sFlow DDoS attack rule
An sFlow DDoS attack rule (beta) alerts you when a DDoS attack is detected in your network traffic. Network Flow (formerly Magic Network Monitoring) uses the same DDoS detection rules that protect Cloudflare's global network to identify these attacks.
To use sFlow DDoS attack rules, you must send sFlow data to Cloudflare. You can only configure these rules through the Network Flow Rules API — they are not available in the dashboard.
To send sFlow data to Cloudflare, your router must support sFlow exports. Refer to Supported routers to verify compatibility, and Configure sFlow for setup instructions.
| Field | Description |
|---|---|
| Rule name | Must be unique and cannot contain spaces. Supports characters A-Z, a-z, 0-9, underscore (_), dash (-), period (.), and tilde (~). Maximum of 256 characters. |
| Rule type | advanced_ddos |
| Prefix Match | The field prefix_match determines how IP matches are handled. Subnet (recommended): Automatically advertise if the attacked IPs are within a subnet of a public IP prefix that can be advertised by Magic Transit. Exact: Automatically advertise if the attacked IPs are an exact match with a public IP prefix that can be advertised by Magic Transit. Supernet: Automatically advertise if the attacked IPs are a supernet of a public IP prefix that can be advertised by Magic Transit. |
| Auto-advertisement | If you are a Magic Transit On Demand customer, you can enable this feature to automatically enable Magic Transit if the rule's dynamic threshold is triggered. To learn more, refer to Auto-advertisement. |
| Rule IP prefix | The IP prefix associated with the rule for monitoring traffic volume. Must be a CIDR range such as 160.168.0.1/24. The maximum is 5,000 unique CIDR entries. To learn more and see an example, refer to Rule IP prefixes. |
Refer to the Rules API documentation to review an example API configuration call using CURL and the expected output for a successful response.
You can tune the thresholds of your sFlow DDoS alerts in the dashboard and via the Cloudflare API by following the Network-layer DDoS Attack Protection managed ruleset guide.