cloudflare · patriciasantaana · Nov 4, 2024 · Sep 30, 2024 · Oct 1, 2024 · Oct 1, 2024
@@ -303,17 +303,24 @@
 # ddos-protection
 /ddos-protection/change-log/http/2022-09-19-emergency-emergency/ /ddos-protection/change-log/http/2022-09-19-emergency/
 /ddos-protection/change-log/http/2022-12-07-emergency-emergency/ /ddos-protection/change-log/http/2022-12-07-emergency/
-/ddos-protection/managed-rulesets/tcp-protection/ /ddos-protection/tcp-protection/ 301
 /ddos-protection/managed-rulesets/http/location-aware-protection/ /ddos-protection/managed-rulesets/adaptive-protection/ 301
 /ddos-protection/managed-rulesets/network/fields/ /ddos-protection/managed-rulesets/network/override-expressions/ 301
 /support/about-cloudflare/attack-preparation-and-response/responding-to-ddos-attacks/ /ddos-protection/best-practices/respond-to-ddos-attacks/ 301
 /support/about-cloudflare/attack-preparation-and-response/understanding-cloudflare-ddos-protection/ /ddos-protection/about/ 301
 /ddos-protection/change-log/global-changes/ /ddos-protection/change-log/general-updates/ 301
-# Redirect the following pages temporarily (using HTTP 307 Temporary redirect)
-/ddos-protection/dns-protection/rule-settings/ /ddos-protection/dns-protection/ 307
-/ddos-protection/dns-protection/api/ /ddos-protection/dns-protection/ 307
-/ddos-protection/dns-protection/api/examples/ /ddos-protection/dns-protection/ 307
-/ddos-protection/dns-protection/api/json-objects/ /ddos-protection/dns-protection/ 307
+/ddos-protection/tcp-protection/api/examples/ /ddos-protection/advanced-ddos-systems/api/tcp-protection/examples/ 301
+/ddos-protection/tcp-protection/api/json-objects/ /ddos-protection/advanced-ddos-systems/api/tcp-protection/json-objects/ 301
+/ddos-protection/tcp-protection/concepts/ /ddos-protection/advanced-ddos-systems/concepts/ 301
+/ddos-protection/tcp-protection/how-to/add-prefix-allowlist/ /ddos-protection/advanced-ddos-systems/how-to/add-prefix-allowlist/ 301
+/ddos-protection/tcp-protection/how-to/add-prefix/ /ddos-protection/advanced-ddos-systems/how-to/add-prefix/ 301
+/ddos-protection/tcp-protection/how-to/create-filter/ /ddos-protection/advanced-ddos-systems/how-to/create-filter/ 301
+/ddos-protection/tcp-protection/how-to/exclude-prefix/ /ddos-protection/advanced-ddos-systems/how-to/exclude-prefix/ 301
+/ddos-protection/tcp-protection/how-to/ /ddos-protection/advanced-ddos-systems/how-to/ 301
+/ddos-protection/tcp-protection/ /ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/ 301
+/ddos-protection/tcp-protection/mitigation-reasons/ /ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/mitigation-reasons/ 301
+/ddos-protection/tcp-protection/rule-settings/ /ddos-protection/advanced-ddos-systems/rule-settings/ 301
+/ddos-protection/dns-protection/ /ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection/ 301
+/ddos-protection/tcp-protection/api/ /ddos-protection/advanced-ddos-systems/api/ 301
 
 # dmarc-management
 /dmarc-management/manage-sources/ /dmarc-management/ 301

@@ -113,6 +113,6 @@ The following example queries the top 20 logs of traffic dropped by mitigation s
 The `mitigationSystem` field can take one the following values:
 
