Concepts
Prefixes
Advanced TCP Protection protects the IP prefixes you select from sophisticated TCP attacks. A prefix can be an IP address or an IP range in CIDR format. You must add prefixes to Advanced TCP Protection so that Cloudflare can analyze incoming packets and offer protection against sophisticated TCP DDoS attacks.
Prefixes added to Advanced TCP Protection must be one of the following:
- A prefix onboarded to Magic Transit.
- A subset of a prefix onboarded to Magic Transit.
You cannot add a prefix (or a subset of a prefix) that you have not onboarded to Magic Transit or whose status is still Unapproved. Contact your account team to get help with prefix approvals.
Allowlist
The Advanced TCP Protection allowlist is a list of prefixes that will bypass all configured Advanced TCP Protection rules.
For example, you could add prefixes used only by partners of your company to the allowlist so that they are exempt from packet inspection and mitigation actions performed by Advanced TCP Protection.
Rule
A rule allows you to configure Advanced TCP Protection for a given scope, defining several settings: execution mode, burst sensitivity, and rate sensitivity.
Each Advanced TCP Protection type (SYN flood protection and out-of-state TCP protection) has its own list of rules.
Filter
A filter allows you to modify Advanced TCP Protection’s execution mode — monitoring, mitigation (enabled), or disabled — for all incoming packets matching an expression. The expression can reference source and destination IP addresses and ports.
Each Advanced TCP Protection type (SYN flood protection and out-of-state TCP protection) has its own list of filters.
Determining the execution mode
When you have both rules and filters configured, the execution mode is determined according to the following:
- If there is a match for one of the configured filters, use the filter’s execution mode. Filters are evaluated in order of their mode, in the following order:
  - Filters with enabled mode
  - Filters with monitoring mode
  - Filters with disabled mode
- If no filter matched, use the execution mode determined by existing rules.
- If no rules match, disable Advanced TCP Protection.
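The precedence described above (allowlist bypass, then filters ordered by mode rather than by list position, then rules, then disabled) as a small worked resolver. This is an added example, not Cloudflare's own code; the rule `scope` field, matching the allowlist on the packet's source address, and letting a prefix-scoped rule beat a global one are assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Filter evaluation order from the page: enabled, then monitoring, then disabled.
MODE_ORDER = {"enabled": 0, "monitoring": 1, "disabled": 2}

@dataclass
class Filter:
    mode: str                        # "enabled", "monitoring" or "disabled"
    src: Optional[str] = None        # source prefix (CIDR) in the expression, if any
    dst: Optional[str] = None        # destination prefix (CIDR), if any
    dst_port: Optional[int] = None   # destination port, if any

@dataclass
class Rule:
    mode: str
    scope: Optional[str] = None      # assumption: destination prefix; None = all prefixes

def in_prefix(ip: str, cidr: Optional[str]) -> bool:
    """True when cidr is unset (no constraint) or ip falls inside it."""
    return cidr is None or ip_address(ip) in ip_network(cidr, strict=False)

def filter_matches(f: Filter, src: str, dst: str, dst_port: int) -> bool:
    return (in_prefix(src, f.src) and in_prefix(dst, f.dst)
            and (f.dst_port is None or f.dst_port == dst_port))

def effective_mode(src: str, dst: str, dst_port: int, allowlist: List[str],
                   filters: List[Filter], rules: List[Rule]) -> str:
    # Allowlisted prefixes bypass every configured rule (assumption: matched on source).
    if any(in_prefix(src, p) for p in allowlist):
        return "bypass"
    # Filters win over rules; among matching filters the mode order decides, not list order.
    for f in sorted(filters, key=lambda f: MODE_ORDER[f.mode]):
        if filter_matches(f, src, dst, dst_port):
            return f.mode
    # Rules: assumption that a prefix-scoped rule takes precedence over a global one.
    for r in sorted(rules, key=lambda r: r.scope is None):
        if in_prefix(dst, r.scope):
            return r.mode
    # No filter and no rule matched: protection is disabled for this packet.
    return "disabled"

# Constructed sample configuration (documentation prefixes, not from the page).
ALLOWLIST = ["203.0.113.0/24"]
FILTERS = [Filter("monitoring", dst="198.51.100.0/24"),
           Filter("enabled", dst="198.51.100.0/24", dst_port=443)]
RULES = [Rule("monitoring"), Rule("enabled", scope="198.51.100.0/24")]

if __name__ == "__main__":
    print(effective_mode("192.0.2.10", "198.51.100.5", 443, ALLOWLIST, FILTERS, RULES))
```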