From 42d2b8ce850e7ad674389f206bc3cfe4c9f0138e Mon Sep 17 00:00:00 2001 From: Patricia Loraine Santa Ana Date: Tue, 29 Oct 2024 14:35:55 -0700 Subject: [PATCH 1/6] botnet threat feed offense --- src/content/docs/ddos-protection/botnet-threat-feed.mdx | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/content/docs/ddos-protection/botnet-threat-feed.mdx b/src/content/docs/ddos-protection/botnet-threat-feed.mdx index 61025988367e95b..04d8be39f5b6592 100644 --- a/src/content/docs/ddos-protection/botnet-threat-feed.mdx +++ b/src/content/docs/ddos-protection/botnet-threat-feed.mdx 
@@ -9,11 +9,13 @@ head: --- -The Cloudflare DDoS Botnet Threat Feed is a threat intelligence feed for service providers (SPs) such as hosting providers and Internet service providers (ISPs) that provides information about their own IP addresses that have participated in HTTP DDoS attacks as observed from Cloudflare's global network. The feed aims to help service providers stop the abuse and reduce DDoS attacks originating from within their networks. +The Cloudflare DDoS Botnet Threat Feed is a threat intelligence feed for service providers (SPs) such as hosting providers and Internet service providers (ISPs) that provides information about their own IP addresses that have participated in HTTP DDoS attacks as observed from Cloudflare's global network. The feed aims to help service providers stop the abuse and reduce DDoS attacks originating from within their networks. -Each service provider can only get information about IP addresses associated with their autonomous system numbers (ASNs). The affiliation of a service provider with their ASNs will be checked against [PeeringDB](https://www.peeringdb.com/), a reliable and globally recognized interconnection database. +Each offense is a mitigated HTTP request from the specific IP address. For example, if an IP has 3,000 offenses, it means that Cloudflare has mitigated 3,000 HTTP requests from that IP. -To ensure the feed’s accuracy, Cloudflare will only include in the feed IP addresses that have participated in multiple HTTP DDoS attacks and have triggered high-confidence rules. +A service provider can only get information about IP addresses associated with their autonomous system numbers (ASNs). The affiliation of a service provider with their ASNs will be checked against [PeeringDB](https://www.peeringdb.com/), a reliable and globally recognized interconnection database. 
+ +To ensure the feed’s accuracy, Cloudflare will only include in the feed IP addresses that have participated in multiple HTTP DDoS attacks and have triggered high-confidence rules. ## Context From 746915a1e071afa421ecc8b2811cf10729814967 Mon Sep 17 00:00:00 2001 From: Patricia Loraine Santa Ana Date: Tue, 29 Oct 2024 14:55:28 -0700 Subject: [PATCH 2/6] recommendations for ddos tests --- .../docs/ddos-protection/reference/simulate-ddos-attack.mdx | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/content/docs/ddos-protection/reference/simulate-ddos-attack.mdx b/src/content/docs/ddos-protection/reference/simulate-ddos-attack.mdx index 0e42fb75981c0c9..1094cd3763c986c 100644 --- a/src/content/docs/ddos-protection/reference/simulate-ddos-attack.mdx +++ b/src/content/docs/ddos-protection/reference/simulate-ddos-attack.mdx @@ -19,4 +19,6 @@ You can only launch DDoS attacks against your own Internet properties — your z You do not have to obtain permission from Cloudflare to launch a DDoS attack simulation against your own Internet properties. However, before launching the simulated attack, you must [open a Support ticket](/support/contacting-cloudflare-support/) and provide the information below. All fields are mandatory. +It is recommended that you choose the right service and enable the correct features to test against the corresponding DDoS attacks. For example, if you want to test Cloudflare against an HTTP DDoS attack and you are only using Magic Transit, the test is going to fail because you need to onboard your HTTP application to Cloudflare's reverse proxy service to test our HTTP DDoS Protection. + From 436c68c31c55d3c314f419eca22f803894044077 Mon Sep 17 00:00:00 2001 From: Patricia Loraine Santa Ana Date: Tue, 29 Oct 2024 14:56:27 -0700 Subject: [PATCH 3/6] edit --- src/content/docs/ddos-protection/botnet-threat-feed.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/content/docs/ddos-protection/botnet-threat-feed.mdx b/src/content/docs/ddos-protection/botnet-threat-feed.mdx index 04d8be39f5b6592..f3bb57e400a2b85 100644 --- a/src/content/docs/ddos-protection/botnet-threat-feed.mdx +++ b/src/content/docs/ddos-protection/botnet-threat-feed.mdx @@ -15,7 +15,7 @@ Each offense is a mitigated HTTP request from the specific IP address. For examp A service provider can only get information about IP addresses associated with their autonomous system numbers (ASNs). The affiliation of a service provider with their ASNs will be checked against [PeeringDB](https://www.peeringdb.com/), a reliable and globally recognized interconnection database. -To ensure the feed’s accuracy, Cloudflare will only include in the feed IP addresses that have participated in multiple HTTP DDoS attacks and have triggered high-confidence rules. +To ensure the feed's accuracy, Cloudflare will only include in the feed IP addresses that have participated in multiple HTTP DDoS attacks and have triggered high-confidence rules. ## Context From 06c34afc73a5243187d1742f52ae75c4e1d6e165 Mon Sep 17 00:00:00 2001 From: Patricia Loraine Santa Ana Date: Tue, 29 Oct 2024 15:03:32 -0700 Subject: [PATCH 4/6] remove ddos billing note --- .../docs/ddos-protection/about/how-ddos-protection-works.mdx | 5 ----- 1 file changed, 5 deletions(-) diff --git a/src/content/docs/ddos-protection/about/how-ddos-protection-works.mdx b/src/content/docs/ddos-protection/about/how-ddos-protection-works.mdx index 6539031476709f3..90c9fab673a2fcd 100644 --- a/src/content/docs/ddos-protection/about/how-ddos-protection-works.mdx +++ b/src/content/docs/ddos-protection/about/how-ddos-protection-works.mdx 
@@ -33,11 +33,6 @@ Once attack traffic matches a rule, Cloudflare's systems will track that traffic | Log | Records matching requests in the Cloudflare Logs. | | Use rule defaults | Uses the default action that is pre-defined for each rule. | -:::note - -DDoS attack traffic is automatically excluded from billing systems. -::: - ## Time to mitigate - Immediate mitigation for Advanced TCP and DNS Protection systems. From b8ca21682b78e3bb09c6a9609a74d664d8d46334 Mon Sep 17 00:00:00 2001 From: Patricia Loraine Santa Ana Date: Wed, 30 Oct 2024 09:42:27 -0700 Subject: [PATCH 5/6] space --- src/content/docs/ddos-protection/botnet-threat-feed.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/ddos-protection/botnet-threat-feed.mdx b/src/content/docs/ddos-protection/botnet-threat-feed.mdx index f3bb57e400a2b85..67a0b3ded2d9bde 100644 --- a/src/content/docs/ddos-protection/botnet-threat-feed.mdx +++ b/src/content/docs/ddos-protection/botnet-threat-feed.mdx 
@@ -9,7 +9,7 @@ head: --- -The Cloudflare DDoS Botnet Threat Feed is a threat intelligence feed for service providers (SPs) such as hosting providers and Internet service providers (ISPs) that provides information about their own IP addresses that have participated in HTTP DDoS attacks as observed from Cloudflare's global network. The feed aims to help service providers stop the abuse and reduce DDoS attacks originating from within their networks. +The Cloudflare DDoS Botnet Threat Feed is a threat intelligence feed for service providers (SPs) such as hosting providers and Internet service providers (ISPs) that provides information about their own IP addresses that have participated in HTTP DDoS attacks as observed from Cloudflare's global network. The feed aims to help service providers stop the abuse and reduce DDoS attacks originating from within their networks. Each offense is a mitigated HTTP request from the specific IP address. For example, if an IP has 3,000 offenses, it means that Cloudflare has mitigated 3,000 HTTP requests from that IP. From a11228a43f30d26cc05bc45433dd495fda541781 Mon Sep 17 00:00:00 2001 From: Patricia Santa Ana <103445940+patriciasantaana@users.noreply.github.com> Date: Wed, 30 Oct 2024 10:02:59 -0700 Subject: [PATCH 6/6] Update src/content/docs/ddos-protection/botnet-threat-feed.mdx Co-authored-by: Jun Lee --- src/content/docs/ddos-protection/botnet-threat-feed.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/ddos-protection/botnet-threat-feed.mdx b/src/content/docs/ddos-protection/botnet-threat-feed.mdx index 67a0b3ded2d9bde..85c9a3f8acd0289 100644 --- a/src/content/docs/ddos-protection/botnet-threat-feed.mdx +++ b/src/content/docs/ddos-protection/botnet-threat-feed.mdx 
@@ -15,7 +15,7 @@ Each offense is a mitigated HTTP request from the specific IP address. For examp A service provider can only get information about IP addresses associated with their autonomous system numbers (ASNs). The affiliation of a service provider with their ASNs will be checked against [PeeringDB](https://www.peeringdb.com/), a reliable and globally recognized interconnection database. -To ensure the feed's accuracy, Cloudflare will only include in the feed IP addresses that have participated in multiple HTTP DDoS attacks and have triggered high-confidence rules. +To ensure the feed's accuracy, Cloudflare will only include IP addresses that have participated in multiple HTTP DDoS attacks and have triggered high-confidence rules. ## Context
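Review bot: In PATCH 1/6 (botnet-threat-feed.mdx), the added sentence "Each offense is a mitigated HTTP request from the specific IP address." uses "offense" and "the specific IP address" before either has been introduced. The paragraph above it only talks about IP addresses that participated in attacks. Say where a reader meets the term (the per-IP count the example implies) before defining it, and use "a specific IP address" or "that IP address". The example also shortens "IP address" to "IP" twice, while the rest of the page uses the full form.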
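Review bot: In PATCH 2/6 (simulate-ddos-attack.mdx), the new paragraph is inserted directly after "provide the information below. All fields are mandatory.", so "the information below" now points at a recommendation rather than at the required fields. Move the paragraph above the Support ticket sentence, or give it its own heading. Wording points in the same paragraph: "the test is going to fail" does not say whether the simulation cannot run or the attack will not be mitigated, and "our HTTP DDoS Protection" switches to first person where the surrounding text says "Cloudflare". "It is recommended that you choose the right service" would read better as a direct instruction naming which service covers which attack type.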
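Review bot: PATCH 4/6 (how-ddos-protection-works.mdx) deletes the note "DDoS attack traffic is automatically excluded from billing systems." and the commit message "remove ddos billing note" gives no reason. This is a customer-facing billing statement, so the commit message should say whether the statement is no longer accurate or has moved to another page, and in the latter case the page should link to its new location instead of dropping it silently.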
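Review bot: PATCH 5/6 ("space") rewrites the opening paragraph of botnet-threat-feed.mdx with no visible wording change, and PATCH 1/6 carries a -/+ pair on the same paragraph that also shows no wording change, so 5/6 looks like a whitespace fix for something 1/6 introduced. Squash 5/6 into 1/6. The same applies to 3/6 and 6/6, which both re-edit the "To ensure the feed's accuracy" sentence that 1/6 already moved. One commit per file would keep the history from touching the same lines three times.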