 * `dosd` for [DDoS managed rulesets](/ddos-protection/managed-rulesets/) (Network-layer DDoS Attack Protection or HTTP DDoS Attack Protection).
-* `flowtrackd` for [Advanced TCP Protection](/ddos-protection/tcp-protection/).
+* `flowtrackd` for [Advanced TCP Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/).
 * `magic-firewall` for [Magic Firewall](/magic-firewall/).
 * Empty string for unmitigated traffic.
@@ -25,8 +25,8 @@ The following table contains a summary of what is shown in each tab:
 | --------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------- |
 | **All traffic**             | Traffic dropped by DDoS managed rules, Advanced TCP Protection, Advanced DNS Protection, and Magic Firewall, and traffic passed to the origin server.                                                       | Traffic dropped and passed by DDoS managed rules.                                       |
 | **DDoS managed <br/>rules** | Traffic dropped and passed by [DDoS managed rules](/ddos-protection/managed-rulesets/).                                                                                                                     | Traffic dropped and passed by [DDoS managed rules](/ddos-protection/managed-rulesets/). |
-| **TCP <br/>Protection**     | Traffic dropped and passed by the [Advanced TCP Protection](/ddos-protection/tcp-protection/) system. Does not include traffic dropped by DDoS managed rules.                                               | N/A                                                                                     |
-| **DNS <br/>Protection**     | Traffic dropped and passed by the [Advanced DNS Protection](/ddos-protection/dns-protection/) system. Does not include traffic dropped by DDoS managed rules.                                               | N/A                                                                                     |
+| **TCP <br/>Protection**     | Traffic dropped and passed by the [Advanced TCP Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/) system. Does not include traffic dropped by DDoS managed rules.                                               | N/A                                                                                     |
+| **DNS <br/>Protection**     | Traffic dropped and passed by the [Advanced DNS Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection/) system. Does not include traffic dropped by DDoS managed rules.                                               | N/A                                                                                     |
 | **Magic Firewall**          | Traffic dropped by [Magic Firewall](/magic-firewall/) and traffic passed to the origin server. Does not include traffic dropped by DDoS managed rules, Advanced TCP Protection, or Advanced DNS Protection. | N/A                                                                                     |
 
 

@@ -14,7 +14,7 @@ import { GlossaryTooltip, InlineBadge, Render } from "~/components"
 
 The [DDoS Attack Protection managed rulesets](/ddos-protection/managed-rulesets/) provide protection against a variety of <GlossaryTooltip term="distributed denial-of-service (DDoS) attack">DDoS attacks</GlossaryTooltip> across L3/4 (layers 3/4) and L7 of the OSI model. Cloudflare constantly updates these managed rulesets to improve the attack coverage, increase the mitigation consistency, cover new and emerging threats, and ensure cost-efficient mitigations.
 
-[Advanced TCP Protection](/ddos-protection/tcp-protection/) and [Advanced DNS Protection](/ddos-protection/dns-protection/), available to [Magic Transit](/magic-transit/) customers, provide additional protection against sophisticated TCP-based DDoS attacks and sophisticated and fully randomized DNS attacks, respectively.
+[Advanced TCP Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/) and [Advanced DNS Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection/), available to [Magic Transit](/magic-transit/) customers, provide additional protection against sophisticated TCP-based DDoS attacks and sophisticated and fully randomized DNS attacks, respectively.
 
 As a general guideline, various Cloudflare products operate on different open systems interconnection (OSI) layers and you are protected up to the layer on which your service operates. You can customize the DDoS settings on the layer in which you onboarded. For example, since the CDN/WAF service is a Layer 7 (HTTP/HTTPS) service, Cloudflare provides protection from DDoS attacks on L7 downwards, including L3/4 attacks.
 
@@ -31,7 +31,7 @@ The following table includes a sample of covered attack vectors:
 
 The Network-layer DDoS Attack Protection managed ruleset provides protection against some types of DNS attacks.
 
-Magic Transit customers have access to [Advanced DNS Protection](/ddos-protection/dns-protection/) <InlineBadge preset="beta" />. Other customers might consider the following options:
+Magic Transit customers have access to [Advanced DNS Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection/) <InlineBadge preset="beta" />. Other customers might consider the following options:
 
 - Use Cloudflare as your authoritative DNS provider ([primary DNS](/dns/zone-setups/full-setup/) or [secondary DNS](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/)).
 - If you are running your own <GlossaryTooltip term="nameserver">nameservers</GlossaryTooltip>, use [DNS Firewall](/dns/dns-firewall/) to get additional protection against DNS attacks like random prefix attacks.
@@ -14,7 +14,7 @@ import { GlossaryTooltip } from "~/components"
 
 The Cloudflare Autonomous Edge is powered by the denial-of-service <GlossaryTooltip term="daemon" prepend="A daemon is ">daemon</GlossaryTooltip> (`dosd`), which is a home-grown software-defined system. A `dosd` instance runs in every single server in every one of [Cloudflare global network's data centers](https://www.cloudflare.com/network/) around the world. These `dosd` instances can detect and mitigate DDoS attacks autonomously without requiring centralized consensus. Cloudflare users can configure this system through [DDoS Attack Protection managed rulesets](/ddos-protection/managed-rulesets/).
 
