Cloudflare Docs
DDoS Protection

Concepts

Prefixes

Advanced TCP Protection protects the IP prefixes you select from sophisticated TCP attacks. A prefix can be an IP address or an IP range in CIDR format. You must add prefixes to Advanced TCP Protection so that Cloudflare can analyze incoming packets and offer protection against sophisticated TCP DDoS attacks.

Prefixes added to Advanced TCP Protection must be one of the following:

You cannot add a prefix (or a subset of a prefix) that you have not onboarded to Magic Transit or whose status is still Unapproved. Contact your account team to get help with prefix approvals.

Allowlist

The Advanced TCP Protection allowlist is a list of prefixes that will bypass all configured Advanced TCP Protection rules.

For example, you could add prefixes used only by partners of your company to the allowlist so that they are exempt from packet inspection and mitigation actions performed by Advanced TCP Protection.

Rule

A rule allows you to configure Advanced TCP Protection for a given scope, defining several settings: execution mode, burst sensitivity, and rate sensitivity.

Each advanced TCP protection type (SYN flood protection and out-of-state TCP protection) has its own list of rules.

Filter

A filter allows you to modify Advanced TCP Protection’s execution mode — monitoring, mitigation (enabled), or disabled — for all incoming packets matching an expression. The expression can reference source and destination IP addresses and ports.

Each type of advanced TCP protection (SYN flood protection and out-of-state TCP protection) has its own list of filters.

Determining the execution mode

When you have both rules and filters configured, the execution mode is determined according to the following:

  1. If one of the configured filters matches, use that filter’s execution mode. Filters are evaluated in order of their mode, regardless of the order in which they were created:
    1. Filter with enabled mode
    2. Filter with monitoring mode
    3. Filter with disabled mode
  2. If no filter matched, use the execution mode determined by existing rules.
  3. If no rules match, disable Advanced TCP Protection.