DDoS protection

Cloudflare DDoS protection automatically detects and mitigates DDoS attacks using the Autonomous Edge. Magic Transit customers get multiple layers of protection, from always-on managed rulesets to advanced systems that you can configure for your specific traffic patterns.

Mitigation layers

DDoS managed rulesets

The network-layer DDoS managed ruleset provides pre-configured rules that detect and mitigate L3/L4 DDoS attacks. The ruleset is always enabled and cannot be turned off. Magic Transit and Spectrum Enterprise customers can customize the ruleset behavior by adjusting the action and sensitivity level for individual rules or groups of rules.

Advanced TCP Protection

Advanced TCP Protection detects and mitigates SYN flood attacks and out-of-state TCP attacks. It uses flowtrackd to learn your normal TCP traffic patterns and identify anomalous flows. You can create rules scoped globally, by region, or by data center, and set each rule to monitoring or mitigation mode.
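The out-of-state detection described above, as an added illustration that is not Cloudflare's flowtrackd or any of its code: a toy Python tracker that admits a TCP packet only when it belongs to a flow whose handshake it observed, with the same monitoring-versus-mitigation distinction. All addresses, ports and traffic are constructed for the example.

```python
from collections import namedtuple
from enum import Enum

class Mode(Enum):
    MONITOR = "monitoring"   # classify only; every packet is still forwarded
    MITIGATE = "mitigation"  # out-of-state packets are dropped

# Constructed packet record; flags: "S" SYN, "SA" SYN-ACK, "A"/"PA" ACK, "FA" FIN-ACK, "R" RST
Pkt = namedtuple("Pkt", "src sport dst dport flags")

class OutOfStateFilter:
    """Toy stateful tracker: a packet is in-state only if it belongs to a flow
    whose handshake was observed. Illustrative model, not flowtrackd."""

    def __init__(self, mode: Mode) -> None:
        self.mode = mode
        self.flows = {}          # direction-independent 4-tuple -> state
        self.out_of_state = 0    # what a rule in monitoring mode would report

    def handle(self, p: Pkt) -> str:
        k = tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))
        st = self.flows.get(k)
        if (st, p.flags) == (None, "S"):
            self.flows[k] = "SYN"
        elif (st, p.flags) == ("SYN", "SA"):
            self.flows[k] = "SYNACK"
        elif st in ("SYNACK", "EST") and p.flags in ("A", "PA"):
            self.flows[k] = "EST"
        elif st in ("SYNACK", "EST") and p.flags in ("FA", "R"):
            del self.flows[k]    # teardown of a flow we saw being set up
        else:
            # No handshake seen for this 4-tuple: ACK/RST/FIN floods land here
            self.out_of_state += 1
            return "drop" if self.mode is Mode.MITIGATE else "pass"
        return "pass"

def run(mode: Mode) -> tuple:
    """Replay constructed traffic (one real handshake, then a 100-packet ACK
    flood from spoofed sources); returns (out_of_state_count, dropped)."""
    f = OutOfStateFilter(mode)
    origin = ("203.0.113.10", 443)                     # constructed origin
    legit = [Pkt("198.51.100.7", 40000, *origin, "S"),
             Pkt(*origin, "198.51.100.7", 40000, "SA"),
             Pkt("198.51.100.7", 40000, *origin, "A")]
    flood = [Pkt(f"192.0.2.{i}", 1024 + i, *origin, "A") for i in range(100)]
    verdicts = [f.handle(p) for p in legit + flood]
    return f.out_of_state, verdicts.count("drop")
```

In monitoring mode the flood is counted but forwarded, which is what you review in analytics before switching a rule to mitigation mode, where the same packets are dropped.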

Advanced DNS Protection

Advanced DNS Protection detects and mitigates DNS-over-UDP DDoS attacks. Like Advanced TCP Protection, it uses flowtrackd to build a traffic profile and identify volumetric DNS anomalies. You can create rules with configurable burst, rate, and profile sensitivity levels.

Programmable Flow Protection

Programmable Flow Protection lets you write custom eBPF programs to inspect UDP payloads at the packet level. It is designed for custom or standardized L7 UDP-based protocols such as gaming, VoIP, financial services, and streaming. Programmable Flow Protection is available as an add-on for Magic Transit customers.

Network Firewall

Cloudflare Network Firewall lets you create custom packet-level firewall rules to filter traffic by protocol, port, IP address, packet length, and other attributes. Network Firewall is included with Magic Transit.

Automatic activation

After the initial monitoring period, review your traffic in Network Analytics to observe what would have been mitigated, then switch your rules from monitoring to mitigation mode. For more information, refer to Advanced DDoS Systems general settings.

Execution order

When traffic enters the Cloudflare network, it passes through mitigation systems in the following order:

  1. DDoS managed rulesets
  2. Advanced TCP Protection
  3. Advanced DNS Protection
  4. Cloudflare Network Firewall

Programmable Flow Protection operates within the Advanced DDoS Protection layer for UDP-based protocols.