DDoS attack coverage
The DDoS Attack Protection Managed Rulesets provide protection against a variety of DDoS attacks across L3/4 (layers 3/4) and L7 of the OSI model. Cloudflare constantly updates these Managed Rulesets to improve the attack coverage, increase the mitigation consistency, cover new and emerging threats, and ensure cost-efficient mitigations.
As a general guideline, Cloudflare customers are protected up to the layer on which their service operates. For example, a WAF customer is protected against DDoS attacks on Layer 7 (HTTP/HTTPS) all the way down including L3/4 attacks.
The following table includes a sample of covered attack vectors:
| OSI Layer | Ruleset | Example of covered DDoS attack vectors |
|---|---|---|
| L3/4 | Network-layer DDoS Attack Protection | UDP flood attack SYN floods SYN-ACK reflection attack ACK floods Mirai and Mirai-variant L3/4 attacks ICMP flood attack SNMP flood attack QUIC flood attack DNS amplification attack Out of state TCP attacks Protocol violation attacks DNS amplification attack SIP attacks DNS Garbage Flood DNS NXDOMAIN flood DNS Query flood ESP flood |
| L3/4 | Advanced TCP Protection | Fully randomized and spoofed ACK floods, SYN floods, SYN-ACK reflection attacks, and other sophisticated TCP-based DDoS attacks |
| L7 (HTTP/HTTPS) | HTTP DDoS Attack Protection | HTTP flood attack WordPress pingback attack HULK attack LOIC attack Mirai and Mirai-variant HTTP attacks |