
HTTP DDoS Attack Protection

The Cloudflare HTTP DDoS Attack Protection managed ruleset is a set of pre-configured rules used to match known DDoS attack vectors at layer 7 (application layer) on the Cloudflare global network. The rules match known attack patterns and tools, suspicious patterns, protocol violations, requests causing large amounts of origin errors, excessive traffic hitting the origin/cache, and additional attack vectors at the application layer.

Cloudflare updates the list of rules in the managed ruleset on a regular basis. Refer to the changelog for more information on recent and upcoming changes.

The HTTP DDoS Attack Protection managed ruleset is always enabled — you can only customize its behavior.

The HTTP DDoS Attack Protection managed ruleset provides users with increased observability into L7 DDoS attacks mitigated by Cloudflare, informing users of ongoing or past attacks. The Security Events dashboard, available at Security > Events, will display information about the top HTTP DDoS managed rules.

Ruleset configuration

If you are expecting large spikes of legitimate traffic, consider customizing your DDoS protection settings to avoid false positives, where legitimate traffic is falsely identified as attack traffic and blocked/challenged.

You can adjust the behavior of the rules in the managed ruleset by modifying the following parameters:

  • The performed action when an attack is detected.
  • The sensitivity level of attack detection mechanisms.

To adjust rule behavior, customize the managed ruleset in the Cloudflare dashboard or via the Rulesets API.

For more information on the available configuration parameters, refer to Managed ruleset parameters.
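The two parameters above are expressed through the Rulesets API as an "execute" rule in the zone's HTTP DDoS phase entrypoint, with a ruleset-wide override and optional per-rule overrides. The following is an added example, not Cloudflare's own code or tooling: it builds that request body for a planned traffic spike (lower sensitivity overall, log-only for the Origin Protect rule from this page) and enforces the plan limits described on this page (one override with expression "true" unless the zone has Advanced DDoS Protection). The managed ruleset ID, the phase name "ddos_l7", the sensitivity_level values and the action names are assumptions to verify against the Cloudflare API reference before use; the environment variable names are also made up for the example.

```python
"""Build (and optionally send) a Rulesets API override for the HTTP DDoS
managed ruleset.

Added example, not Cloudflare's own code. Assumed (verify against the API
reference): the managed ruleset ID, the phase name, the sensitivity_level
values and the set of allowed actions. The Origin Protect rule ID is the
one listed on this page.
"""
import json
import os
import urllib.request

HTTP_DDOS_RULESET_ID = "4d21379b4f9f4bb088e0729962c8b3cf"   # assumed managed ruleset ID
ORIGIN_PROTECT_RULE_ID = "dd42da7baabe4e518eaf11c393596a9d"  # from the page
PHASE = "ddos_l7"                                            # assumed phase name

SENSITIVITY_LEVELS = {"default", "medium", "low", "eoff"}    # assumed API values
ACTIONS = {"block", "managed_challenge", "js_challenge", "challenge", "log"}  # assumed


def override_rule(rule_id, sensitivity_level=None, action=None):
    """One per-rule override entry; rejects values outside the assumed enums."""
    entry = {"id": rule_id}
    if sensitivity_level is not None:
        if sensitivity_level not in SENSITIVITY_LEVELS:
            raise ValueError(f"bad sensitivity_level {sensitivity_level!r}")
        entry["sensitivity_level"] = sensitivity_level
    if action is not None:
        if action not in ACTIONS:
            raise ValueError(f"bad action {action!r}")
        entry["action"] = action
    return entry


def execute_rule(expression="true", sensitivity_level=None, action=None,
                 rule_overrides=(), description=""):
    """An 'execute' rule that runs the managed ruleset with overrides."""
    overrides = {}
    if sensitivity_level is not None:
        if sensitivity_level not in SENSITIVITY_LEVELS:
            raise ValueError(f"bad sensitivity_level {sensitivity_level!r}")
        overrides["sensitivity_level"] = sensitivity_level
    if action is not None:
        if action not in ACTIONS:
            raise ValueError(f"bad action {action!r}")
        overrides["action"] = action
    if rule_overrides:
        overrides["rules"] = list(rule_overrides)
    return {
        "action": "execute",
        "expression": expression,
        "description": description,
        "action_parameters": {"id": HTTP_DDOS_RULESET_ID, "overrides": overrides},
    }


def entrypoint_payload(rules, advanced_ddos=False):
    """Body for PUT .../rulesets/phases/{PHASE}/entrypoint.

    Enforces the limits stated on the page: without Advanced DDoS Protection
    a zone gets a single override and cannot customize its expression.
    """
    limit = 10 if advanced_ddos else 1
    if len(rules) > limit:
        raise ValueError(f"at most {limit} override rule(s) allowed for this plan")
    if not advanced_ddos and any(r["expression"] != "true" for r in rules):
        raise ValueError("custom expressions require Enterprise with Advanced DDoS Protection")
    return {"rules": rules}


def put_entrypoint(zone_id, token, payload):
    """Send the payload with a Bearer API token; returns the decoded response."""
    url = (f"https://api.cloudflare.com/client/v4/zones/{zone_id}"
           f"/rulesets/phases/{PHASE}/entrypoint")
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="PUT",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Launch-day window: lower sensitivity overall, and only log on the
    # Origin Protect rule instead of mitigating. Revert when the window ends.
    rule = execute_rule(
        sensitivity_level="low",
        rule_overrides=[override_rule(ORIGIN_PROTECT_RULE_ID,
                                      sensitivity_level="low", action="log")],
        description="Launch day: reduced sensitivity, log-only Origin Protect",
    )
    payload = entrypoint_payload([rule])
    print(json.dumps(payload, indent=2))
    zone, token = os.environ.get("CF_ZONE_ID"), os.environ.get("CF_API_TOKEN")  # assumed names
    if zone and token:
        print(put_entrypoint(zone, token, payload))
```

Without the environment variables set the script only prints the payload, which is the safe way to review an override before applying it. Treat a lowered sensitivity or a log-only action as a time-boxed change: it widens what an attacker can push to the origin for as long as it stays in place.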

Origin Protect rules

Cloudflare HTTP DDoS Protection can also initiate mitigation based on the origin health. Floods of requests that cause a high number of zone errors (default sensitivity level is 1,000 errors per second) can initiate mitigation to alleviate the strain on the zone.

Rule ID:      dd42da7baabe4e518eaf11c393596a9d
Description:  HTTP requests causing a high number of origin errors.

The rule is adaptive for zones on the Pro, Business, or Enterprise plan. It performs an additional check for better detection accuracy: the errors-per-second rate must also be at least five times the zone's normal level. This second condition prevents mitigation from triggering on zones where a high error rate is the norm rather than a sign of an attack.

All HTTP errors in the 52x range (the Cloudflare-generated origin error codes) and all errors in the 53x range excluding 530 are considered when factoring in the error rate. Other 5xx responses returned by the origin itself, such as 500 or 503, do not count toward this rule.
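To see what the two conditions above mean in practice, the following added example (not Cloudflare's code, and not a description of how Cloudflare's detection is implemented internally) replays the rule's logic over a constructed request log: it counts only the status codes the page says qualify, buckets them per second, and applies the 1,000 errors-per-second default together with the adaptive five-times-normal check. The log format, the way "normal" is derived (mean error rate over the first ten seconds of the sample) and the traffic numbers are assumptions made for the illustration.

```python
"""Origin Protect style detection over a constructed request log.

Added example, not Cloudflare's code. Models the rule described on the page:
>= 1,000 qualifying origin errors per second by default, plus, on adaptive
(Pro/Business/Enterprise) zones, >= 5x the zone's normal error rate.
"""
from collections import Counter

DEFAULT_THRESHOLD_EPS = 1000   # default sensitivity level from the page
ADAPTIVE_MULTIPLIER = 5        # adaptive check: rate must also be >= 5x normal


def counts_as_origin_error(status: int) -> bool:
    """52x codes and 53x codes except 530 count toward the error rate."""
    decade = status // 10
    return decade == 52 or (decade == 53 and status != 530)


def errors_per_second(lines):
    """Count qualifying errors per one-second bucket.

    Constructed log format (assumed): '<epoch_seconds> <status> <path>'.
    """
    buckets = Counter()
    for line in lines:
        ts, status, _path = line.split(maxsplit=2)
        if counts_as_origin_error(int(status)):
            buckets[int(ts)] += 1
    return buckets


def should_mitigate(eps, baseline_eps, adaptive, threshold=DEFAULT_THRESHOLD_EPS):
    """Absolute threshold first; the 5x-baseline check only on adaptive zones."""
    if eps < threshold:
        return False
    if adaptive and eps < ADAPTIVE_MULTIPLIER * baseline_eps:
        return False
    return True


def detect(lines, adaptive, baseline_seconds=10):
    """Return the seconds at which the rule would trigger.

    Baseline = mean qualifying error rate over the first `baseline_seconds`
    of the log. That is an assumption for the example; the page does not say
    how Cloudflare learns a zone's normal level.
    """
    if not lines:
        return []
    buckets = errors_per_second(lines)
    first = min(int(line.split(maxsplit=1)[0]) for line in lines)
    baseline = sum(buckets[first + s] for s in range(baseline_seconds)) / baseline_seconds
    return sorted(sec for sec, eps in buckets.items()
                  if sec >= first + baseline_seconds
                  and should_mitigate(eps, baseline, adaptive))


def constructed_log(flood_eps):
    """Constructed sample: 10 s of a noisy but normal zone, then a 3 s flood."""
    lines, t0 = [], 1_700_000_000
    for s in range(10):
        ts = t0 + s
        lines += [f"{ts} 200 /"] * 50
        lines += [f"{ts} 522 /api"] * 250   # counts: this zone normally serves 250/s
        lines += [f"{ts} 530 /"] * 30       # excluded by the rule
    for s in range(10, 13):
        ts = t0 + s
        lines += [f"{ts} 524 /search"] * flood_eps
        lines += [f"{ts} 500 /"] * 200      # plain 500s from the origin do not count
    return lines


if __name__ == "__main__":
    for flood in (1100, 1300):
        log = constructed_log(flood)
        print(f"flood={flood}/s  non-adaptive: {detect(log, adaptive=False)}"
              f"  adaptive: {detect(log, adaptive=True)}")
```

With a baseline of 250 errors per second, a flood of 1,100 per second clears the default 1,000 threshold but not the adaptive 5x bar (1,250), so a Free zone would mitigate and a Pro or higher zone would not; a 1,300 per second flood triggers on both. The 530 and 500 responses in the sample are deliberately there to show that they never enter the count.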

Availability

The HTTP DDoS Attack Protection managed ruleset protects Cloudflare customers on all plans for zones onboarded to Cloudflare. All customers can customize the ruleset both at the zone level and at the account level.

Customers on Enterprise plans with the Advanced DDoS Protection subscription can create up to 10 overrides (or up to 10 rules, for API users) with custom expressions, to customize the DDoS protection for different incoming requests.

Other customers can only create one override (or rule) and they cannot customize the rule expression. In this case, the single override, containing one or more configurations, will always apply to all incoming traffic.

To block additional L7 attacks, you can use other Cloudflare products such as the Cloudflare WAF.