Cloudflare Docs
Ddos-Protection
Cloudflare Docs
DDoS Protection
Search icon (depiction of a magnifying glass)
GitHub icon
Visit DDoS Protection on GitHub
Set theme to dark (⇧+D)

Handle a false positive

A false positive is an incorrect identification. In the case of DDoS protection, there is a false positive when legitimate traffic is mistakenly classified as attack traffic. This can occur when legacy applications, Internet services, or faulty client applications generate legitimate traffic that appears suspicious, has odd traffic patterns, deviates from best practices, or violates protocols.

In these cases, Cloudflare’s DDoS Protection systems may flag that traffic as malicious and apply mitigation actions. If the traffic is in fact legitimate and not part of an attack, the mitigation actions can cause service disruptions and outages to your Internet properties.

To remedy a false positive:

  1. Log in to the Cloudflare dashboard and select your account.

  2. Navigate to the analytics dashboard and apply filters to the displayed data.

    For WAF/CDN customers

    1. Select the zone that is experiencing DDoS attack false positives.

    1. Navigate to Security > Overview.

    2. Click Add filter and filter by Service equals HTTP DDoS.

    For Magic Transit and Spectrum customers

    1. In the account home page, open Network Analytics.

    2. Identify the legitimate traffic that is causing the false positives. Use the Attack ID number included in the DDoS alert (if you received one), or apply dashboard filters such as destination IP address and port.

  3. Scroll down to the Activity log.

  4. Click Edit columns and enable Rule ID*.

  5. Copy the rule ID from one of the DDoS log entries.

  6. Navigate to Security > DDoS and click Configure next to the Managed Ruleset containing the rule you will adjust.

  7. Click Browse rules and paste the Rule ID in the search field.

  8. Decrease the rule’s Sensitivity Level to Essentially Off or change the action of the rule to Log.

  9. Click Next and then Save.

* Not available in Network Analytics dashboard yet.

Once saved, the rule takes effect within one or two minutes. The rule adjustment should provide immediate remedy, which you can view in the analytics dashboard .

Updating the adjusted rules at a later date

Later, you can change the sensitivity level of the rule causing the false positives to avoid future issues, and change the rule action back to its default value.