From 7226921d6bf7405759233975bcd74a5feeb4d587 Mon Sep 17 00:00:00 2001 From: Patricia Loraine Santa Ana Date: Mon, 18 Aug 2025 13:46:09 -0700 Subject: [PATCH] faq entry --- .../docs/ddos-protection/about/components.mdx | 6 +++--- .../about/how-ddos-protection-works.mdx | 4 ++-- src/content/docs/ddos-protection/about/index.mdx | 2 +- .../ddos-protection/best-practices/third-party.mdx | 6 +++--- .../ddos-protection/change-log/http/2022-07-06.mdx | 2 +- .../ddos-protection/frequently-asked-questions.mdx | 12 +++++++++++- .../managed-rulesets/adaptive-protection.mdx | 6 +++--- .../http/http-overrides/override-examples.mdx | 12 ++++++------ 8 files changed, 30 insertions(+), 20 deletions(-) diff --git a/src/content/docs/ddos-protection/about/components.mdx b/src/content/docs/ddos-protection/about/components.mdx index 55d5be49cc04f05..75dd946325ea9d9 100644 --- a/src/content/docs/ddos-protection/about/components.mdx +++ b/src/content/docs/ddos-protection/about/components.mdx 
@@ -14,12 +14,12 @@ import { GlossaryTooltip } from "~/components" The Cloudflare Autonomous Edge is powered by the denial-of-service daemon (`dosd`), which is a home-grown software-defined system. The flow tracking daemon, `flowtrackd`, is our stateful mitigation platform alongside `dosd`. A `dosd` instance runs in every single server in every one of [Cloudflare global network's data centers](https://www.cloudflare.com/network/) around the world. These `dosd` instances can detect and mitigate DDoS attacks autonomously without requiring centralized consensus. Cloudflare users can configure this system through [DDoS Attack Protection managed rulesets](/ddos-protection/managed-rulesets/). -Another component of Cloudflare’s Autonomous Edge includes the [Advanced TCP Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/) system. This is Cloudflare's TCP state tracking machine for detecting and mitigating the most randomized and sophisticated TCP-based DDoS attacks in unidirectional routing topologies — such as the case of [Magic Transit](/magic-transit/). Advanced TCP Protection is able to identify the state of a TCP connection and then drops, challenges, or rate-limits packets that do not belong to a legitimate connection. +Another component of Cloudflare's Autonomous Edge includes the [Advanced TCP Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/) system. This is Cloudflare's TCP state tracking machine for detecting and mitigating the most randomized and sophisticated TCP-based DDoS attacks in unidirectional routing topologies — such as the case of [Magic Transit](/magic-transit/). Advanced TCP Protection is able to identify the state of a TCP connection and then drops, challenges, or rate-limits packets that do not belong to a legitimate connection. 
-For more information, refer to our blog post [A deep-dive into Cloudflare’s autonomous edge DDoS protection](https://blog.cloudflare.com/deep-dive-cloudflare-autonomous-edge-ddos-protection/). +For more information, refer to our blog post [A deep-dive into Cloudflare's autonomous edge DDoS protection](https://blog.cloudflare.com/deep-dive-cloudflare-autonomous-edge-ddos-protection/). ## Centralized DDoS protection system -Complementary to the Autonomous Edge, Cloudflare’s entire global network is overwatched by a global version of `dosd`. This component protects Cloudflare’s entire global network by detecting and mitigating globally distributed volumetric DDoS attacks. +Complementary to the Autonomous Edge, Cloudflare's entire global network is overwatched by a global version of `dosd`. This component protects Cloudflare's entire global network by detecting and mitigating globally distributed volumetric DDoS attacks. The centralized systems run in Cloudflare's core data centers. They receive samples from every global network data center, analyze them, and automatically send mitigation instructions when detecting an attack. The system is also synchronized to each of our customers' web servers to identify their health and trigger any required mitigation actions. diff --git a/src/content/docs/ddos-protection/about/how-ddos-protection-works.mdx b/src/content/docs/ddos-protection/about/how-ddos-protection-works.mdx index d15f75f6c38152f..9120bc0828d0e18 100644 --- a/src/content/docs/ddos-protection/about/how-ddos-protection-works.mdx +++ b/src/content/docs/ddos-protection/about/how-ddos-protection-works.mdx 
@@ -11,13 +11,13 @@ learning_center: import { GlossaryTooltip } from "~/components" -To detect and mitigate DDoS attacks, Cloudflare’s autonomous edge and centralized DDoS systems analyze traffic samples out of path, which allows Cloudflare to asynchronously detect DDoS attacks without causing latency or impacting performance. +To detect and mitigate DDoS attacks, Cloudflare's autonomous edge and centralized DDoS systems analyze traffic samples out of path, which allows Cloudflare to asynchronously detect DDoS attacks without causing latency or impacting performance. The analyzed samples include: - **Packet fields** such as the source IP, source port, destination IP, destination port, protocol, TCP flags, sequence number, options, and packet rate. - **HTTP request metadata** such as HTTP headers, user agent, query-string, path, host, HTTP method, HTTP version, TLS cipher version, and request rate. -- **HTTP response metrics** such as error codes returned by customers’ origin servers and their rates. +- **HTTP response metrics** such as error codes returned by customers' origin servers and their rates. Cloudflare uses a set of dynamic rules that scan for attack patterns, known attack tools, suspicious patterns, protocol violations, requests causing large amounts of origin errors, excessive traffic hitting the origin or cache, and additional attack vectors. Each rule has a predefined sensitivity level and default action that varies based on the rule's confidence that the traffic is indeed part of an attack. diff --git a/src/content/docs/ddos-protection/about/index.mdx b/src/content/docs/ddos-protection/about/index.mdx index 22ca6fa72dc6953..26fcc61099ad2d3 100644 --- a/src/content/docs/ddos-protection/about/index.mdx +++ b/src/content/docs/ddos-protection/about/index.mdx 
@@ -13,7 +13,7 @@ import { GlossaryTooltip } from "~/components" Cloudflare provides unmetered and unlimited distributed denial-of-service (DDoS) protection at layers 3, 4, and 7 to all customers on all plans and services. -The protection is enabled by Cloudflare’s [Autonomous DDoS Protection Edge](/ddos-protection/about/components/#autonomous-edge), which automatically detects and mitigates DDoS attacks. +The protection is enabled by Cloudflare's [Autonomous DDoS Protection Edge](/ddos-protection/about/components/#autonomous-edge), which automatically detects and mitigates DDoS attacks. The Autonomous Edge includes multiple dynamic mitigation rules exposed as [managed rulesets](/ddos-protection/managed-rulesets/), which provide comprehensive protection against a variety of DDoS attacks across layers 3/4 and layer 7 of the OSI model. diff --git a/src/content/docs/ddos-protection/best-practices/third-party.mdx b/src/content/docs/ddos-protection/best-practices/third-party.mdx index a8532fdb68ff4c4..7d5bcaaf2ba4901 100644 --- a/src/content/docs/ddos-protection/best-practices/third-party.mdx +++ b/src/content/docs/ddos-protection/best-practices/third-party.mdx 
@@ -32,13 +32,13 @@ If you are using a CDN or proxy in front of Cloudflare, it is recommended that y - `HTTP requests with unusual HTTP headers or URI path (signature #57)` with the rule ID - `Requests coming from known bad sources` with the rule ID -You should change the rule’s action to _Log_ (only available on Enterprise plans) to view the flagged traffic in the [analytics dashboard](/ddos-protection/reference/analytics/). Alternatively, change the rule's **Sensitivity Level** to _Essentially Off_ to prevent the rule from being triggered. +You should change the rule's action to _Log_ (only available on Enterprise plans) to view the flagged traffic in the [analytics dashboard](/ddos-protection/reference/analytics/). Alternatively, change the rule's **Sensitivity Level** to _Essentially Off_ to prevent the rule from being triggered. For more information, refer to [HTTP DDoS Attack Protection managed ruleset: Ruleset configuration](/ddos-protection/managed-rulesets/http/#ruleset-configuration). ## Using VPNs, NATs, and other third-party services -Some Cloudflare Magic Transit customers operate Virtual Private Networks (VPN) so that their remote employees can connect securely to the organization’s services. Additionally, larger organizations have Network Addressing Translation (NAT) systems that manage connections in and out of their network. +Some Cloudflare Magic Transit customers operate Virtual Private Networks (VPN) so that their remote employees can connect securely to the organization's services. Additionally, larger organizations have Network Addressing Translation (NAT) systems that manage connections in and out of their network. Cloudflare Magic Transit customers may also use third-party services such as Zoom, Webex, Microsoft Teams, and others for their internal organization communication. 
Because traffic to Cloudflare will be originating from a limited set of IP addresses belonging to these third-party services, it may appear as if the services are launching a DDoS attack against Cloudflare due to the amount of traffic from limited IP addresses. @@ -51,4 +51,4 @@ If your organization uses VPNs, NATs, or third-party services at high rates of o - Change the **Sensitivity Level** of the relevant rules to a lower level. Changing the level to _Essentially Off_ will prevent the rules from being triggered. Refer to [HTTP DDoS Attack Protection managed ruleset](/ddos-protection/managed-rulesets/http/) and [Network-layer DDoS Attack Protection managed ruleset](/ddos-protection/managed-rulesets/network/) for more information on the available adjustments per ruleset and how to perform them. - Exclude the desired traffic from the Managed DDoS rule using expression filters. You can exclude a combination of source ports, source IP addresses, destination ports, destination IP addresses, and protocol. For more information, refer to [Configure Network-layer DDoS Attack Protection via API](/ddos-protection/managed-rulesets/network/network-overrides/configure-api/). -If you are on an Enterprise plan, you can change a rule’s action to _Log_ to view the flagged traffic in the [analytics dashboard](/ddos-protection/reference/analytics/). After gathering this information, you can later define rule adjustments as previously described. +If you are on an Enterprise plan, you can change a rule's action to _Log_ to view the flagged traffic in the [analytics dashboard](/ddos-protection/reference/analytics/). After gathering this information, you can later define rule adjustments as previously described. diff --git a/src/content/docs/ddos-protection/change-log/http/2022-07-06.mdx b/src/content/docs/ddos-protection/change-log/http/2022-07-06.mdx index 678498ce10e1bd9..418f713e03e8281 100644 --- a/src/content/docs/ddos-protection/change-log/http/2022-07-06.mdx 
+++ b/src/content/docs/ddos-protection/change-log/http/2022-07-06.mdx @@ -27,7 +27,7 @@ sidebar: Added new Location-Aware DDoS Protection for Enterprise accounts that are subscribed to the Advanced DDoS service. Location Aware DDoS - Protection constantly learns a zone’s traffic levels per country and + Protection constantly learns a zone's traffic levels per country and region over time, creates a traffic profile and then flags or mitigates traffic that deviates from the profile. diff --git a/src/content/docs/ddos-protection/frequently-asked-questions.mdx b/src/content/docs/ddos-protection/frequently-asked-questions.mdx index 0f469c7c189248b..ffcd7aec191e434 100644 --- a/src/content/docs/ddos-protection/frequently-asked-questions.mdx +++ b/src/content/docs/ddos-protection/frequently-asked-questions.mdx 
@@ -170,4 +170,14 @@ DDoS managed rules and Advanced DDoS Protection are autonomous and run on every - **DDoS managed rules**: Detects and mitigates DDoS attacks in real-time. When it detects an attack, it deploys rules within seconds to mitigate the malicious traffic. - **Advanced TCP Protection**: Identifies and drops abnormal TCP/IP behavior before it hits application servers. -- **Advanced DNS Protection**: Identifies and drops abnormal DNS queries behavior before it hits DNS servers. \ No newline at end of file +- **Advanced DNS Protection**: Identifies and drops abnormal DNS queries behavior before it hits DNS servers. + +--- + +## What is Advanced TCP Protection's Protected Learning functionality? + +The Protected Learning functionality enables the [Advanced TCP Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/) system to overcome Internet routing chaos while allowing your legitimate traffic through and blocking DDoS attacks at the edge. + +Anycast and BGP are protocols that help route Internet traffic by sending it to the nearest or most optimal data center. Occasional network events—such as a data center being taken offline for maintenance or changes in Internet routing—can cause an established connection to be rerouted to a different data center. + +Cloudflare's flow inference functionality, also known as Protected Learning, is specifically designed to handle this. When a TCP connection, such as a flow, shifts to a new data center, our system observes that it is an existing connection that does not appear in the local flow table. Instead of immediately blocking the flow as an unknown connection that may be part of a DDoS attack, our system uses a proprietary process to verify if the connection is legitimate. It might challenge the acknowledgment (ACK) packets of the flow to ensure it is not part of a DDoS attack. Once the flow passes our checks, we allow it to continue without interruption. 
This ensures that even rare, legitimate shifts in traffic do not break your long-running connections while keeping your network protected against DDoS attacks. diff --git a/src/content/docs/ddos-protection/managed-rulesets/adaptive-protection.mdx b/src/content/docs/ddos-protection/managed-rulesets/adaptive-protection.mdx index f7bf116870d0b91..aa4e27781fc925a 100644 --- a/src/content/docs/ddos-protection/managed-rulesets/adaptive-protection.mdx +++ b/src/content/docs/ddos-protection/managed-rulesets/adaptive-protection.mdx @@ -15,8 +15,8 @@ Adaptive DDoS Protection provides the following types of protection: - **Adaptive DDoS Protection for Origins**: Detects and mitigates traffic that deviates from your site's origin errors profile. - **Adaptive DDoS Protection for User-Agents**: Detects and mitigates traffic that deviates from the top User Agents seen by Cloudflare on the network. The User Agent profile is built from the entire Cloudflare network and not only from the customer's zone. -- **Adaptive DDoS Protection for Locations**: Detects and mitigates traffic that deviates from your site’s geo-distribution profile. The profile is calculated from the rate for every client country and region, using the rates from the past seven days. -- **Adaptive DDoS Protection for Protocols**: Detects and mitigates traffic that deviates from your traffic’s IP protocol profile. The profile is calculated as a global rate for each of your prefixes. +- **Adaptive DDoS Protection for Locations**: Detects and mitigates traffic that deviates from your site's geo-distribution profile. The profile is calculated from the rate for every client country and region, using the rates from the past seven days. +- **Adaptive DDoS Protection for Protocols**: Detects and mitigates traffic that deviates from your traffic's IP protocol profile. The profile is calculated as a global rate for each of your prefixes. ## Availability 
@@ -39,7 +39,7 @@ Cloudflare Adaptive DDoS Protection is available to Enterprise customers accordi Adaptive DDoS Protection creates a traffic profile by looking at the maximum rates of traffic every day, for the past seven days. These profiles are recalculated every day, keeping the seven-day time window. Adaptive DDoS Protection stores the maximal traffic rates seen for every predefined dimension value (the profiling dimension varies for each rule). Every profile uses one dimension, such as the source country of the request, the user agent, and the IP protocol. Incoming traffic that deviates from your profile may be malicious. -To eliminate outliers, rate calculations only consider the 95th percentile rates (discarding the top 5% of the highest rates). Cloudflare requires a minimum amount of requests per second (rps) to build traffic profiles. HTTP Adaptive DDoS Protection rules also take into account Cloudflare’s [Machine Learning (ML) models](/bots/concepts/bot-score/#machine-learning) to identify traffic that is likely automated. +To eliminate outliers, rate calculations only consider the 95th percentile rates (discarding the top 5% of the highest rates). Cloudflare requires a minimum amount of requests per second (rps) to build traffic profiles. HTTP Adaptive DDoS Protection rules also take into account Cloudflare's [Machine Learning (ML) models](/bots/concepts/bot-score/#machine-learning) to identify traffic that is likely automated. Cloudflare may change the logic of these protection rules from time to time to improve them. Any rule changes will appear in the [Managed rulesets changelog](/ddos-protection/change-log/) page. diff --git a/src/content/docs/ddos-protection/managed-rulesets/http/http-overrides/override-examples.mdx b/src/content/docs/ddos-protection/managed-rulesets/http/http-overrides/override-examples.mdx index 3398667947f844f..da3071c2393e263 100644 
--- a/src/content/docs/ddos-protection/managed-rulesets/http/http-overrides/override-examples.mdx +++ b/src/content/docs/ddos-protection/managed-rulesets/http/http-overrides/override-examples.mdx @@ -30,7 +30,7 @@ If you recognize that the traffic flagged by an adaptive rule may be considered A false positive is an incorrect identification. In the case of DDoS protection, there is a false positive when legitimate traffic is mistakenly classified as attack traffic. This can occur when legacy applications, Internet services, or faulty client applications generate legitimate traffic that appears suspicious, has odd traffic patterns, deviates from best practices, or violates protocols. -In these cases, Cloudflare’s DDoS Protection systems may flag that traffic as malicious and apply mitigation actions. If the traffic is in fact legitimate and not part of an attack, the mitigation actions can cause service disruptions and outages to your Internet properties. +In these cases, Cloudflare's DDoS Protection systems may flag that traffic as malicious and apply mitigation actions. If the traffic is in fact legitimate and not part of an attack, the mitigation actions can cause service disruptions and outages to your Internet properties. To remedy a false positive: @@ -51,7 +51,7 @@ To remedy a false positive: 4. Copy the rule name. 5. Go to your zone > **Security** > **DDoS** and select **Deploy a DDoS override**. If you cannot deploy any additional overrides, edit an existing override to adjust rule configuration. 6. Select **Browse rules** and paste the rule name in the search field. -7. Decrease the rule’s **Sensitivity Level** to _Essentially Off_ or change the rule action to _Log_ (if supported by your current plan and subscriptions). +7. Decrease the rule's **Sensitivity Level** to _Essentially Off_ or change the rule action to _Log_ (if supported by your current plan and subscriptions). 8. Select **Next** and then select **Save**. 
@@ -71,7 +71,7 @@ To remedy a false positive: 4. Copy the rule name. 5. Go to your zone > **Security** > **Security rules** > **DDoS protection** tab and select **Create override**. If you cannot deploy any additional overrides, edit an existing override to adjust rule configuration. 6. Select **Browse rules** and paste the rule name in the search field. -7. Decrease the rule’s **Sensitivity Level** to _Essentially Off_ or change the rule action to _Log_ (if supported by your current plan and subscriptions). +7. Decrease the rule's **Sensitivity Level** to _Essentially Off_ or change the rule action to _Log_ (if supported by your current plan and subscriptions). 8. Select **Next** and then select **Save**. @@ -84,7 +84,7 @@ Later, you can change the [sensitivity level](/ddos-protection/managed-rulesets/ :::note[Recommendation: Enable DDoS alerts] -Cloudflare recommends that you create notifications for [DDoS alerts](/ddos-protection/reference/alerts/) to get real-time notifications on detected and mitigated attacks automatically performed by Cloudflare’s systems. When you receive these notifications, you can review if it is in fact a real DDoS attack, or if it is a false positive, and then take action to remedy it. +Cloudflare recommends that you create notifications for [DDoS alerts](/ddos-protection/reference/alerts/) to get real-time notifications on detected and mitigated attacks automatically performed by Cloudflare's systems. When you receive these notifications, you can review if it is in fact a real DDoS attack, or if it is a false positive, and then take action to remedy it. ::: #### Avoid false positives while retaining protection and visibility 
@@ -132,7 +132,7 @@ If you are experiencing a DDoS attack detected by Cloudflare and the applied mit 4. Copy the rule name. 5. Go to your zone > **Security** > **DDoS** and select **Deploy a DDoS override**. If you cannot deploy any additional overrides, edit an existing override to adjust rule configuration. 6. Select **Browse rules** and paste the rule name in the search field. -7. Change the rule’s **Action** to *Block*. +7. Change the rule's **Action** to *Block*. 8. Select **Next** and then select **Save**. @@ -152,7 +152,7 @@ If you are experiencing a DDoS attack detected by Cloudflare and the applied mit 4. Copy the rule name. 5. Go to your zone > **Security** > **Security rules** > **DDoS protection** tab and select **Create override**. If you cannot deploy any additional overrides, edit an existing override to adjust rule configuration. 6. Select **Browse rules** and paste the rule name in the search field. -7. Change the rule’s **Action** to *Block*. +7. Change the rule's **Action** to *Block*. 8. Select **Next** and then select **Save**.
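Review bot: The components.mdx hunk (and the hunks in six sibling files) only replaces the curly apostrophe (’) with a straight one ('), but the subject line reads "faq entry", so the punctuation sweep is invisible in history; consider splitting it into its own commit or extending the message to mention it. In the same hunk the em dash in "routing topologies — such as the case of" is left alone while the apostrophe two words earlier is normalised; if the intent is ASCII-only punctuation, that dash belongs in scope as well.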
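Review bot: In the first third-party.mdx hunk, the rewritten line still expands NAT as "Network Addressing Translation"; since the line is being touched anyway, change it to "Network Address Translation (NAT)", which is the correct expansion.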
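Review bot: In the frequently-asked-questions.mdx hunk, the new heading names the feature "Protected Learning" while the body introduces it as "Cloudflare's flow inference functionality, also known as Protected Learning"; use one primary name in both the heading and the first sentence so the answer matches the question. A few wording points in the same hunk: "Anycast and BGP are protocols" is imprecise, because anycast is an addressing and routing technique rather than a protocol ("Anycast routing and BGP" would be accurate); "When a TCP connection, such as a flow, shifts" reads as if a flow were one kind of connection, so "When a TCP connection (a flow) shifts" is clearer; and the added paragraphs use em dashes ("network events—such as ... routing—can") while the rest of this patch normalises punctuation to ASCII, so commas or parentheses would be consistent. Finally, since the last bullet is rewritten anyway to add the trailing newline, "abnormal DNS queries behavior" could become "abnormal DNS query behavior" in the same change.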