DDoS Protection
Cloudflare automatically detects and mitigates DDoS attacks using its Autonomous Edge, which is always-on. Advanced
protections are reserved for Magic Transit customers.
OSI Layer | Ruleset / Feature | Example of covered DDoS attack vectors |
---|---|---|
L3/4 | Network-layer DDoS Attack Protection | UDP flood attack, SYN floods, SYN-ACK reflection attack, ACK floods, Mirai and Mirai-variant L3/4 attacks, ICMP flood attack, SNMP flood attack, QUIC flood attack, Out of state TCP attacks, Protocol violation attacks, SIP attacks, ESP flood, DNS amplification attack, DNS Garbage Flood, DNS NXDOMAIN flood, DNS Query flood. For more DNS protection options, refer to Getting additional DNS protection. |
L3/4 | Advanced TCP Protection 1 | Fully randomized and spoofed ACK floods, SYN floods, SYN-ACK reflection attacks, and other sophisticated TCP-based DDoS attacks |
L7 | Advanced DNS Protection 1 | Sophisticated and fully randomized DNS attacks, including random-prefix attacks and DNS laundering attacks |
L7 (HTTP/HTTPS) | HTTP DDoS Attack Protection | HTTP flood attack, WordPress pingback attack, HULK attack, LOIC attack, Slowloris attack, Mirai and Mirai-variant HTTP attacks |
Refer to the learning path Prevent DDoS attacks to dive deeper into this subject.