Cloudflare Docs
Ddos-Protection
Cloudflare Docs
DDoS Protection
Search icon (depiction of a magnifying glass)
GitHub icon
Visit DDoS Protection on GitHub
Set theme to dark (⇧+D)

Configure Network-layer DDoS Attack Protection via API

Configure the Cloudflare Network-layer DDoS Attack Protection Managed Ruleset by defining overrides at the account level using the Rulesets API .

Each account has the Network-layer DDoS Attack Protection Managed Ruleset enabled by default. This means that you do not need to deploy the Managed Ruleset to the ddos_l4 phase entry point ruleset explicitly. You only have to create a rule in the phase entry point to deploy the Managed Ruleset if you need to configure overrides.

Configure an override for the Network-layer DDoS Attack Protection Managed Ruleset

You can define overrides at the ruleset, tag, and rule level for all Managed Rulesets.

When configuring the Network-layer DDoS Attack Protection Managed Ruleset, use overrides to define a different action or sensitivity from the default values. For more information on these rule parameters and the allowed values, refer to Managed Ruleset parameters .

Example

The following PUT example creates a new phase ruleset (or updates the existing one) for the ddos_l4 phase at the account level. The request includes several overrides to adjust the default behavior of the Network-layer DDoS Attack Protection Managed Ruleset. These overrides are the following:

  • All rules of the Network-layer DDoS Attack Protection Managed Ruleset will have their sensitivity set to medium.
  • All rules tagged with the tag {tag-name} will have their sensitivity set to low.
  • The rule with ID {rule-id} will use the block action.

The overrides apply to all packets matching the rule expression: ip.dst in { 1.1.1.0/24 }.

curl -X PUT \
-H "X-Auth-Email: user@cloudflare.com" \
-H "X-Auth-Key: REDACTED"
"https://api.cloudflare.com/client/v4/accounts/{account-id}/rulesets/phases/ddos_l4/entrypoint" \
-d '{
  "description": "Define overrides for the Network-layer DDoS Attack Protection Managed Ruleset",
  "rules": [
    {
      "action": "execute",
      "expression": "ip.dst in { 1.1.1.0/24 }",
      "action_parameters": {
        "id": "{network-managed-ruleset-id}",
        "overrides": {
          "sensitivity_level": "medium",
          "categories": [
            {
              "category": "{tag-name}",
              "sensitivity_level": "low"
            }
          ],
          "rules": [
            {
              "id": "{rule-id}",
              "action": "block"
            }
          ]
        }
      }
    }
  ]
}'

The response returns the created (or updated) phase entry point ruleset.

{
  "result": {
    "id": "{root-ruleset-id}",
    "name": "default",
    "description": "Define overrides for the Network-layer DDoS Attack Protection Managed Ruleset",
    "kind": "root",
    "version": "1",
    "rules": [
      {
        "id": "{entrypoint-rule-id}",
        "version": "1",
        "action": "execute",
        "action_parameters": {
          "id": "{network-managed-ruleset-id}",
          "version": "latest",
          "overrides": {
            "categories": [
              {
                "category": "{tag-name}",
                "sensitivity_level": "low"
              }
            ],
            "rules": [
              {
                "id": "{rule-id}",
                "action": "block"
              }
            ],
            "sensitivity_level": "medium"
          }
        },
        "expression": "ip.dst in { 1.1.1.0/24 }",
        "last_updated": "2021-08-16T04:14:47.977741Z",
        "ref": "{overridden-rule-ref}",
        "enabled": true
      }
    ],
    "last_updated": "2021-08-16T04:14:47.977741Z",
    "phase": "ddos_l4"
  }
}

For more information on defining overrides for Managed Rulesets using the Rulesets API, refer to Override a Managed Ruleset .