
DDoS attack coverage

The DDoS Attack Protection managed rulesets provide protection against a variety of DDoS attacks across L3/4 (layers 3/4) and L7 of the OSI model. Cloudflare constantly updates these managed rulesets to improve the attack coverage, increase the mitigation consistency, cover new and emerging threats, and ensure cost-efficient mitigations.

Advanced TCP Protection, available to Magic Transit customers, provides additional protection against sophisticated TCP-based DDoS attacks.

As a general guideline, Cloudflare customers are protected up to the layer on which their service operates. For example, a WAF customer is protected against DDoS attacks at Layer 7 (HTTP/HTTPS) and at every layer below it, including L3/4 attacks.

The following table includes a sample of covered attack vectors:

| OSI Layer | Ruleset / Feature | Example of covered DDoS attack vectors |
| --- | --- | --- |
| L3/4 | Network-layer DDoS Attack Protection | UDP flood attack; SYN floods; SYN-ACK reflection attack; ACK floods; Mirai and Mirai-variant L3/4 attacks; ICMP flood attack; SNMP flood attack; QUIC flood attack; Out of state TCP attacks; Protocol violation attacks; SIP attacks; ESP flood; DNS amplification attack; DNS Garbage Flood; DNS NXDOMAIN flood; DNS Query flood. For more DNS protection options, refer to Getting additional DNS protection. |
| L3/4 | Advanced TCP Protection [1] | Fully randomized and spoofed ACK floods, SYN floods, SYN-ACK reflection attacks, and other sophisticated TCP-based DDoS attacks |
| L7 (HTTP/HTTPS) | HTTP DDoS Attack Protection | HTTP flood attack; WordPress pingback attack; HULK attack; LOIC attack; Slowloris attack; Mirai and Mirai-variant HTTP attacks |

  1. Available to Magic Transit customers.

Getting additional DNS protection

The Network-layer DDoS Attack Protection managed ruleset provides protection against some types of DNS attacks. For advanced DNS protection, consider the following options:

  • Use Cloudflare as your authoritative DNS provider (primary DNS or secondary DNS).
  • If you are running your own nameservers, use DNS Firewall to get additional protection against DNS attacks like random prefix attacks.