/_redirects 
@@ -295,17 +295,24 @@ # ddos-protection /ddos-protection/change-log/http/2022-09-19-emergency-emergency/ /ddos-protection/change-log/http/2022-09-19-emergency/ /ddos-protection/change-log/http/2022-12-07-emergency-emergency/ /ddos-protection/change-log/http/2022-12-07-emergency/ -/ddos-protection/managed-rulesets/tcp-protection/ /ddos-protection/tcp-protection/ 301 /ddos-protection/managed-rulesets/http/location-aware-protection/ /ddos-protection/managed-rulesets/adaptive-protection/ 301 /ddos-protection/managed-rulesets/network/fields/ /ddos-protection/managed-rulesets/network/override-expressions/ 301 /support/about-cloudflare/attack-preparation-and-response/responding-to-ddos-attacks/ /ddos-protection/best-practices/respond-to-ddos-attacks/ 301 /support/about-cloudflare/attack-preparation-and-response/understanding-cloudflare-ddos-protection/ /ddos-protection/about/ 301 /ddos-protection/change-log/global-changes/ /ddos-protection/change-log/general-updates/ 301 -# Redirect the following pages temporarily (using HTTP 307 Temporary redirect) -/ddos-protection/dns-protection/rule-settings/ /ddos-protection/dns-protection/ 307 -/ddos-protection/dns-protection/api/ /ddos-protection/dns-protection/ 307 -/ddos-protection/dns-protection/api/examples/ /ddos-protection/dns-protection/ 307 -/ddos-protection/dns-protection/api/json-objects/ /ddos-protection/dns-protection/ 307 +/ddos-protection/tcp-protection/api/examples/ /ddos-protection/advanced-ddos-systems/api/tcp-protection/examples/ 301 +/ddos-protection/tcp-protection/api/json-objects/ /ddos-protection/advanced-ddos-systems/api/tcp-protection/json-objects/ 301 +/ddos-protection/tcp-protection/concepts/ /ddos-protection/advanced-ddos-systems/concepts/ 301 +/ddos-protection/tcp-protection/how-to/add-prefix-allowlist/ /ddos-protection/advanced-ddos-systems/how-to/add-prefix-allowlist/ 301 +/ddos-protection/tcp-protection/how-to/add-prefix/ /ddos-protection/advanced-ddos-systems/how-to/add-prefix/ 301 
+/ddos-protection/tcp-protection/how-to/create-filter/ /ddos-protection/advanced-ddos-systems/how-to/create-filter/ 301 +/ddos-protection/tcp-protection/how-to/exclude-prefix/ /ddos-protection/advanced-ddos-systems/how-to/exclude-prefix/ 301 +/ddos-protection/tcp-protection/how-to/ /ddos-protection/advanced-ddos-systems/how-to/ 301 +/ddos-protection/tcp-protection/ /ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/ 301 +/ddos-protection/tcp-protection/mitigation-reasons/ /ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/mitigation-reasons/ 301 +/ddos-protection/tcp-protection/rule-settings/ /ddos-protection/advanced-ddos-systems/rule-settings/ 301 +/ddos-protection/dns-protection/ /ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection/ 301 +/ddos-protection/tcp-protection/api/ /ddos-protection/advanced-ddos-systems/api/ 301 # dmarc-management /dmarc-management/manage-sources/ /dmarc-management/ 301 From 41c68eb0737bca7f5eeeb23154f7ae5a92f38b99 Mon Sep 17 00:00:00 2001 
From: Patricia Loraine Santa Ana Date: Fri, 25 Oct 2024 14:39:36 -0700 Subject: [PATCH 8/9] feedback updates --- .../advanced-ddos-systems/concepts.mdx | 87 +++++++++++++++++++ .../how-to/create-filter.mdx | 4 + .../overview/advanced-dns-protection.mdx | 21 ++--- .../index.mdx => advanced-tcp-protection.mdx} | 24 ++--- .../mitigation-reasons.mdx | 30 ------- .../advanced-ddos-systems/overview/index.mdx | 46 ++++++++-- .../advanced-ddos-systems/rule-settings.mdx | 68 --------------- .../advanced-ddos-systems/setup.mdx | 46 ---------- src/content/docs/ddos-protection/index.mdx | 2 +- 9 files changed, 147 insertions(+), 181 deletions(-) rename src/content/docs/ddos-protection/advanced-ddos-systems/overview/{advanced-tcp-protection/index.mdx => advanced-tcp-protection.mdx} (74%) delete mode 100644 src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/mitigation-reasons.mdx delete mode 100644 src/content/docs/ddos-protection/advanced-ddos-systems/rule-settings.mdx delete mode 100644 src/content/docs/ddos-protection/advanced-ddos-systems/setup.mdx diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/concepts.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/concepts.mdx index 1dd23fa85d1b5cf..003e38c1ac6e339 100644 --- a/src/content/docs/ddos-protection/advanced-ddos-systems/concepts.mdx +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/concepts.mdx 
@@ -36,6 +36,67 @@ A rule configures Advanced DDoS Protection for a given [scope](/ddos-protection/ Each system component (SYN flood protection and out-of-state TCP protection) has its own list of rules, and it should have at least one rule. +### Rule settings +Each rule type has the following settings: scope, mode, burst sensitivity, and rate sensitivity. + +You may need to adjust the burst or rate sensitivity of a rule in case of false positives or due to specific traffic patterns. + +#### Scope + +Advanced TCP Protection rules can have one of the following scopes: + +- **Global**: The rule will apply to all incoming packets. +- **Region**: The rule will apply to incoming packets in a selected region. +- **Data center**: The rule will apply to incoming packets in the selected Cloudflare data center. + +The rule scope allows you to adjust the system's tolerance for out-of-state packets in locations where you may have more or less traffic than usual, or due to any other networking reasons. + +Besides defining rules with one of the above scopes, you must also select the [prefixes](/ddos-protection/advanced-ddos-systems/concepts/#prefixes) that you wish to protect with Advanced TCP Protection. + +#### Mode + +The Advanced TCP Protection system constantly learns your TCP connections to mitigate DDoS attacks. Advanced TCP Protection rules can have one of the following execution modes: monitoring, mitigation (enabled), or disabled. + +- **Monitoring** + - In this mode, Advanced TCP Protection will not impact any packets. Instead, the protection system will learn your legitimate TCP connections and show you what it would have mitigated. Check Network Analytics to visualize what actions Advanced TCP Protection would have taken on incoming packets, according to the current configuration. 
+ +- **​​Mitigation (Enabled)** + - In this mode, Advanced TCP Protection will learn your legitimate TCP connections and perform mitigation actions on incoming TCP DDoS attacks based on the rule configuration (burst and rate sensitivity) and your [allowlist](/ddos-protection/advanced-ddos-systems/concepts/#allowlist). + +- **Disabled** + - In this mode, a rule will not evaluate any incoming packets. + +#### Burst sensitivity + +The burst sensitivity is the rule's sensitivity to short-term bursts in the packet rate: + +- A low sensitivity means that bigger spikes in the packet rate may trigger a mitigation action. +- A high sensitivity means that smaller spikes in the packet rate may trigger a mitigation action. + +The default burst sensitivity is _Medium_. + +#### Rate sensitivity + +The rate sensitivity is the rule's sensitivity to the sustained packet rate: + +- A low sensitivity means that higher sustained packet rates can trigger a mitigation action. +- A high sensitivity means that lower sustained packet rates may trigger a mitigation action. A high sensitivity offers increased protection, but you may get more false positives (that is, mitigated packets that belong to legitimate traffic). + +The default rate sensitivity is _Medium_. + +#### Profile sensitivity + +:::note +Profile sensitivity is available for [Advanced DNS Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection/) only. +::: + +The sensitivity to DNS queries that have not been recently seen. + +- A higher sensitivity level means that the mitigation system will begin mitigating faster. +- A lower sensitivity provides more tolerance for potentially suspicious DNS queries. + +The default rate sensitivity is _Medium_. + ## Filter The filter expression can reference source and destination IP addresses and ports. Each system component (SYN flood protection and out-of-state TCP protection) should have one or more [rules](#rule), but filters are optional. 
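Review bot: under `#### Profile sensitivity` the closing line `+The default rate sensitivity is _Medium_.` is copied from the rate-sensitivity subsection and should read `The default profile sensitivity is _Medium_.` Two smaller things in the same hunk: the intro `Each rule type has the following settings: scope, mode, burst sensitivity, and rate sensitivity.` omits profile sensitivity, which the hunk documents three subsections later (say `... and, for Advanced DNS Protection rules, profile sensitivity`), and the Scope and Mode subsections still say `Advanced TCP Protection rules can have one of the following scopes` and `The Advanced TCP Protection system constantly learns your TCP connections` although this page was reworded to Advanced DDoS Protection in PATCH 4; either generalize them or state that scope and mode are described for the TCP system. Also put a blank line between `### Rule settings` and the paragraph that follows it so the heading renders on its own.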
@@ -70,3 +131,29 @@ When you have both rules and filters configured, the execution mode is determine 3. Off filter (filter with `disabled` mode) 2. If no filter matched, use the execution mode determined by existing rules. 3. If no rules match, disable Advanced TCP Protection. + +--- + +## Mitigation reasons + +The Advanced TCP Protection system applies mitigation actions for different reasons based on the connection states. The **Mitigation reason** field shown in the **Advanced TCP Protection** tab of the [Network Analytics](/analytics/network-analytics/) dashboard will contain more information on why a given packet was dropped by the system. + +The connection states are the following: + +- **New**: A SYN or SYN-ACK packet has been sent to attempt to open a new connection. +- **Open**: The three-way TCP handshake has been completed and the TCP connection is open. +- **Closing**: A FIN or FIN-ACK packet has been seen attempting to close a connection. +- **Closed**: The closing three-way handshake has been completed, or an RST packet has closed the connection. + +The mitigation reasons are the following: + +| Reason | Description | +| --- | --- | +| **Unexpected** | Packet dropped because it was not expected given the current state of the TCP connection it was associated with. | +| **Challenge needed** | Packet challenged because the system determined that the packet is most likely part of a packet flood. | +| **Challenge passed** | Packet dropped because it belongs to a solved challenge. | +| **Not found** | Packet dropped because it is not part of an existing TCP connection and it is not establishing a new connection. | +| **Out of sequence** | Packet dropped because its properties (for example, TCP flags or sequence numbers) do not match the expected values for the existing connection. | +| **Already closed** | Packet dropped because it belongs to a connection that is already closed. 
| + +Mitigation will only occur based on your Advanced TCP Protection configuration (rule sensitivities, configured allowlists and prefixes). The protection system will provide some tolerance to out-of-state packets to accommodate for the natural randomness of Internet routing. diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/create-filter.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/create-filter.mdx index 21628fb2487c71b..3864f78704a6764 100644 --- a/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/create-filter.mdx +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/create-filter.mdx @@ -15,6 +15,10 @@ import { GlossaryTooltip, Render } from "~/components" Each protection system component (SYN flood protection or out-of-state TCP protection) should have at least one [rule](/ddos-protection/advanced-ddos-systems/concepts/#rule), but filters are optional. +:::note +Filters only apply to Advanced TCP Protection. +::: + ## Procedure To create a [filter](/ddos-protection/advanced-ddos-systems/concepts/#filter) for one of the system components: diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection.mdx index e48c9509a1a5570..2e69fb4c55092cb 100644 --- a/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection.mdx +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection.mdx 
@@ -25,17 +25,6 @@ The [Network Analytics dashboard](/analytics/network-analytics/) will display sy [Create a rule](/ddos-protection/advanced-ddos-systems/how-to/create-rule/#create-an-advanced-dns-protection-rule) to enable Advanced DNS Protection. ---- - -## Troubleshooting - -### No data about Advanced DNS Protection in Network Analytics - -If you cannot find any data related to Advanced DNS Protection in the **DNS Protection** tab of Network Analytics, it could be because one of these reasons: - -- You did not [add your prefixes](/ddos-protection/advanced-ddos-systems/how-to/add-prefix/) to Advanced L3/4 DDoS Protection. -- Cloudflare did not enable the Advanced DNS Protection system yet. -- You do not have any DNS over UDP traffic. --- @@ -50,11 +39,15 @@ Currently, to disable this data collection you must remove your prefixes either --- -## Availability +## Troubleshooting -Advanced DNS Protection is currently available to [Magic Transit](/magic-transit/) customers. +### No data about Advanced DNS Protection in Network Analytics -Protection for simpler DNS-based DDoS attacks is also included as part of the [Network-layer DDoS Attack Protection managed ruleset](/ddos-protection/managed-rulesets/network/). +If you cannot find any data related to Advanced DNS Protection in the **DNS Protection** tab of Network Analytics, it could be because one of these reasons: + +- You did not [add your prefixes](/ddos-protection/advanced-ddos-systems/how-to/add-prefix/) to Advanced L3/4 DDoS Protection. +- Cloudflare did not enable the Advanced DNS Protection system yet. +- You do not have any DNS over UDP traffic. --- 
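Review bot: the relocated troubleshooting bullet `You did not [add your prefixes](...) to Advanced L3/4 DDoS Protection.` introduces a third name for the feature; the rest of this series says `Advanced DDoS Protection` (concepts.mdx, exclude-prefix.mdx) and the dashboard path in PATCH 5 is `**L3/4 DDoS** > **Advanced Protection**`. Pick one name for prose and reserve the bold form for the dashboard label. The move itself is fine: both hunks leave a single `---` separator on each side, and the dropped Availability text reappears in the overview/index.mdx hunk.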
diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/index.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection.mdx similarity index 74% rename from src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/index.mdx rename to src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection.mdx index ca2206ed5179fdc..6dc8d35f6f01979 100644 --- a/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/index.mdx +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection.mdx @@ -11,6 +11,8 @@ head: Cloudflare's Advanced TCP Protection, powered by [`flowtrackd`](https://blog.cloudflare.com/announcing-flowtrackd/), is a stateful TCP inspection engine used to detect and mitigate sophisticated out-of-state TCP attacks such as randomized and spoofed ACK floods or SYN and SYN-ACK floods. +## How it works + Advanced TCP Protection can simultaneously protect against different kinds of attacks: - Pinpointed attacks targeting a specific destination IP/port combination. 
@@ -25,32 +27,24 @@ The feature offers two types of protection: Each protection type is configured independently using rules and (optionally) filters. You should configure at least one rule for each type of protection before enabling Advanced TCP Protection. ---- - -## SYN Flood Protection +### SYN Flood Protection This system protects against attacks such as fully randomized SYN and SYN-ACK floods. You should configure at least one SYN flood rule before enabling Advanced TCP Protection. -In mitigation mode, SYN flood rules will challenge new connection initiation requests (SYN, SYN-ACK) if they exceed the configured packet-per-second thresholds. The threshold should be higher than the normal rate of legitimate SYN and SYN-ACK packets that your network receives. Packets below the threshold will not be challenged. Using the [rate sensitivity](/ddos-protection/advanced-ddos-systems/rule-settings/#rate-sensitivity) and [burst sensitivity](/ddos-protection/advanced-ddos-systems/rule-settings/#burst-sensitivity) settings you can increase or decrease the tolerance of SYN and SYN-ACK packets. +In mitigation mode, SYN flood rules will challenge new connection initiation requests (SYN, SYN-ACK) if they exceed the configured packet-per-second thresholds. The threshold should be higher than the normal rate of legitimate SYN and SYN-ACK packets that your network receives. Packets below the threshold will not be challenged. Using the [rate sensitivity](/ddos-protection/advanced-ddos-systems/concepts/#rate-sensitivity) and [burst sensitivity](/ddos-protection/advanced-ddos-systems/concepts/#burst-sensitivity) settings you can increase or decrease the tolerance of SYN and SYN-ACK packets. -For more information on the configuration settings of SYN flood rules, refer to [Rule settings](/ddos-protection/advanced-ddos-systems/rule-settings/). 
+For more information on the configuration settings of SYN flood rules, refer to [Rule settings](/ddos-protection/advanced-ddos-systems/concepts/#rule-settings). -## Out-of-state TCP Protection +### Out-of-state TCP Protection This system protects against out-of-state TCP DDoS attacks such as fully randomized ACK floods and RST floods. You should configure one out-of-state TCP rule before enabling Advanced TCP Protection. -In mitigation mode, out-of-state TCP rules will drop out-of-state packets that do not belong to existing (and tracked) TCP connections if their rates exceed the configured thresholds. The threshold should be higher than the normal rate of non SYN or SYN-ACK TCP packets that your network receives. Packets below the threshold will not be evaluated. Using the [rate sensitivity](/ddos-protection/advanced-ddos-systems/rule-settings/#rate-sensitivity) and [burst sensitivity](/ddos-protection/advanced-ddos-systems/rule-settings/#burst-sensitivity) settings you can increase or decrease the tolerance of out-of-state TCP packets. +In mitigation mode, out-of-state TCP rules will drop out-of-state packets that do not belong to existing (and tracked) TCP connections if their rates exceed the configured thresholds. The threshold should be higher than the normal rate of non SYN or SYN-ACK TCP packets that your network receives. Packets below the threshold will not be evaluated. Using the [rate sensitivity](/ddos-protection/advanced-ddos-systems/concepts/#rate-sensitivity) and [burst sensitivity](/ddos-protection/advanced-ddos-systems/concepts/#burst-sensitivity) settings you can increase or decrease the tolerance of out-of-state TCP packets. -For more information on the configuration settings of out-of-state TCP rules, refer to [Rule settings](/ddos-protection/advanced-ddos-systems/rule-settings/). 
+For more information on the configuration settings of out-of-state TCP rules, refer to [Rule settings](/ddos-protection/advanced-ddos-systems/concepts/#rule-settings). --- ## Setup -[Create a global configuration](/ddos-protection/advanced-ddos-systems/setup/#3-create-a-global-configuration) to set up SYN Flood and Out-of-state TCP rules and filters for Advanced TCP Protection. - ---- - -## Availability - -Advanced TCP Protection is available to all [Magic Transit](/magic-transit/) customers, and is disabled by default. Protection for simpler TCP-based DDoS attacks is also included as part of the [Network-layer DDoS Attack Protection managed ruleset](/ddos-protection/managed-rulesets/network/). +[Create a global configuration](/ddos-protection/advanced-ddos-systems/overview/#rules) to set up SYN Flood and Out-of-state TCP rules and filters for Advanced TCP Protection. diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/mitigation-reasons.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/mitigation-reasons.mdx deleted file mode 100644 index 20fbfc6e2563cc4..000000000000000 --- a/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/mitigation-reasons.mdx +++ /dev/null 
@@ -1,30 +0,0 @@ ---- -title: Mitigation reasons -pcx_content_type: reference -sidebar: - order: 3 -head: - - tag: title - content: Advanced TCP Protection mitigation reasons - ---- - -The Advanced TCP Protection system applies mitigation actions for different reasons based on the connection states. The **Mitigation reason** field shown in the **Advanced TCP Protection** tab of the [Network Analytics](/analytics/network-analytics/) dashboard will contain more information on why a given packet was dropped by the system. - -The connection states are the following: - -- **New**: A SYN or SYN-ACK packet has been sent to attempt to open a new connection. -- **Open**: The three-way TCP handshake has been completed and the TCP connection is open. -- **Closing**: A FIN or FIN-ACK packet has been seen attempting to close a connection. -- **Closed**: The closing three-way handshake has been completed, or an RST packet has closed the connection. - -The mitigation reasons are the following: - -- **UNEXPECTED**: Packet dropped because it was not expected given the current state of the TCP connection it was associated with. -- **CHALLENGE_NEEDED**: Packet challenged because the system determined that the packet is most likely part of a packet flood. -- **CHALLENGE_PASSED**: Packet dropped because it belongs to a solved challenge. -- **NOT_FOUND**: Packet dropped because it is not part of an existing TCP connection and it is not establishing a new connection. -- **OUT_OF_SEQUENCE**: Packet dropped because its properties (for example, TCP flags or sequence numbers) do not match the expected values for the existing connection. -- **ALREADY_CLOSED**: Packet dropped because it belongs to a connection that is already closed. - -Mitigation will only occur based on your Advanced TCP Protection configuration (rule sensitivities, configured allowlists and prefixes). 
The protection system will provide some tolerance to out-of-state packets to accommodate for the natural randomness of Internet routing. diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/overview/index.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/overview/index.mdx index 7b116e7b1163c34..3da1252e96d3a31 100644 --- a/src/content/docs/ddos-protection/advanced-ddos-systems/overview/index.mdx +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/overview/index.mdx 
@@ -10,26 +10,58 @@ head: --- -import { GlossaryTooltip } from "~/components" +import { GlossaryTooltip, Render } from "~/components" -Advanced DDoS Protection systems are configured using the general settings, [Advanced TCP Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/), and [Advanced DNS Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection/). +The Advanced DDoS Protection system includes [Advanced TCP Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/) and Advanced DNS Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection/). Both systems are configured using the general settings, but also comprise of their own dedicated settings. + +Advanced DDoS Protection systems is available to [Magic Transit](/magic-transit/) customers. + +Protection for simpler TCP or DNS-based DDoS attacks is included as part of the [Network-layer DDoS Attack Protection managed ruleset](/ddos-protection/managed-rulesets/network/). ## General settings -General settings enable and control the use of the Advanced TCP Protection and the Advanced DNS Protection systems, and are composed of thresholds, prefixes, rules, and enablement. To configure the general settings, refer to [Setup](/ddos-protection/advanced-ddos-systems/setup/). +General settings enable and control the use of the Advanced TCP Protection and the Advanced DNS Protection systems, and are composed of thresholds, prefixes, rules, and enablement. ### Thresholds -Thresholds are based on your network's unique traffic, they define the sensitivity levels, and are configured by Cloudflare. +Thresholds are based on your network's unique traffic and are configured by Cloudflare. The sensitivity levels manipulate the thresholds. + +When you get access to Advanced DDoS Protection systems, there are no configured thresholds in your account. 
+ +Thresholds are based on your network's individual behavior, derived from your traffic profile as monitored by Cloudflare. Defining the thresholds will effectively determine what the _High_, _Medium_, and _Low_ [sensitivities](/ddos-protection/advanced-ddos-systems/concepts/#burst-sensitivity) will be for your specific case. + +Ask your Implementation Manager to configure initial threshold values. Separate thresholds need to be configured for Advanced TCP Protection and Advanced DNS Protection. + +Once thresholds are configured, the Implementation Manager will let you know that Advanced DDoS Protection systems have been initialized and can be configured and enabled. ### Prefixes -Add prefixes to instruct the system on which traffic to route through the system. +The prefixes that you have [onboarded](/magic-transit/how-to/advertise-prefixes/) to and approved by Cloudflare instruct the system on which traffic to route through the system. + +[Add the prefixes](/ddos-protection/advanced-ddos-systems/how-to/add-prefix/) you would like to use with Advanced TCP and DNS Protection. You will be able to register prefixes that you previously [onboarded to Magic Transit](/magic-transit/how-to/advertise-prefixes/) or a subset of these prefixes. + +You cannot add unapproved prefixes to Advanced DDoS Protection systems. Contact your account team to get help with prefix approvals. ### Rules -Create rules for the TCP and DNS Protection systems to enable mitigation. Start with Monitoring mode. +[Create a rule](/ddos-protection/advanced-ddos-systems/how-to/create-rule/) for Advanced TCP and Advanced DNS Protection (as needed) to enable mitigation. + +You can create a rule for SYN Flood Protection and another rule for Out-of-state TCP Protection, both with global scope and in monitoring mode. These rules will apply to all received packets. 
+ +Optionally, you can create [filters](/ddos-protection/advanced-ddos-systems/concepts/#filter) for each protection system component (SYN flood protection and out-of-state TCP protection). + +### Prefixes + +Optionally, you can [add prefixes to the allowlist](/ddos-protection/advanced-ddos-systems/how-to/add-prefix-allowlist/) if your traffic should bypass Advanced DDoS Protection rules. + +The allowlist only applies to source IPs — it does not apply to your own IPs or prefixes. You can also [exclude a subset of an onboarded prefix](/ddos-protection/advanced-ddos-systems/how-to/exclude-prefix/) from Advanced TCP Protection. + +Refer to [Concepts](/ddos-protection/advanced-ddos-systems/concepts/) for more information. ### Enablement -Enable the Advanced DDoS system and begin routing traffic through it. \ No newline at end of file +Enable the Advanced DDoS system and begin routing traffic through it. + +1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account. +2. Go to **L3/4 DDoS** > **Advanced Protection** > **General settings**. +3. Under **General settings**, toggle the feature status **On**. diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/rule-settings.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/rule-settings.mdx deleted file mode 100644 index 423eda98367bc5a..000000000000000 --- a/src/content/docs/ddos-protection/advanced-ddos-systems/rule-settings.mdx +++ /dev/null 
@@ -1,68 +0,0 @@ ---- -title: Rule settings -pcx_content_type: reference -sidebar: - order: 9 - ---- - -Each rule type has the following settings: scope, mode, burst sensitivity, and rate sensitivity. - -You may need to adjust the burst or rate sensitivity of a rule in case of false positives or due to specific traffic patterns. - -## Scope - -Advanced TCP Protection rules can have one of the following scopes: - -- **Global**: The rule will apply to all incoming packets. -- **Region**: The rule will apply to incoming packets in a selected region. -- **Data center**: The rule will apply to incoming packets in the selected Cloudflare data center. - -The rule scope allows you to adjust the system's tolerance for out-of-state packets in locations where you may have more or less traffic than usual, or due to any other networking reasons. - -Besides defining rules with one of the above scopes, you must also select the [prefixes](/ddos-protection/advanced-ddos-systems/concepts/#prefixes) that you wish to protect with Advanced TCP Protection. - -## Mode - -The Advanced TCP Protection system constantly learns your TCP connections to mitigate DDoS attacks. Advanced TCP Protection rules can have one of the following execution modes: monitoring, mitigation (enabled), or disabled. - -- **Monitoring** - - In this mode, Advanced TCP Protection will not impact any packets. Instead, the protection system will learn your legitimate TCP connections and show you what it would have mitigated. Check Network Analytics to visualize what actions Advanced TCP Protection would have taken on incoming packets, according to the current configuration. - -- **​​Mitigation (Enabled)** - - In this mode, Advanced TCP Protection will learn your legitimate TCP connections and perform mitigation actions on incoming TCP DDoS attacks based on the rule configuration (burst and rate sensitivity) and your [allowlist](/ddos-protection/advanced-ddos-systems/concepts/#allowlist). 
- - -- **Disabled** - - In this mode, a rule will not evaluate any incoming packets. - -## Burst sensitivity - -The burst sensitivity is the rule's sensitivity to short-term bursts in the packet rate: - -- A low sensitivity means that bigger spikes in the packet rate may trigger a mitigation action. -- A high sensitivity means that smaller spikes in the packet rate may trigger a mitigation action. - -The default burst sensitivity is _Medium_. - -## Rate sensitivity - -The rate sensitivity is the rule's sensitivity to the sustained packet rate: - -- A low sensitivity means that higher sustained packet rates can trigger a mitigation action. -- A high sensitivity means that lower sustained packet rates may trigger a mitigation action. A high sensitivity offers increased protection, but you may get more false positives (that is, mitigated packets that belong to legitimate traffic). - -The default rate sensitivity is _Medium_. - -## Profile sensitivity - -:::note -Profile sensitivity is available for [Advanced DNS Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection/) only. -::: - -The sensitivity to DNS queries that have not been recently seen. - -- A higher sensitivity level means that the mitigation system will begin mitigating faster. -- A lower sensitivity provides more tolerance for potentially suspicious DNS queries. - -The default rate sensitivity is _Medium_. diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/setup.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/setup.mdx deleted file mode 100644 index 0dd1c88a55d701b..000000000000000 --- a/src/content/docs/ddos-protection/advanced-ddos-systems/setup.mdx +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -title: Advanced DDoS Protection setup -pcx_content_type: how-to -sidebar: - order: 2 - label: Setup - ---- - -import { GlossaryTooltip, Render } from "~/components" - -Follow the steps described in the below to get started with Advanced DDoS Protection systems. - -## 1. Request initial configuration - -When you get access to Advanced DDoS Protection systems, there are no configured thresholds in your account. - -Thresholds are based on your network's individual behavior, derived from your traffic profile as monitored by Cloudflare. Defining the thresholds will effectively determine what the _High_, _Medium_, and _Low_ [sensitivities](/ddos-protection/advanced-ddos-systems/rule-settings/#burst-sensitivity) will be for your specific case. - -Ask your Implementation Manager to configure initial threshold values. - -Once thresholds are configured, the Implementation Manager will let you know that Advanced DDoS Protection systems have been initialized and can be configured and enabled. - -## 2. Add prefixes - -[Add the prefixes](/ddos-protection/advanced-ddos-systems/how-to/add-prefix/) you would like to use with Advanced TCP and DNS Protection. You will be able to register prefixes that you previously [onboarded to Magic Transit](/magic-transit/how-to/advertise-prefixes/) or a subset of these prefixes. - -You cannot add unapproved prefixes to Advanced DDoS Protection systems. Contact your account team to get help with prefix approvals. - -## 3. Create a global configuration - -[Create a rule](/ddos-protection/advanced-ddos-systems/how-to/create-rule/) for SYN Flood Protection and another rule for Out-of-state TCP Protection, both with global scope and in monitoring mode. These rules will apply to all received packets. - -Optionally, you can create [filters](/ddos-protection/advanced-ddos-systems/concepts/#filter) for each protection system component (SYN flood protection and out-of-state TCP protection). - -## 4. 
(Optional) Add IP addresses or prefixes to the allowlist - -[Add prefixes to the allowlist](/ddos-protection/advanced-ddos-systems/how-to/add-prefix-allowlist/) if their traffic should bypass Advanced DDoS Protection rules. - -The allowlist only applies to source IPs — it does not apply to your own IPs or prefixes. To exclude a subset of an onboarded prefix from Advanced TCP Protection, refer to [Exclude a prefix or a prefix subset](/ddos-protection/advanced-ddos-systems/how-to/exclude-prefix/). - -## 5. Enable Advanced DDoS Protection - -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account. -2. Go to **L3/4 DDoS** > **Advanced Protection** > **General settings**. -3. Under **General settings**, toggle the feature status **On**. \ No newline at end of file diff --git a/src/content/docs/ddos-protection/index.mdx b/src/content/docs/ddos-protection/index.mdx index c0352c47a03462e..d1ddf3ef302e062 100644 --- a/src/content/docs/ddos-protection/index.mdx +++ b/src/content/docs/ddos-protection/index.mdx @@ -38,7 +38,7 @@ Get increased protection against sophisticated DDoS attacks on layer 7 and layer Detect and mitigate sophisticated out-of-state TCP attacks such as randomized and spoofed ACK floods, or SYN and SYN-ACK floods.
- + Protect against DNS-based DDoS attacks, specifically sophisticated and fully randomized DNS attacks such as random prefix attacks. From 5632d8326a4da884558a21265e194ae6e2ba9f6f Mon Sep 17 00:00:00 2001 From: Patricia Loraine Santa Ana Date: Fri, 25 Oct 2024 15:03:42 -0700 Subject: [PATCH 9/9] broken links and edits --- .../api/dns-protection/index.mdx | 2 +- .../api/dns-protection/json-objects.mdx | 2 +- .../advanced-ddos-systems/api/index.mdx | 2 +- .../api/tcp-protection/examples.mdx | 2 +- .../api/tcp-protection/index.mdx | 4 ++-- .../api/tcp-protection/json-objects.mdx | 2 +- .../advanced-ddos-systems/concepts.mdx | 6 +++--- .../how-to/add-prefix-allowlist.mdx | 2 +- .../advanced-ddos-systems/how-to/add-prefix.mdx | 2 +- .../advanced-ddos-systems/how-to/create-filter.mdx | 2 +- .../advanced-ddos-systems/how-to/create-rule.mdx | 12 ++++++------ .../advanced-ddos-systems/how-to/index.mdx | 4 ++-- .../overview/advanced-dns-protection.mdx | 4 ++-- .../overview/advanced-tcp-protection.mdx | 2 +- .../advanced-ddos-systems/overview/index.mdx | 4 ++-- .../ddos-protection/atp-filter-definition.mdx | 2 +- 16 files changed, 27 insertions(+), 27 deletions(-) diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/api/dns-protection/index.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/api/dns-protection/index.mdx index 7e8361776d2721a..cda587b4ca0328c 100644 --- a/src/content/docs/ddos-protection/advanced-ddos-systems/api/dns-protection/index.mdx +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/api/dns-protection/index.mdx @@ -2,7 +2,7 @@ pcx_content_type: how-to title: Advanced DNS Protection sidebar: - order: 5 + order: 4 label: Configure via the API head: - tag: title diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/api/dns-protection/json-objects.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/api/dns-protection/json-objects.mdx index 2cc460e9b447dc9..cf71ecbb747b809 100644 
--- a/src/content/docs/ddos-protection/advanced-ddos-systems/api/dns-protection/json-objects.mdx +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/api/dns-protection/json-objects.mdx @@ -35,4 +35,4 @@ The `profile_sensitivity` field value must be one of `low` (default), `medium`, The `rate_sensitivity` and `burst_sensitivity` field values must be one of `low`, `medium`, or `high`. -For more information on the rule settings, refer to [Rule settings](/ddos-protection/advanced-ddos-systems/rule-settings/). \ No newline at end of file +For more information on the rule settings, refer to [Rule settings](/ddos-protection/advanced-ddos-systems/concepts/#rule-settings). \ No newline at end of file diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/api/index.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/api/index.mdx index 805248d20a3519a..cb1ae99f7b9420d 100644 --- a/src/content/docs/ddos-protection/advanced-ddos-systems/api/index.mdx +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/api/index.mdx @@ -2,7 +2,7 @@ title: API configuration pcx_content_type: overview sidebar: - order: 5 + order: 4 group: hideIndex: true head: diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/api/tcp-protection/examples.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/api/tcp-protection/examples.mdx index 0573733109c1557..5bf49a76f54a194 100644 --- a/src/content/docs/ddos-protection/advanced-ddos-systems/api/tcp-protection/examples.mdx +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/api/tcp-protection/examples.mdx 
@@ -306,4 +306,4 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/advanced_t } ``` -Refer to [JSON objects](/ddos-protection/advanced-ddos-systems/api/tcp-protection/json-objects/) for more information on the fields in the JSON body. +Refer to [JSON objects](/ddos-protection/advanced-ddos-systems/api/tcp-protection/json-objects/) for more information on the fields in the JSON body. \ No newline at end of file diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/api/tcp-protection/index.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/api/tcp-protection/index.mdx index d499416c60c5f19..6c8645c201cdc0c 100644 --- a/src/content/docs/ddos-protection/advanced-ddos-systems/api/tcp-protection/index.mdx +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/api/tcp-protection/index.mdx @@ -2,7 +2,7 @@ pcx_content_type: how-to title: Advanced TCP Protection sidebar: - order: 5 + order: 4 label: Configure via the API head: - tag: title @@ -109,4 +109,4 @@ The tables in the following sections summarize the available operations. ## Pagination -The API operations that return a list of items use pagination. For more information on the available pagination query parameters, refer to [Pagination](/fundamentals/api/how-to/make-api-calls/#pagination). +The API operations that return a list of items use pagination. For more information on the available pagination query parameters, refer to [Pagination](/fundamentals/api/how-to/make-api-calls/#pagination). \ No newline at end of file diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/api/tcp-protection/json-objects.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/api/tcp-protection/json-objects.mdx index 784c7fcfaa7fe30..ed617590ffb775a 100644 --- a/src/content/docs/ddos-protection/advanced-ddos-systems/api/tcp-protection/json-objects.mdx +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/api/tcp-protection/json-objects.mdx 
@@ -81,4 +81,4 @@ The `expression` field is a [Rules language expression](/ruleset-engine/rules-la Expressions of SYN flood protection and out-of-state TCP protection filters do not currently support functions. ::: -The `mode` value must be one of `enabled`, `disabled`, or `monitoring`. +The `mode` value must be one of `enabled`, `disabled`, or `monitoring`. \ No newline at end of file diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/concepts.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/concepts.mdx index 003e38c1ac6e339..e0e30442b6e7f7a 100644 --- a/src/content/docs/ddos-protection/advanced-ddos-systems/concepts.mdx +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/concepts.mdx @@ -2,7 +2,7 @@ title: Concepts pcx_content_type: concept sidebar: - order: 3 + order: 2 head: - tag: title content: Create an Advanced TCP Protection filter @@ -32,7 +32,7 @@ For example, you could add prefixes used only by partners of your company to the ## Rule -A rule configures Advanced DDoS Protection for a given [scope](/ddos-protection/advanced-ddos-systems/rule-settings/#scope), according to several [settings](/ddos-protection/advanced-ddos-systems/rule-settings/): execution mode, burst sensitivity, and rate sensitivity. +A rule configures Advanced DDoS Protection for a given [scope](/ddos-protection/advanced-ddos-systems/concepts/#scope), according to several [settings](/ddos-protection/advanced-ddos-systems/concepts/#rule-settings): execution mode, burst sensitivity, and rate sensitivity. Each system component (SYN flood protection and out-of-state TCP protection) has its own list of rules, and it should have at least one rule. 
@@ -156,4 +156,4 @@ The mitigation reasons are the following: | **Out of sequence** | Packet dropped because its properties (for example, TCP flags or sequence numbers) do not match the expected values for the existing connection. | | **Already closed** | Packet dropped because it belongs to a connection that is already closed. | -Mitigation will only occur based on your Advanced TCP Protection configuration (rule sensitivities, configured allowlists and prefixes). The protection system will provide some tolerance to out-of-state packets to accommodate for the natural randomness of Internet routing. +Mitigation will only occur based on your Advanced TCP Protection configuration (rule sensitivities, configured allowlists and prefixes). The protection system will provide some tolerance to out-of-state packets to accommodate for the natural randomness of Internet routing. \ No newline at end of file diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/add-prefix-allowlist.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/add-prefix-allowlist.mdx index 84770a6e0422b0e..aa3bd694a38a52e 100644 --- a/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/add-prefix-allowlist.mdx +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/add-prefix-allowlist.mdx @@ -20,4 +20,4 @@ To add an IP address or prefix to the Advanced DDoS Protection [allowlist](/ddos 5. To exclude the current prefix from the allowlist instead of including it, uncheck the **Enabled** checkbox. 6. Select **Add**. - + \ No newline at end of file diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/add-prefix.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/add-prefix.mdx index 4e5eaefd3ad3325..346a31e4ff7a681 100644 --- a/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/add-prefix.mdx +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/add-prefix.mdx 
@@ -20,4 +20,4 @@ To add a [prefix](/ddos-protection/advanced-ddos-systems/concepts/#prefixes) to :::note[Note] The **Add existing prefix** list will not display leased prefixes, but you can add them manually in the Cloudflare dashboard or [using the API](/ddos-protection/advanced-ddos-systems/api/). You cannot add [delegated prefixes](/byoip/concepts/prefix-delegations/) to Advanced TCP Protection. -::: +::: \ No newline at end of file diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/create-filter.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/create-filter.mdx index 3864f78704a6764..4ddb495acb35fd9 100644 --- a/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/create-filter.mdx +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/create-filter.mdx @@ -32,4 +32,4 @@ To create a [filter](/ddos-protection/advanced-ddos-systems/concepts/#filter) fo 4. Under **When incoming packets match**, define a filter expression using the Expression Builder (specifying one or more values for **Field**, **Operator**, and **Value**), or manually enter an expression using the Expression Editor. For more information, refer to [Edit rule expressions](/ruleset-engine/rules-language/expressions/edit-expressions/). 5. Select **Save**. - + \ No newline at end of file diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/create-rule.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/create-rule.mdx index fb663683fc3182e..28250ee360ef5b2 100644 --- a/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/create-rule.mdx +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/create-rule.mdx 
@@ -22,9 +22,9 @@ To create a [SYN flood rule](/ddos-protection/advanced-ddos-systems/overview/adv - Under **SYN Flood Protection**, select **Create SYN flood rule**. - Under **Out-of-state TCP Protection**, select **Create out-of-state TCP rule**. -4. In **Mode**, select a [mode](/ddos-protection/advanced-ddos-systems/rule-settings/#mode) for the rule. -5. Under **Set scope**, select a [scope](/ddos-protection/advanced-ddos-systems/rule-settings/#scope) for the rule. If you choose to apply the rule to a subset of incoming packets, select a region or a data center. -6. Under **Sensitivity**, define the [burst sensitivity](/ddos-protection/advanced-ddos-systems/rule-settings/#burst-sensitivity) and [rate sensitivity](/ddos-protection/advanced-ddos-systems/rule-settings/#rate-sensitivity) of the rule (by default, _Medium_). The sensitivity levels are based on the initially configured thresholds for your specific case. +4. In **Mode**, select a [mode](/ddos-protection/advanced-ddos-systems/concepts/#mode) for the rule. +5. Under **Set scope**, select a [scope](/ddos-protection/advanced-ddos-systems/concepts/#scope) for the rule. If you choose to apply the rule to a subset of incoming packets, select a region or a data center. +6. Under **Sensitivity**, define the [burst sensitivity](/ddos-protection/advanced-ddos-systems/concepts/#burst-sensitivity) and [rate sensitivity](/ddos-protection/advanced-ddos-systems/concepts/#rate-sensitivity) of the rule (by default, _Medium_). The sensitivity levels are based on the initially configured thresholds for your specific case. 7. Select **Deploy**. 
@@ -42,6 +42,6 @@ To create a [SYN flood rule](/ddos-protection/advanced-ddos-systems/overview/adv 5. Go to **Advanced DNS Protection**. 6. Select **Create Advanced DNS Protection rule**. 7. In **Mode**, select a mode for the rule. -8. Under **Set scope**, select a [scope](/ddos-protection/advanced-ddos-systems/rule-settings/#scope) to determine the range of packets that will be affected by the rule. -9. Under **Sensitivity**, define the [burst sensitivity](/ddos-protection/advanced-ddos-systems/rule-settings/#burst-sensitivity), [rate sensitivity](/ddos-protection/advanced-ddos-systems/rule-settings/#rate-sensitivity), and [profile sensitivity](/ddos-protection/advanced-ddos-systems/rule-settings/#profile-sensitivity) to determine when to initiate mitigation. -10. Select **Deploy**. +8. Under **Set scope**, select a [scope](/ddos-protection/advanced-ddos-systems/concepts/#scope) to determine the range of packets that will be affected by the rule. +9. Under **Sensitivity**, define the [burst sensitivity](/ddos-protection/advanced-ddos-systems/concepts/#burst-sensitivity), [rate sensitivity](/ddos-protection/advanced-ddos-systems/concepts/#rate-sensitivity), and [profile sensitivity](/ddos-protection/advanced-ddos-systems/concepts/#profile-sensitivity) to determine when to initiate mitigation. +10. Select **Deploy**. \ No newline at end of file diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/index.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/index.mdx index 4cb011a3624ec99..6b52c8214c29bce 100644 --- a/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/index.mdx +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/how-to/index.mdx @@ -2,7 +2,7 @@ title: How to pcx_content_type: navigation sidebar: - order: 4 + order: 3 group: hideIndex: true head: 
@@ -14,4 +14,4 @@ description: How-to guides for configuring Advanced TCP Protection. import { DirectoryListing } from "~/components" - + \ No newline at end of file diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection.mdx index 2e69fb4c55092cb..7eca38bba9ebaa1 100644 --- a/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection.mdx +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection.mdx @@ -2,7 +2,7 @@ title: Advanced DNS Protection pcx_content_type: concept sidebar: - order: 4 + order: 3 head: - tag: title content: Cloudflare Advanced DNS Protection @@ -55,4 +55,4 @@ If you cannot find any data related to Advanced DNS Protection in the **DNS Prot Advanced DNS Protection can protect you against volumetric DNS DDoS attacks. To perform DNS caching, proxying, and configuration, use the [Cloudflare DNS Firewall](/dns/dns-firewall/). -Currently, Advanced DNS Protection is not available for DNS Firewall. +Currently, Advanced DNS Protection is not available for DNS Firewall. \ No newline at end of file diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection.mdx index 6dc8d35f6f01979..e1658f36bc8cd3e 100644 --- a/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection.mdx +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection.mdx 
@@ -47,4 +47,4 @@ For more information on the configuration settings of out-of-state TCP rules, re ## Setup -[Create a global configuration](/ddos-protection/advanced-ddos-systems/overview/#rules) to set up SYN Flood and Out-of-state TCP rules and filters for Advanced TCP Protection. +[Create a global configuration](/ddos-protection/advanced-ddos-systems/overview/#rules) to set up SYN Flood and Out-of-state TCP rules and filters for Advanced TCP Protection. \ No newline at end of file diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/overview/index.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/overview/index.mdx index 3da1252e96d3a31..ad30f7a3f41447f 100644 --- a/src/content/docs/ddos-protection/advanced-ddos-systems/overview/index.mdx +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/overview/index.mdx @@ -12,7 +12,7 @@ head: import { GlossaryTooltip, Render } from "~/components" -The Advanced DDoS Protection system includes [Advanced TCP Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/) and Advanced DNS Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection/). Both systems are configured using the general settings, but also comprise of their own dedicated settings. +The Advanced DDoS Protection system includes [Advanced TCP Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/) and [Advanced DNS Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection/). Both systems are configured using the general settings, but also comprise of their own dedicated settings. Advanced DDoS Protection systems is available to [Magic Transit](/magic-transit/) customers. 
@@ -64,4 +64,4 @@ Enable the Advanced DDoS system and begin routing traffic through it. 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account. 2. Go to **L3/4 DDoS** > **Advanced Protection** > **General settings**. -3. Under **General settings**, toggle the feature status **On**. +3. Under **General settings**, toggle the feature status **On**. \ No newline at end of file diff --git a/src/content/partials/ddos-protection/atp-filter-definition.mdx b/src/content/partials/ddos-protection/atp-filter-definition.mdx index 68623b6f614c8e0..12d6e288ceadf95 100644 --- a/src/content/partials/ddos-protection/atp-filter-definition.mdx +++ b/src/content/partials/ddos-protection/atp-filter-definition.mdx @@ -3,4 +3,4 @@ --- -A filter modifies Advanced TCP Protection's [execution mode](/ddos-protection/advanced-ddos-systems/rule-settings/#mode) — monitoring, mitigation (enabled), or disabled — for all incoming packets matching an expression. +A filter modifies Advanced TCP Protection's [execution mode](/ddos-protection/advanced-ddos-systems/concepts/#mode) — monitoring, mitigation (enabled), or disabled — for all incoming packets matching an expression. \ No newline at end of file
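Review bot: In the advanced-tcp-protection.mdx hunk (first hunk of PATCH 1/9), deleting the `## Availability` section drops the only statement that Advanced TCP Protection "is disabled by default"; the replacement text added to overview/index.mdx in this series says only that the systems are "available to Magic Transit customers". Keep the default-off fact, most naturally in the overview's `### Enablement` section, because it tells a customer that onboarding to Magic Transit alone does not route their traffic through this system. Separately, the new link `[Create a global configuration](/ddos-protection/advanced-ddos-systems/overview/#rules)` now lands on a section headed "Rules" rather than a setup procedure; link text such as "Create rules" would match the target.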
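Review bot: Deleting overview/advanced-tcp-protection/mitigation-reasons.mdx removes a URL that readers reach from the **Mitigation reason** field in the Network Analytics dashboard, while the content itself survives as the table in concepts.mdx (see the `@@ -156,4 +156,4 @@` hunk later in the series); add a redirect from the old path to that concepts section. Also note the deleted page used the identifier spelling of the reasons (`UNEXPECTED`, `CHALLENGE_NEEDED`, `OUT_OF_SEQUENCE`) whereas the concepts table uses title case (**Out of sequence**, **Already closed**); if the dashboard displays the uppercase identifiers, keep them in the table so a reader can match what they see.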
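Review bot: The overview/index.mdx hunk (`@@ -10,26 +10,58 @@`) introduces two `### Prefixes` headings in the same file; the second one describes the allowlist and prefix exclusions, so head it `### Allowlist` (as the deleted setup.mdx step did), otherwise both headings collide on the `#prefixes` anchor. In the same hunk: "Advanced DDoS Protection systems is available" should be "are available"; "comprise of their own dedicated settings" should be "have their own dedicated settings"; and the missing `[` before `Advanced DNS Protection](...)` is only corrected in PATCH 9/9, so squash that fix back here. Nothing in the added lines uses the newly imported `Render` component, so drop it from `import { GlossaryTooltip, Render } from "~/components"` unless a `<Render>` is planned.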
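Review bot: In the rule-settings.mdx deletion hunk, the last line under `## Profile sensitivity` reads "The default rate sensitivity is _Medium_." (a copy of the line under `## Rate sensitivity`; it should say "profile sensitivity"), and that _Medium_ default contradicts dns-protection/json-objects.mdx, where `profile_sensitivity` is documented as `low` (default). Whichever copy of this text now lives in concepts.mdx (the target of the rewritten `#profile-sensitivity` links) should fix the wording and settle which default is correct. Since the file is removed rather than moved, also add a redirect for `/ddos-protection/advanced-ddos-systems/rule-settings/`; the number of links rewritten in PATCH 9/9 shows how widely that path was referenced.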
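Review bot: The setup.mdx deletion hunk removes the numbered procedure (1. Request initial configuration through 5. Enable Advanced DDoS Protection) and the overview/index.mdx hunk absorbs its text as unnumbered `###` subsections; the sequence still matters (thresholds must be configured by the Implementation Manager before rules and enablement make sense, and "Once thresholds are configured, the Implementation Manager will let you know" only reads correctly in order), so add one sentence in the overview stating that the General settings subsections are to be completed in the order listed, or keep the numbering. A redirect for `/ddos-protection/advanced-ddos-systems/setup/` is also needed, since the original advanced-tcp-protection.mdx and overview/index.mdx both linked to it.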
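Review bot: The dns-protection/json-objects.mdx hunk in PATCH 9/9 changes only a link but also strips the trailing newline (`\ No newline at end of file`), and the same happens in tcp-protection/examples.mdx, tcp-protection/index.mdx, tcp-protection/json-objects.mdx, concepts.mdx, add-prefix-allowlist.mdx, add-prefix.mdx, create-filter.mdx, create-rule.mdx, how-to/index.mdx, advanced-dns-protection.mdx, advanced-tcp-protection.mdx, overview/index.mdx and atp-filter-definition.mdx. That is editor noise unrelated to the "broken links" fix, and it makes every future change to these files show a spurious last-line diff; restore the final newline in each file before merging.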
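Review bot: The concepts.mdx front-matter hunk (`@@ -2,7 +2,7 @@`) changes `order` but leaves the context line `content: Create an Advanced TCP Protection filter` as the page's `head` title, which looks copied from create-filter.mdx and is wrong for a Concepts page; fix it in the same hunk. In the `@@ -32,7 +32,7 @@` hunk, the unchanged line "Each system component (SYN flood protection and out-of-state TCP protection) has its own list of rules" now omits Advanced DNS Protection, whose rules the create-rule.mdx hunk in this same patch documents; update the sentence to cover all three.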
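Review bot: In the create-rule.mdx hunk (`@@ -42,6 +42,6 @@`), DNS step 7 "In **Mode**, select a mode for the rule." has no link, while TCP step 4 in the previous hunk links `[mode](/ddos-protection/advanced-ddos-systems/concepts/#mode)`; link it the same way. TCP step 6 also states the default ("by default, _Medium_") where DNS step 9 does not; given the profile-sensitivity default question raised on json-objects.mdx, state the DNS defaults explicitly once they are confirmed.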
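Review bot: The how-to/index.mdx hunk (`@@ -14,4 +14,4 @@`) shows the context line `description: How-to guides for configuring Advanced TCP Protection.`, which is stale now that the section also covers Advanced DNS Protection rules; change it to "Advanced DDoS Protection" while touching this file.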
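Review bot: In the add-prefix.mdx hunk, the note's context line "You cannot add [delegated prefixes](/byoip/concepts/prefix-delegations/) to Advanced TCP Protection." sits on a page that now serves both Advanced TCP and Advanced DNS Protection; either confirm the restriction is TCP-only or reword it to "Advanced DDoS Protection".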
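Review bot: The overview/index.mdx hunk in PATCH 9/9 (`@@ -12,7 +12,7 @@`) restores the missing `[` but leaves the grammar in the same paragraph and the next context line untouched: "Both systems ... comprise of their own dedicated settings" and "Advanced DDoS Protection systems is available to [Magic Transit](/magic-transit/) customers." Since this commit is titled "broken links and edits", fix both here ("have their own dedicated settings"; "systems are available").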