-Another component of Cloudflare’s Autonomous Edge includes the [Advanced TCP Protection](/ddos-protection/tcp-protection/) system. This is Cloudflare's TCP state tracking machine for detecting and mitigating the most randomized and sophisticated TCP-based DDoS attacks in unidirectional routing topologies — such as the case of [Magic Transit](/magic-transit/). Advanced TCP Protection is able to identify the state of a TCP connection and then drops, challenges, or rate-limits packets that do not belong to a legitimate connection.
+Another component of Cloudflare’s Autonomous Edge includes the [Advanced TCP Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/) system. This is Cloudflare's TCP state tracking machine for detecting and mitigating the most randomized and sophisticated TCP-based DDoS attacks in unidirectional routing topologies — such as the case of [Magic Transit](/magic-transit/). Advanced TCP Protection is able to identify the state of a TCP connection and then drops, challenges, or rate-limits packets that do not belong to a legitimate connection.
 
 For more information, refer to our blog post [A deep-dive into Cloudflare’s autonomous edge DDoS protection](https://blog.cloudflare.com/deep-dive-cloudflare-autonomous-edge-ddos-protection/).
 

@@ -0,0 +1,117 @@
+---
+title: Common API calls
+pcx_content_type: configuration
+sidebar:
+  order: 2
+
+---
+
+The following sections contain example requests for common API calls. For a list of available API endpoints, refer to [Endpoints](/ddos-protection/advanced-ddos-systems/api/dns-protection/#endpoints).
+
+## Get all DNS protection rules
+
+The following example retrieves the currently configured rules for Advanced DNS Protection.
+
+```bash
+curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/advanced_dns_protection/configs/dns_protection/rules" \
+--header "Authorization: Bearer <API_TOKEN>"
+```
+
+```json title="Example response"
+---
+{
+  "result": [
+    {
+      "id": "<RULE_ID>",
+      "scope": "<SCOPE>",
+      "name": "<NAME>",
+      "mode": "<MODE>",
+      "profile_sensitivity": "<SENSITIVITY>",
+      "rate_sensitivity": "<RATE>",
+      "burst_sensitivity": "<BURST>",
+      "created_on": "2023-10-01T13:10:38.762503+01:00",
+      "modified_on": "2023-10-01T13:10:38.762503+01:00",
+      }
+    ],
+  "success": true,
+  "errors": [],
+  "messages": []
+}
+```
+
+### Create DNS protection rule
+
+The following example creates an Advanced DNS Protection rule with a global scope.
+
+```bash
+curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/advanced_dns_protection/configs/dns_protection/rules" \
+--header "Authorization: Bearer <API_TOKEN>" \
+--data '{
+  "scope": "global",
+  "name": "global",
+  "mode": "<MODE>",
+  "rate_sensitivity": "<RATE>",
+  "burst_sensitivity": "<BURST>",
+  "profile_sensitivity": "<SENSITIVITY>"
+}'
+```
+
+```json title="Example response"
+{
+  "result": {
+    "id": "<RULE_ID>",
+    "scope": "global",
+    "name": "global",
+    "mode": "<MODE>",
+    "rate_sensitivity": "<RATE>",
+    "burst_sensitivity": "<BURST>",
+    "profile_sensitivity": "<SENSITIVITY>",
+    "created_on": "2023-10-01T13:10:38.762503+01:00",
+    "modified_on": "2023-10-01T13:10:38.762503+01:00",
+  },
+  "success": true,
+  "errors": [],
+  "messages": []
+}
+```
+
+Refer to [JSON objects](/ddos-protection/advanced-ddos-systems/api/dns-protection/json-objects/) for more information on the fields in the JSON body.
+
+### Update DNS protection rule
+
+The following example updates an existing DNS protection rule with ID `{rule_id}`.
+
+The request body can contain only the fields you want to update (from `mode`, `profile_sensitivity`, `rate_sensitivity`, and `burst_sensitivity`).
+
+```bash
+curl --request PATCH \
+"https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/advanced_dns_protection/configs/dns_protection/rules/{rule_id}" \
+--header "Authorization: Bearer <API_TOKEN>" \
+--data '{
+  "mode": "<NEW_MODE>",
+  "profile_sensitivity": "<NEW_SENSITIVITY>",
+  "rate_sensitivity": "<NEW_RATE>",
+  "burst_sensitivity": "<NEW_BURST>"
+}'
+```
+
+```json title="Example response"
+{
+  "result": {
+    "id": "<RULE_ID>",
+    "scope": "<SCOPE>",
+    "name": "<NAME>",
