From 1975cdeb373051daf050626e87e4222eed060eff Mon Sep 17 00:00:00 2001
From: Patricia Loraine Santa Ana
Date: Fri, 22 Nov 2024 12:28:40 -0800
Subject: [PATCH 1/2] [DDoS Protection] MT Advanced DDoS Systems onboarding
---
 .../overview/advanced-dns-protection.mdx | 4 ++++
 .../overview/advanced-tcp-protection.mdx | 4 ++++
 .../mt-advanced-ddos-systems-onboarding.mdx | 12 ++++++++++++
 3 files changed, 20 insertions(+)
 create mode 100644 src/content/partials/ddos-protection/mt-advanced-ddos-systems-onboarding.mdx
diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection.mdx
index 7eca38bba9ebaa1..16cf821132ff203 100644
--- a/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection.mdx
+++ b/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection.mdx
@@ -9,8 +9,12 @@ head:
 ---
+import { Render } from "~/components"
+
 Cloudflare's Advanced DNS Protection, powered by [`flowtrackd`](https://blog.cloudflare.com/announcing-flowtrackd/), provides stateful protection against DNS-based DDoS attacks, specifically sophisticated and fully randomized DNS attacks such as [random prefix attacks](/dns/dns-firewall/random-prefix-attacks/about/).
+
+
 ## How it works
 Cloudflare's Advanced DNS Protection works by first learning your traffic patterns and forming a baseline of the type of DNS queries you normally receive. Later, the system will be able to distinguish between legitimate and malicious queries, protecting your DNS infrastructure without impacting legitimate traffic.
diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection.mdx
index e1658f36bc8cd3e..ada3e3edfc38e1f 100644
--- a/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection.mdx
+++ b/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection.mdx
@@ -9,8 +9,12 @@ head:
 ---
+import { Render } from "~/components"
+
 Cloudflare's Advanced TCP Protection, powered by [`flowtrackd`](https://blog.cloudflare.com/announcing-flowtrackd/), is a stateful TCP inspection engine used to detect and mitigate sophisticated out-of-state TCP attacks such as randomized and spoofed ACK floods or SYN and SYN-ACK floods.
+
+
 ## How it works
 Advanced TCP Protection can simultaneously protect against different kinds of attacks:
diff --git a/src/content/partials/ddos-protection/mt-advanced-ddos-systems-onboarding.mdx b/src/content/partials/ddos-protection/mt-advanced-ddos-systems-onboarding.mdx
new file mode 100644
index 000000000000000..d914a766c045130
--- /dev/null
+++ b/src/content/partials/ddos-protection/mt-advanced-ddos-systems-onboarding.mdx
@@ -0,0 +1,12 @@
+---
+{}
+
+---
+
+[Magic Transit](/magic-transit/) customers are automatically onboarded to the Advanced TCP Protection and Advanced DNS Protection systems.
+
+Every 10 minutes, the `flowtrackd` API will look for new accounts in the conduit API. For each new account that it finds, it will add the account and its `authorized_prefixes` to the `flowtrackd` API, add default manual thresholds and rules for the TCP policer, TCP tracker, and DNS tracker—all in `monitoring` mode, and set the protection status to `Enabled` which allows `flowtrackd` to start processing your traffic.
+
+:::note
+If the `flowtrackd` API cannot find any `authorized_prefixes` for an account in the conduit API, it will wait to onboard you until the prefixes are present (up to seven days).
+:::
\ No newline at end of file
From c67eb364e10159a8168ddcf4313105ca8b2a1f35 Mon Sep 17 00:00:00 2001
From: Patricia Loraine Santa Ana
Date: Wed, 4 Dec 2024 10:02:15 -0800
Subject: [PATCH 2/2] update wording
---
 .../mt-advanced-ddos-systems-onboarding.mdx | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/src/content/partials/ddos-protection/mt-advanced-ddos-systems-onboarding.mdx b/src/content/partials/ddos-protection/mt-advanced-ddos-systems-onboarding.mdx
index d914a766c045130..1393b132f8df703 100644
--- a/src/content/partials/ddos-protection/mt-advanced-ddos-systems-onboarding.mdx
+++ b/src/content/partials/ddos-protection/mt-advanced-ddos-systems-onboarding.mdx
@@ -1,12 +1,9 @@
 ---
 {}
-
 ---
-[Magic Transit](/magic-transit/) customers are automatically onboarded to the Advanced TCP Protection and Advanced DNS Protection systems.
-
-Every 10 minutes, the `flowtrackd` API will look for new accounts in the conduit API. For each new account that it finds, it will add the account and its `authorized_prefixes` to the `flowtrackd` API, add default manual thresholds and rules for the TCP policer, TCP tracker, and DNS tracker—all in `monitoring` mode, and set the protection status to `Enabled` which allows `flowtrackd` to start processing your traffic.
-
 :::note
-If the `flowtrackd` API cannot find any `authorized_prefixes` for an account in the conduit API, it will wait to onboard you until the prefixes are present (up to seven days).
+Advanced TCP and DNS Protection systems are automatically enabled in `Monitor` mode with the default thresholds for new Magic Transit customers and their [authorized prefixes](/magic-transit/how-to/advertise-prefixes/).
+
+Magic Transit customers can also enable the Advanced DDoS systems when the prefixes are ready, change the sensitivity level, or adjust the thresholds by contacting their account team.
 :::
\ No newline at end of file