DDoS Protection

Cloudflare automatically detects and mitigates DDoS attacks using its Autonomous Edge, which is always-on. Advanced protections are reserved for Magic Transit customers.

OSI Layer	Ruleset / Feature	Example of covered DDoS attack vectors
L3/4	Network-layer DDoS Attack Protection	ACK floods BitTorrent reflection attack Carpet Bombing attacks CHARGEN reflection attacks DNS amplification attack DNS Garbage Flood DNS NXDOMAIN flood DNS Query flood DTLS amplification attacks ESP flood GRE floods ICMP flood attack Jenkins amplification attacks Lantronix reflection attacks mDNS DDoS attacks Memcached amplification attacks Mirai and Mirai-variant L3/4 attacks MSSQL reflection attacks NetBios DDoS attacks Out of state TCP attacks Protocol violation attacks QUIC flood attack Quote of the Day (QOTD) reflection attacks RST flood SIP attacks SNMP flood attack SPSS reflection attacks SSDP reflection attacks SYN floods SYN-ACK reflection attack TeamSpeak 3 floods Ubiquity reflection attacks UDP flood attack VxWorks DDoS attacks For more DNS protection options, refer to Getting additional DNS protection.
L3/4	Advanced TCP Protection 1	Fully randomized and spoofed ACK floods, SYN floods, SYN-ACK reflection attacks, and other sophisticated TCP-based DDoS attacks
L7 (DNS)	Advanced DNS Protection 1	Sophisticated and fully randomized DNS attacks, including Water Torture attacks, Random-prefix attacks, and DNS laundering attacks.
L7 (HTTP/S)	HTTP DDoS Attack Protection	Cache busting attacks Carpet Bombing attacks HTTP Continuation flood HTTP flood attack HTTP/2 MadeYouReset HTTP/2 Rapid Reset HULK attack Known DDoS botnets LOIC attack Mirai and Mirai-variant HTTP attacks Slowloris attack TLS/SSL exhaustion attacks TLS/SSL negotiation attacks WordPress pingback attack

Footnotes

1. Available to Magic Transit customers. ↩ ↩²

Refer to the learning path Prevent DDoS attacks to dive deeper into this subject.