Commit ee7e635

ddos updates (cloudflare#17149)
1 parent e61fa19 commit ee7e635

5 files changed

+43
-3
lines changed

src/content/docs/ddos-protection/about/how-ddos-protection-works.mdx

Lines changed: 26 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -16,8 +16,34 @@ The analyzed samples include:
1616
- **HTTP request metadata** such as HTTP headers, user agent, query-string, path, host, HTTP method, HTTP version, TLS cipher version, and request rate.
1717
- **HTTP response metrics** such as error codes returned by customers’ origin servers and their rates.
1818

19+
Cloudflare uses a set of dynamic rules that scan for attack patterns, known attack tools, suspicious patterns, protocol violations, requests causing large amounts of origin errors, excessive traffic hitting the origin or cache, and additional attack vectors. Each rule has a predefined sensitivity level and default action that varies based on the rule's confidence that the traffic is indeed part of an attack.
20+
21+
:::note
22+
23+
You can set an override expression for the [HTTP DDoS Attack Protection](/ddos-protection/managed-rulesets/http/override-expressions/) or [Network-layer DDoS Attack Protection](/ddos-protection/managed-rulesets/network/override-expressions/) managed ruleset to define a specific scope for sensitivity level or action adjustments.
24+
:::
25+
1926
Once attack traffic matches a rule, Cloudflare's systems will track that traffic and generate a real-time signature to surgically match against the attack pattern and mitigate the attack without impacting legitimate traffic. The rules are able to generate different signatures based on various properties of the attacks and the signal strength of each attribute. For example, if the attack is distributed — that is, originating from many source IPs — then the source IP field will not serve as a strong indicator, and the rule will not choose the source IP field as part of the attack signature. Once generated, the fingerprint is propagated as a mitigation rule to the most optimal location on the Cloudflare global network for cost-efficient mitigation. These mitigation rules are ephemeral and will expire shortly after the attack has ended, which happens when no additional traffic has been matched to the rule.
2027

28+
| Actions | Description |
29+
| --- | --- |
30+
| Block | Matching requests are denied access to the site. |
31+
| Interactive Challenge | The client that made the request must pass an interactive Challenge. |
32+
| Managed Challenge | Depending on the characteristics of a request, Cloudflare will choose an appropriate type of challenge. |
33+
| Log | Records matching requests in the Cloudflare Logs. |
34+
| Use rule defaults | Uses the default action that is pre-defined for each rule. |
35+
36+
:::note
37+
38+
DDoS attack traffic is automatically excluded from billing systems.
39+
:::
40+
41+
## Time to mitigate
42+
43+
- Immediate mitigation for Advanced TCP and DNS Protection systems.
44+
- Up to three seconds on average for the detection and mitigation of L3/4 DDoS attacks at the edge using the Network-layer DDoS Protection Managed rules.
45+
- Up to 15 seconds on average for the detection and mitigation of HTTP DDoS attacks at the edge using the HTTP DDoS Protection Managed rules.
46+
2147
## Data localization
2248

2349
To learn more about how DDoS protection works with data localization, refer to the Data Localization Suite [product compatibility](/data-localization/compatibility/).
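Review bot: the actions table (the `| Actions | Description |` header through the `Use rule defaults` row) labels its first column "Actions" while the second is singular "Description"; rename it to "Action". The billing note that follows ("DDoS attack traffic is automatically excluded from billing systems.") gives no scope: say which billing it refers to and whether it covers traffic that was challenged or only logged rather than blocked, or link the page that defines the exclusion. In the "Time to mitigate" list, the three-second and 15-second bullets say "on average" while the first says "Immediate"; state what the averages are measured from (attack start or detection) so the three bullets are comparable.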

src/content/docs/ddos-protection/managed-rulesets/http/configure-api.mdx

Lines changed: 1 addition & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -37,9 +37,7 @@ You can create overrides at the zone level and at the account level. Account-lev
3737
Only available to Enterprise customers with the Advanced DDoS Protection subscription, which can create up to 10 rules.
3838
:::
3939

40-
Create multiple rules in the `ddos_l7` phase entry point ruleset to define different overrides for different sets of incoming requests. Set each rule expression according to the traffic whose HTTP DDoS protection you wish to customize.
41-
42-
Rules in the phase entry point ruleset, where you create overrides, are evaluated in order until there is a match for a rule expression and sensitivity level, and Cloudflare will apply the first rule that matches the request. Therefore, the rule order in the entry point ruleset is very important.
40+
<Render file="managed-rulesets/evaluation-behavior" />
4341

4442
## Example API calls
4543
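Review bot: the two removed paragraphs are replaced by `<Render file="managed-rulesets/evaluation-behavior" />`, so no text is lost only if that path resolves to the new partial; the new partial's path is not shown in this rendering, so confirm it sits beside the existing `src/content/partials/ddos-protection/managed-rulesets/sensitivity-level-reference.mdx`, otherwise this page will fail to build. Nothing else in the hunk changes, so the Enterprise note above it still leads directly into the partial's first sentence.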

src/content/docs/ddos-protection/managed-rulesets/http/configure-dashboard.mdx

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -22,6 +22,8 @@ If you are an Enterprise customer with the Advanced DDoS Protection subscription
2222
If you cannot deploy any additional overrides, consider editing an existing override to adjust rule configuration.
2323
:::
2424

25+
<Render file="managed-rulesets/evaluation-behavior" />
26+
2527
## Create a DDoS override
2628

2729
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and website.
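Review bot: the partial rendered here is written in API terms (`ddos_l7` phase entry point ruleset, rule expression), but this page walks the reader through the dashboard, where the phase name never appears; either word the partial so it reads on both surfaces (for example, "overrides are evaluated in order and the first matching override is applied") or keep dashboard wording here and render only the ordering sentence.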
Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,10 @@
1+
---
2+
{}
3+
4+
---
5+
6+
import { Markdown } from "~/components"
7+
8+
Create multiple rules in the `ddos_l7` phase entry point ruleset to define different overrides for different sets of incoming requests. Set each rule expression according to the traffic whose HTTP DDoS protection you wish to customize.
9+
10+
Rules in the phase entry point ruleset, where you create overrides, are evaluated in order until there is a match for a rule expression and sensitivity level, and Cloudflare will apply the first rule that matches the request. Therefore, the rule order in the entry point ruleset is very important.
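Review bot: `import { Markdown } from "~/components"` is unused; the partial body is plain Markdown and never renders a `<Markdown>` component, so drop the import (the empty `{}` frontmatter is sufficient). The phrase "until there is a match for a rule expression and sensitivity level" is also unclear: a request matches an override's expression, and the sensitivity level is what that override then applies, not something matched; consider "evaluated in order until a rule expression matches, and Cloudflare applies that rule's sensitivity level and action".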

src/content/partials/ddos-protection/managed-rulesets/sensitivity-level-reference.mdx

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -19,3 +19,7 @@ The available sensitivity levels are:
1919
The default sensitivity level is *High*.
2020

2121
In most cases, when you select the *Essentially Off* sensitivity level the rule will not trigger for any of the selected actions, including *Log*. However, if the attack is extremely large, Cloudflare's protection systems will still trigger the rule's mitigation action to protect Cloudflare's network.
22+
23+
*Essentially Off* means that we have set an exceptionally low sensitivity level so in most cases traffic will not be mitigated for you. However, attack traffic will be mitigated at exceptional levels to ensure the safety and stability of the Cloudflare network.
24+
25+
**Log** means that requests will not be mitigated but only logged and shown on the dashboard. However, attack traffic will be mitigated at exceptional levels to ensure the safety and stability of the Cloudflare network.
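Review bot: the new *Essentially Off* paragraph restates the paragraph directly above it (the rule does not trigger in most cases, except for extremely large attacks), and the new **Log** paragraph describes an action rather than a sensitivity level in a file named `sensitivity-level-reference`; merge the two Essentially Off paragraphs into one and move the Log sentence to wherever actions are described, keeping the existing "including *Log*" clause here. Formatting is also mixed: *Essentially Off* is italic like *High* above, but **Log** is bold; use italics for both to match the file. "mitigated at exceptional levels" is vaguer than the existing "if the attack is extremely large"; prefer the existing wording.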