+    "mode": "<NEW_MODE>",
+    "profile_sensitivity": "<NEW_SENSITIVITY>",
+    "rate_sensitivity": "<NEW_RATE>",
+    "burst_sensitivity": "<NEW_BURST>",
+    "created_on": "2023-10-01T13:10:38.762503+01:00",
+    "modified_on": "2023-10-01T13:10:38.762503+01:00",
+  },
+  "success": true,
+  "errors": [],
+  "messages": []
+}
+```
+
+Refer to [JSON objects](/ddos-protection/advanced-ddos-systems/api/dns-protection/json-objects/) for more information on the fields in the JSON body.
@@ -0,0 +1,36 @@
+---
+pcx_content_type: how-to
+title: Advanced DNS Protection
+sidebar:
+  order: 4
+  label: Configure via the API
+head:
+  - tag: title
+    content: Configure Advanced DNS Protection via API
+
+---
+
+Use the [Cloudflare API](/api/) to configure Advanced DNS Protection via API.
+
+For examples of API calls, refer to [Common API calls](/ddos-protection/advanced-ddos-systems/api/dns-protection/examples/).
+
+## Endpoints
+
+To obtain the complete endpoint, append the Advanced DNS Protection API endpoints listed below to the Cloudflare API base URL:
+
+```txt
+https://api.cloudflare.com/client/v4
+```
+
+The `{account_id}` argument is the [account ID](/fundamentals/setup/find-account-and-zone-ids/) (a hexadecimal string). You can find this value in the Cloudflare dashboard.
+
+The following table summarizes the available operations.
+
+| Operation | Verb + Endpoint |
+| --- | --- |
+| List DNS protection rules | <p>`GET accounts/{account_id}/magic/advanced_dns_protection/configs/dns_protection/rules`</p>Fetches all DNS protection rules in the account. |
+| Add a DNS protection rule | <p>`POST accounts/{account_id}/magic/advanced_dns_protection/configs/dns_protection/rules`</p>Adds a DNS protection rule to the account. |
+| Get a DNS protection rule | <p>`GET accounts/{account_id}/magic/advanced_dns_protection/configs/dns_protection/rules/{rule_id}`</p>Fetches the details of an existing DNS protection rule in the account. |
+| Update a DNS protection rule | <p>`PATCH accounts/{account_id}/magic/advanced_dns_protection/configs/dns_protection/rules/{rule_id}`</p>Updates an existing DNS protection rule in the account. |
+| Delete a DNS protection rule | <p>`DELETE accounts/{account_id}/magic/advanced_dns_protection/configs/dns_protection/rules/{rule_id}`</p>Deletes an existing DNS protection rule from the account. |
+| Delete all DNS protection rules | <p>`DELETE accounts/{account_id}/magic/advanced_dns_protection/configs/dns_protection/rules`</p>Deletes all existing DNS protection rules from the account. |
@@ -0,0 +1,38 @@
+---
+title: JSON objects
+pcx_content_type: reference
+sidebar:
+  order: 3
+head:
+  - tag: title
+    content: Advanced TCP Protection API - JSON objects
+
+---
+
+# JSON object
+
+This page contains an example of the DNS protection rule JSON object used in the API.
+
+```json
+{
+  "id": "31c70c65-9f81-4669-94ed-1e1e041e7b06",
+  "scope": "region",
+  "name": "WEUR",
+  "mode": "monitoring",
+  "profile_sensitivity": "medium",
+  "rate_sensitivity": "medium",
+  "burst_sensitivity": "medium",
+  "created_on": "2023-10-01T13:10:38.762503+01:00",
+  "modified_on": "2023-10-01T13:10:38.762503+01:00"
+}
+```
+
+The `scope` field value must be one of `global`, `region`, or `datacenter`. You must provide a region code (or data center code) in the `name` field when specifying a `region` (or `datacenter`) scope.
+
+The `mode` value must be one of `enabled`, `disabled`, or `monitoring`.
+
+The `profile_sensitivity` field value must be one of `low` (default), `medium`, `high`, or `very_high`.
+
+The `rate_sensitivity` and `burst_sensitivity` field values must be one of `low`, `medium`, or `high`.
+
+For more information on the rule settings, refer to [Rule settings](/ddos-protection/advanced-ddos-systems/concepts/#rule-settings).
@@ -0,0 +1,18 @@
+---
+title: API configuration
+pcx_content_type: overview
+sidebar:
+  order: 4
+  group:
+    hideIndex: true
+head:
+  - tag: title
+    content: Configure Advanced TCP Protection and Advanced DNS Protection via the API
+
+---
+
+import { DirectoryListing } from "~/components"
+
+Refer to the following pages to configure Advanced TCP Protection and Advanced DNS Protection via the API.
+
+<DirectoryListing />