Merged
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ As a general guideline, various Cloudflare products operate on different open sy

:::note

For Magic Transit customers, Cloudflare provides some L7 protection with a L3 service (like the Advanced DNS Protection system that is available for Magic Transit customers. DNS is considered a L7 protocol).
For Magic Transit customers, Cloudflare provides some L7 protection with a L3 service (like the Advanced DNS Protection system that is available for Magic Transit customers. DNS is considered a L7 protocol).
:::

The following table includes a sample of covered attack vectors:
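Review bot: The parenthetical in the changed note line runs two sentences together ("...available for Magic Transit customers. DNS is considered a L7 protocol)") and uses "a L7" and "a L3" where "an" is expected. Since the line is already being touched, consider rewording it, for example: "Cloudflare provides some L7 protection with an L3 service, such as the Advanced DNS Protection system (DNS is considered an L7 protocol)." That also drops the repeated "for Magic Transit customers".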
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ Once attack traffic matches a rule, Cloudflare's systems will track that traffic
| Interactive Challenge | The client that made the request must pass an interactive Challenge. |
| Managed Challenge | Depending on the characteristics of a request, Cloudflare will choose an appropriate type of challenge. |
| Log | Records matching requests in the Cloudflare Logs. |
| Use rule defaults | Uses the default action that is pre-defined for each rule. |
| Use rule defaults | Uses the default action that is pre-defined for each rule. |

## Thresholds

Original file line number Diff line number Diff line change
Expand Up @@ -78,7 +78,7 @@ The `expression` field is a [Rules language expression](/ruleset-engine/rules-la

:::note

Expressions of SYN flood protection and out-of-state TCP protection filters do not currently support functions.
Expressions of SYN flood protection and out-of-state TCP protection filters do not currently support functions.
:::

The `mode` value must be one of `enabled`, `disabled`, or `monitoring`.
Original file line number Diff line number Diff line change
Expand Up @@ -100,7 +100,7 @@ The default rate sensitivity and recommended setting is _Low_. You should only i

## Filter

<Render file="atp-filter-definition" />
<Render file="atp-filter-definition" />

The filter expression can reference source and destination IP addresses and ports. Each system component (SYN flood protection and out-of-state TCP protection) should have one or more [rules](#rule), but filters are optional.

Original file line number Diff line number Diff line change
Expand Up @@ -31,16 +31,16 @@ To create a [SYN flood rule](/ddos-protection/advanced-ddos-systems/overview/adv

## Create an Advanced DNS Protection rule

1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select your account.
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select your account.
2. Go to **L3/4 DDoS** > **Advanced Protection** > **General settings**.
3. Add the prefixes you wish to onboard. Advanced DNS Protection will only be applied to the prefixes you onboard. If you already onboarded the desired prefixes when you configured Advanced TCP Protection, you do not need to take any other action.
:::note

Currently, the list of onboarded prefixes is shared with Advanced TCP Protection. Any onboarded prefixes will be subject to both Advanced TCP Protection and Advanced DNS Protection, assuming that your account team has done the initial configuration of both systems. However, you can leave Advanced TCP Protection in monitoring mode.
:::
4. Go to **Advanced DNS Protection**.
5. Select **Create Advanced DNS Protection rule**.
4. Go to **Advanced DNS Protection**.
5. Select **Create Advanced DNS Protection rule**.
6. In **Mode**, select a mode for the rule.
7. Under **Set scope**, select a [scope](/ddos-protection/advanced-ddos-systems/concepts/#scope) to determine the range of packets that will be affected by the rule.
8. Under **Sensitivity**, define the [burst sensitivity](/ddos-protection/advanced-ddos-systems/concepts/#burst-sensitivity), [rate sensitivity](/ddos-protection/advanced-ddos-systems/concepts/#rate-sensitivity), and [profile sensitivity](/ddos-protection/advanced-ddos-systems/concepts/#profile-sensitivity) to determine when to initiate mitigation.
7. Under **Set scope**, select a [scope](/ddos-protection/advanced-ddos-systems/concepts/#scope) to determine the range of packets that will be affected by the rule.
8. Under **Sensitivity**, define the [burst sensitivity](/ddos-protection/advanced-ddos-systems/concepts/#burst-sensitivity), [rate sensitivity](/ddos-protection/advanced-ddos-systems/concepts/#rate-sensitivity), and [profile sensitivity](/ddos-protection/advanced-ddos-systems/concepts/#profile-sensitivity) to determine when to initiate mitigation.
9. Select **Deploy**.
Original file line number Diff line number Diff line change
Expand Up @@ -26,11 +26,11 @@ General settings enable and control the use of the Advanced TCP Protection and t

Thresholds are based on your network's unique traffic and are configured by Cloudflare. The sensitivity levels manipulate the thresholds.

When you get access to Advanced DDoS Protection systems, you are automatically provisioned with default settings in monitoring mode.
When you get access to Advanced DDoS Protection systems, you are automatically provisioned with default settings in monitoring mode.

Thresholds are based on your network's individual behavior, derived from your traffic profile as monitored by Cloudflare. Defining the thresholds will effectively determine what the _High_, _Medium_, and _Low_ [sensitivities](/ddos-protection/advanced-ddos-systems/concepts/#burst-sensitivity) will be for your specific case.

If needed, you can change the sensitivity levels that will manipulate the thresholds for Advanced TCP Protection and Advanced DNS Protection from the default settings.
If needed, you can change the sensitivity levels that will manipulate the thresholds for Advanced TCP Protection and Advanced DNS Protection from the default settings.

Once thresholds are configured, the Advanced DDoS Protection systems have been initialized and enabled in monitoring mode.
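Review bot: Thresholds are explained twice in this hunk, once in the context paragraph "Thresholds are based on your network's unique traffic and are configured by Cloudflare" and again two paragraphs later in "Thresholds are based on your network's individual behavior, derived from your traffic profile as monitored by Cloudflare". The monitoring-mode statement is repeated in the same way ("automatically provisioned with default settings in monitoring mode" and "initialized and enabled in monitoring mode"). Consider merging each pair into a single paragraph so readers do not have to reconcile two descriptions of the same behavior.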

Expand All @@ -44,7 +44,7 @@ You cannot add unapproved prefixes to Advanced DDoS Protection systems. Contact

### Rules

[Create a rule](/ddos-protection/advanced-ddos-systems/how-to/create-rule/) for Advanced TCP and Advanced DNS Protection (as needed) to enable mitigation.
[Create a rule](/ddos-protection/advanced-ddos-systems/how-to/create-rule/) for Advanced TCP and Advanced DNS Protection (as needed) to enable mitigation.

You can create a rule for SYN Flood Protection and another rule for Out-of-state TCP Protection, both with global scope and in monitoring mode. These rules will apply to all received <GlossaryTooltip term="data packet">packets</GlossaryTooltip>.

Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ All customers should perform the following steps to better secure their applicat
3. Make sure your origin is not exposed to the public Internet, meaning that access is only possible from [Cloudflare IP addresses](/fundamentals/concepts/cloudflare-ip-addresses/). As an extra security precaution, we recommend contacting your hosting provider and requesting new origin server IPs if they have been targeted directly in the past.
4. If you have [Managed IP Lists](/waf/tools/lists/managed-lists/#managed-ip-lists) or [Bot Management](/bots/plans/bm-subscription/), consider using these in WAF custom rules.
5. Enable [caching](/cache/) as much as possible to reduce the strain on your origin servers, and when using [Workers](/workers/), avoid overwhelming your origin server with more subrequests than necessary.

To help counter attack randomization, Cloudflare recommends to update your cache settings to exclude the query string as a cache key. When the query string is excluded as a cache key, Cloudflare's cache will take in unmitigated attack requests instead of forwarding them to the origin. The cache can be a useful mechanism as part of a multilayered security posture.

## Enterprise customers
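Review bot: The cache-key paragraph after step 5 recommends excluding the query string from the cache key but does not say when that is unsafe. With the query string excluded, every query-string variant of a URL is served the same cached response, so the advice only fits resources whose content does not depend on query parameters; a sentence stating that would help. Separately, "Cloudflare recommends to update" reads better as "Cloudflare recommends updating".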
4 changes: 2 additions & 2 deletions src/content/docs/ddos-protection/botnet-threat-feed.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -11,11 +11,11 @@ head:

The Cloudflare DDoS Botnet Threat Feed is a threat intelligence feed for service providers (SPs) such as hosting providers and Internet service providers (ISPs) that provides information about their own IP addresses that have participated in HTTP DDoS attacks as observed from Cloudflare's global network. The feed aims to help service providers stop the abuse and reduce DDoS attacks originating from within their networks.

Each offense is a mitigated HTTP request from the specific IP address. For example, if an IP has 3,000 offenses, it means that Cloudflare has mitigated 3,000 HTTP requests from that IP.
Each offense is a mitigated HTTP request from the specific IP address. For example, if an IP has 3,000 offenses, it means that Cloudflare has mitigated 3,000 HTTP requests from that IP.

A service provider can only get information about IP addresses associated with their autonomous system numbers (ASNs). The affiliation of a service provider with their ASNs will be checked against [PeeringDB](https://www.peeringdb.com/), a reliable and globally recognized interconnection database.

To ensure the feed's accuracy, Cloudflare will only include IP addresses that have participated in multiple HTTP DDoS attacks and have triggered high-confidence rules.
To ensure the feed's accuracy, Cloudflare will only include IP addresses that have participated in multiple HTTP DDoS attacks and have triggered high-confidence rules.

## Context

Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ This section contains past and upcoming changes to the [Network-layer DDoS Attac

:::note

The Network-layer DDoS Attack Protection managed ruleset protects Cloudflare customers on all plans. However, only [Magic transit](/magic-transit/) and [Spectrum](/spectrum/) customers on an Enterprise plan can customize the managed ruleset.
The Network-layer DDoS Attack Protection managed ruleset protects Cloudflare customers on all plans. However, only [Magic transit](/magic-transit/) and [Spectrum](/spectrum/) customers on an Enterprise plan can customize the managed ruleset.
:::

<LinkButton variant="primary" href="/ddos-protection/change-log/network/scheduled-changes/">View scheduled changes</LinkButton>
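Review bot: The link text in the changed note line reads "[Magic transit](/magic-transit/)", while the product name is written "Magic Transit" in every other file touched by this PR. Suggest fixing the capitalization while the line is being edited.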
2 changes: 1 addition & 1 deletion src/content/docs/ddos-protection/get-started.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,7 @@ You must have one of the following:

:::note

The _Log_ action is only available to Enterprise customers.
The _Log_ action is only available to Enterprise customers.
:::

1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account.
12 changes: 6 additions & 6 deletions src/content/docs/ddos-protection/index.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ import { Description, Feature, FeatureTable, GlossaryTooltip, Plan, RelatedProdu

<Description>

Detect and mitigate distributed denial-of-service (DDoS) attacks automatically.
Detect and mitigate distributed denial-of-service (DDoS) attacks automatically.
</Description>

<Plan type="all" />
Expand All @@ -27,11 +27,11 @@ These systems include multiple dynamic mitigation rules exposed as [DDoS attack
## Features

<Feature header="Managed rulesets" href="/ddos-protection/managed-rulesets/">
Protect against a variety of DDoS attacks across layers 3/4 (network layer) and layer 7 (application layer) of the OSI model.
Protect against a variety of DDoS attacks across layers 3/4 (network layer) and layer 7 (application layer) of the OSI model.
</Feature>

<Feature header="Adaptive DDoS protection" href="/ddos-protection/managed-rulesets/adaptive-protection/">
Get increased protection against sophisticated DDoS attacks on layer 7 and layers 3/4.
Get increased protection against sophisticated DDoS attacks on layer 7 and layers 3/4.
</Feature>

<Feature header="Advanced TCP protection" href="/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/">
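Review bot: In the Managed rulesets feature text, "layers 3/4 (network layer)" labels two layers with one name; layer 4 of the OSI model is the transport layer. Suggest "layers 3/4 (network and transport layers)" so it matches the precision of "layer 7 (application layer)" in the same sentence.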
Expand All @@ -57,13 +57,13 @@ Protect against DNS-based DDoS attacks, specifically sophisticated and fully ran
## Related products

<RelatedProduct header="Spectrum" href="/spectrum/" product="spectrum">
Provides security and acceleration for any TCP or UDP based application.
Provides security and acceleration for any TCP or UDP based application.
</RelatedProduct>

<RelatedProduct header="Magic Transit" href="/magic-transit/" product="magic-transit">
A network security and performance solution that offers DDoS protection, traffic acceleration, and more for on-premise, cloud-hosted, and hybrid networks.
A network security and performance solution that offers DDoS protection, traffic acceleration, and more for on-premise, cloud-hosted, and hybrid networks.
</RelatedProduct>

<RelatedProduct header="Web Application Firewall (WAF)" href="/waf/" product="waf">
Get automatic protection from vulnerabilities and the flexibility to create custom rules.
Get automatic protection from vulnerabilities and the flexibility to create custom rules.
</RelatedProduct>
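Review bot: Two wording points in the changed Related products lines: "TCP or UDP based application" needs hyphens ("TCP- or UDP-based application"), and "on-premise" in the Magic Transit description should be "on-premises".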
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ Cloudflare Adaptive DDoS Protection is available to Enterprise customers accordi



<sup>1</sup> _WAF/CDN customers on the Enterprise plan with the Advanced DDoS Protection subscription._<br/>
<sup>1</sup> _WAF/CDN customers on the Enterprise plan with the Advanced DDoS Protection subscription._<br/>
<sup>2</sup> _Magic Transit and Spectrum BYOIP customers on an Enterprise plan._

## How it works
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ For more information on the available parameters and allowed values, refer to [R

If you are an Enterprise customer with the Advanced DDoS Protection subscription, you can define up to 10 overrides. These overrides can have a custom expression so that the override only applies to a subset of incoming requests. If you do not have the Advanced DDoS Protection subscription, you can only deploy one override which will always apply to all incoming requests.

If you cannot deploy any additional overrides, consider editing an existing override to adjust rule configuration.
If you cannot deploy any additional overrides, consider editing an existing override to adjust rule configuration.
:::

<Render file="managed-rulesets/evaluation-behavior" />
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ The available managed rulesets are:

:::note

Only available on Business and Enterprise plans.
Only available on Business and Enterprise plans.
:::

When Cloudflare creates a new managed rule, we check the rule impact against the traffic of Business and Enterprise zones while the rule is not blocking traffic yet.
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ When configuring the Network-layer DDoS Attack Protection managed ruleset, use o

- The Network-layer DDoS Attack Protection managed ruleset is always enabled. You cannot disable its rules using an override with `"enabled": false`.
- <Render file="managed-rulesets/read-only-rules-note" />
- You can only define overrides for the Network-layer DDoS Attack Protection managed ruleset at the account level.
- You can only define overrides for the Network-layer DDoS Attack Protection managed ruleset at the account level.
:::

## Example
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ For more information on the available parameters and allowed values, refer to [R
<Details header="Configure one or more rules">
12. Search for the rules you wish to override using the available filters. You can search for tags.
13. To override a single rule, select the desired value for a field in the displayed dropdowns next to the rule.

To configure more than one rule, select the rules using the row checkboxes and update the fields for the selected rules using the dropdowns displayed before the table. You can also configure all the rules with a given tag. For more information, refer to [Configure rules in bulk in a managed ruleset](/waf/managed-rules/deploy-zone-dashboard/#configure-rules-in-bulk-in-a-managed-ruleset).
14. Select **Next**.
15. Enter a name for your override in **Execution name**.
8 changes: 4 additions & 4 deletions src/content/docs/ddos-protection/reference/alerts.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ Cloudflare automatically sends weekly summaries of detected and mitigated DDoS a

:::note

<Render file="alerts-and-reports-independent" />
<Render file="alerts-and-reports-independent" />
:::

## Set up a notification for DDoS alerts
Expand All @@ -54,7 +54,7 @@ Cloudflare can issue notifications for different types of DDoS attack alerts.

:::note

The availability of advanced DDoS attack alerts depends on your Cloudflare plan and subscribed services. Refer to [Availability](#availability) for details.
The availability of advanced DDoS attack alerts depends on your Cloudflare plan and subscribed services. Refer to [Availability](#availability) for details.
:::

Advanced DDoS attack alerts support additional configuration, allowing you to filter the notifications you wish to receive.
Expand All @@ -74,8 +74,8 @@ The available alerts depend on your Cloudflare plan and subscribed services:
| Layer 3/4 DDoS Attack Alert | – | Yes<sup>2, 3</sup> | Yes | Yes<sup>3</sup> |
| Advanced Layer 3/4 DDoS Attack Alert | – | – | Yes<sup>2</sup> | Yes<sup>2</sup> |

<sup>1</sup> _Only available to Enterprise customers with the Advanced DDoS Protection subscription._ <br/>
<sup>2</sup> _Only available on an Enterprise plan._ <br/>
<sup>1</sup> _Only available to Enterprise customers with the Advanced DDoS Protection subscription._ <br/>
<sup>2</sup> _Only available on an Enterprise plan._ <br/>
<sup>3</sup> _Refer to [Final remarks](#final-remarks) for additional notes._

## Example notification
2 changes: 1 addition & 1 deletion src/content/docs/ddos-protection/reference/reports.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ Additionally, if you are a Magic Transit or Spectrum BYOIP customer, you will re

:::note[Note]

To receive DDoS reports by email you must have opted in to the **Analytics** category in the [communication preferences](/fundamentals/setup/account/customize-account/communication-preference/) for your profile.
To receive DDoS reports by email you must have opted in to the **Analytics** category in the [communication preferences](/fundamentals/setup/account/customize-account/communication-preference/) for your profile.
:::

## Weekly DDoS reports
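Review bot: This note opens with ":::note[Note]", whereas the other notes touched in this PR use a bare ":::note". The explicit "[Note]" title looks redundant; suggest dropping it for consistency unless a custom title is intended here.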
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,6 @@ You can only launch DDoS attacks against your own Internet properties — your z

You do not have to obtain permission from Cloudflare to launch a DDoS attack simulation against your own Internet properties. However, before launching the simulated attack, you must [open a Support ticket](/support/contacting-cloudflare-support/) and provide the information below. All fields are mandatory.

It is recommended that you choose the right service and enable the correct features to test against the corresponding DDoS attacks. For example, if you want to test Cloudflare against an HTTP DDoS attack and you are only using Magic Transit, the test is going to fail because you need to onboard your HTTP application to Cloudflare's reverse proxy service to test our HTTP DDoS Protection.
It is recommended that you choose the right service and enable the correct features to test against the corresponding DDoS attacks. For example, if you want to test Cloudflare against an HTTP DDoS attack and you are only using Magic Transit, the test is going to fail because you need to onboard your HTTP application to Cloudflare's reverse proxy service to test our HTTP DDoS Protection.

<Render file="support-ticket-information" product="fundamentals" params={{ one: "Attack" }} />