Setup

In order to enable automatic mitigation of random prefix attacks:

1. Set up DNS Firewall.

2. Send a PATCH request to update your DNS Firewall cluster.

   curl --request PATCH "https://api.cloudflare.com/client/v4/accounts/{account_id}/dns_firewall/{cluster_tag}" \
   --header "Authorization: Bearer <API_TOKEN>" \
   --header "Content-Type: application/json" \
   --data '{
     "attack_mitigation": {
       "enabled": true,
       "only_when_upstream_unhealthy": true
     }
   }'

Once you receive a 200 success response from the API, queries identified as being part of a random prefix attack will receive a REFUSED response.

Note

If you do not specify otherwise in your API call, Cloudflare automatically sets the "only_when_upstream_unhealthy" parameter to true, which means that Cloudflare will only mitigate attacks when we detect that the upstream is unresponsive (possibly as a result of an attack). This setting can also be changed via the API, using a request similar to the ones shown above.