Merged
Expand Up @@ -8,19 +8,19 @@ head:
content: Override examples for HTTP DDoS Attack Protection
---

import { Details, GlossaryTooltip } from "~/components"
import { Details, GlossaryTooltip, Tabs, TabItem } from "~/components"

## Use cases

The following scenarios detail how you can make use of override rules as a solution to common HTTP DDoS Protection issues.

### Traffic from your mobile application is blocked by a DDoS Managed Rule

The traffic from your mobile application may have appeared suspicious, causing a DDoS Managed Rule to block it.
The traffic from your mobile application may have appeared suspicious, causing a DDoS Managed Rule to block it.

You should identify the Managed Rule blocking the traffic and change the sensitivity level to `Medium`. If traffic continues to be blocked by the managed rule, set the sensitivity level to `Low` or `Essentially off`.

If you have access to filter expressions, you can create an override to target the specific affected traffic.
If you have access to filter expressions, you can create an override to target the specific affected traffic.

### Traffic is flagged by an adaptive rule based on the location and may be an attack
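Review bot: the two line pairs at `The traffic from your mobile application may have appeared suspicious...` and `If you have access to filter expressions...` each show a removed and an added line with identical visible text, which normally means a trailing-whitespace or line-ending change; either confirm that is intended or revert those lines so this hunk carries only the `Tabs, TabItem` import addition that the new `<Tabs>` blocks further down the file need.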

Expand All @@ -34,23 +34,47 @@ In these cases, Cloudflare’s DDoS Protection systems may flag that traffic as

To remedy a false positive:

<Tabs syncKey="dashNewNav"> <TabItem label="Old dashboard">

1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account.
2. Go to the analytics dashboard and apply filters to the displayed data.
<Details header="For WAF/CDN customers">
1. Select the zone that is experiencing DDoS attack false positives.
2. Go to **Security** > **Events**.
3. Select **Add filter** and filter by `Service equals HTTP DDoS`.
</Details>
<Details header="For Magic Transit and Spectrum customers">
1. Go to Account Home > **Analytics & Logs** > **Network Analytics**.
2. Identify the legitimate traffic that is causing the false positives. Use the Attack ID number included in the DDoS alert (if you received one), or apply dashboard filters such as destination IP address and port.
</Details>
3. Scroll down to **Top events by source** > **HTTP DDoS rules**.
4. Copy the rule name.
5. Go to your zone > **Security** > **DDoS** and select **Deploy a DDoS override**. If you cannot deploy any additional overrides, edit an existing override to adjust rule configuration.
6. Select **Browse rules** and paste the rule name in the search field.
7. Decrease the rule’s **Sensitivity Level** to _Essentially Off_ or change the rule action to _Log_ (if supported by your current plan and subscriptions).
8. Select **Next** and then select **Save**.

</TabItem> <TabItem label="New dashboard" icon="rocket">

1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account.
2. Go to the analytics dashboard and apply filters to the displayed data.
<Details header="For WAF/CDN customers">
3. Select the zone that is experiencing DDoS attack false positives.
4. Go to **Security** > **Events**.
5. Select **Add filter** and filter by `Service equals HTTP DDoS`.
1. Select the zone that is experiencing DDoS attack false positives.
2. Go to **Security** > **Analytics** > **Events** tab.
3. Select **Add filter** and filter by `Service equals HTTP DDoS`.
</Details>
<Details header="For Magic Transit and Spectrum customers">
6. Go to Account Home > **Analytics & Logs** > **Network Analytics**.
7. Identify the legitimate traffic that is causing the false positives. Use the Attack ID number included in the DDoS alert (if you received one), or apply dashboard filters such as destination IP address and port.
1. Go to Account Home > **Analytics & Logs** > **Network Analytics**.
1. Identify the legitimate traffic that is causing the false positives. Use the Attack ID number included in the DDoS alert (if you received one), or apply dashboard filters such as destination IP address and port.
</Details>
8. Scroll down to **Top events by source** > **HTTP DDoS rules**.
9. Copy the rule name.
10. Go to your zone > **Security** > **DDoS** and select **Deploy a DDoS override**. If you cannot deploy any additional overrides, edit an existing override to adjust rule configuration.
11. Select **Browse rules** and paste the rule name in the search field.
12. Decrease the rule’s **Sensitivity Level** to _Essentially Off_ or change the rule action to _Log_ (if supported by your current plan and subscriptions).
13. Select **Next** and then select **Save**.
3. Scroll down to **Top events by source** > **HTTP DDoS rules**.
4. Copy the rule name.
5. Go to your zone > **Security** > **Security rules** > **DDoS protection** tab and select **Create override**. If you cannot deploy any additional overrides, edit an existing override to adjust rule configuration.
6. Select **Browse rules** and paste the rule name in the search field.
7. Decrease the rule’s **Sensitivity Level** to _Essentially Off_ or change the rule action to _Log_ (if supported by your current plan and subscriptions).
8. Select **Next** and then select **Save**.

</TabItem> </Tabs>

Once saved, the rule takes effect within one or two minutes. The rule adjustment should provide immediate remedy, which you can view in the [analytics dashboard](/ddos-protection/reference/analytics/).
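Review bot: in the New dashboard tab, the Magic Transit and Spectrum `<Details>` block numbers both of its steps `1.` (`1. Go to Account Home > ...` followed by `1. Identify the legitimate traffic ...`), while the matching block in the Old dashboard tab uses `1.` and `2.`; change the second item to `2.` for consistency. Separately, the steps inside each `<Details>` block restart at 1 while the outer list resumes at `3. Scroll down to **Top events by source**`, so the rendered sequence reads 1, 2, 1, 2, 3, 1, 2, 3, 4; consider continuing the numbering across the nested blocks or presenting the nested steps as sub-steps.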

Expand Down Expand Up @@ -91,29 +115,53 @@ The system chooses the mitigation action based on the logic and the DDoS protect

If you are experiencing a DDoS attack detected by Cloudflare and the applied mitigation action is not sufficiently strict, change the rule action to _Block_:

<Tabs syncKey="dashNewNav"> <TabItem label="Old dashboard">

1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account.
2. Go to the analytics dashboard and apply filters to the displayed data.
<Details header="For WAF/CDN customers">
1. Select the zone that is experiencing an incomplete mitigation of a DDoS attack.
2. Go to **Security** > **Events**.
3. Select **Add filter** and filter by `Service equals HTTP DDoS`.
</Details>
<Details header="For Magic Transit and Spectrum customers">
1. Go to Account Home > **Analytics & Logs** > **Network Analytics**.
2. Identify the DDoS attack that is having incomplete mitigations. Use the Attack ID number included in the DDoS alert (if you received one), or apply dashboard filters such as destination IP address and port.
</Details>
3. Scroll down to **Top events by source** > **HTTP DDoS rules**.
4. Copy the rule name.
5. Go to your zone > **Security** > **DDoS** and select **Deploy a DDoS override**. If you cannot deploy any additional overrides, edit an existing override to adjust rule configuration.
6. Select **Browse rules** and paste the rule name in the search field.
7. Change the rule’s **Action** to *Block*.
8. Select **Next** and then select **Save**.

</TabItem> <TabItem label="New dashboard" icon="rocket">

1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account.
2. Go to the analytics dashboard and apply filters to the displayed data.
<Details header="For WAF/CDN customers">
3. Select the zone that is experiencing an incomplete mitigation of a DDoS attack.
4. Go to **Security** > **Events**.
5. Select **Add filter** and filter by `Service equals HTTP DDoS`.
1. Select the zone that is experiencing an incomplete mitigation of a DDoS attack.
2. Go to **Security** > **Analytics** > **Events** tab.
3. Select **Add filter** and filter by `Service equals HTTP DDoS`.
</Details>
<Details header="For Magic Transit and Spectrum customers">
6. Go to Account Home > **Analytics & Logs** > **Network Analytics**.
7. Identify the DDoS attack that is having incomplete mitigations. Use the Attack ID number included in the DDoS alert (if you received one), or apply dashboard filters such as destination IP address and port.
1. Go to Account Home > **Analytics & Logs** > **Network Analytics**.
2. Identify the DDoS attack that is having incomplete mitigations. Use the Attack ID number included in the DDoS alert (if you received one), or apply dashboard filters such as destination IP address and port.
</Details>
8. Scroll down to **Top events by source** > **HTTP DDoS rules**.
9. Copy the rule name.
10. Go to your zone > **Security** > **DDoS** and select **Deploy a DDoS override**. If you cannot deploy any additional overrides, edit an existing override to adjust rule configuration.
11. Select **Browse rules** and paste the rule name in the search field.
12. Change the rule’s **Action** to *Block*.
13. Select **Next** and then select **Save**.
3. Scroll down to **Top events by source** > **HTTP DDoS rules**.
4. Copy the rule name.
5. Go to your zone > **Security** > **Security rules** > **DDoS protection** tab and select **Create override**. If you cannot deploy any additional overrides, edit an existing override to adjust rule configuration.
6. Select **Browse rules** and paste the rule name in the search field.
7. Change the rule’s **Action** to *Block*.
8. Select **Next** and then select **Save**.

</TabItem> </Tabs>

Once saved, the rule takes effect within one or two minutes. The rule adjustment should provide immediate remedy, which you can view in the [analytics dashboard](/ddos-protection/reference/analytics/).

#### Alternate procedure

If you cannot stop an attack from overloading your origin web server using the above steps, [contact Cloudflare Support](/support/contacting-cloudflare-support/) for assistance, providing the following details:
If you cannot stop an attack from overloading your origin web server using the above steps, [contact Cloudflare Support](/support/contacting-cloudflare-support/) for assistance, providing the following details:

- Time period of the attack (UTC timestamp)
- Domain/path being targeted (zone name/ID)
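Review bot: the Old dashboard and New dashboard tabs in this hunk duplicate the entire eight-step procedure and differ only in step 2 (`**Security** > **Events**` versus `**Security** > **Analytics** > **Events** tab`) and step 5 (`**Security** > **DDoS** ... **Deploy a DDoS override**` versus `**Security** > **Security rules** > **DDoS protection** tab ... **Create override**`); the false-positive section above follows the same pattern, so a shared partial or a tab that wraps only the two differing steps would keep the copies from drifting as the dashboard changes. The `If you cannot stop an attack from overloading your origin web server...` line is also shown as removed and re-added with identical visible text, which suggests a whitespace-only change worth confirming or dropping.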