DDoS attack coverage
The DDoS Attack Protection Managed Rulesets provide protection against a variety of DDoS attacks across L3/4 (layers 3/4) and L7 of the OSI model. Cloudflare constantly updates these Managed Rulesets to improve the attack coverage, increase the mitigation consistency, cover new and emerging threats, and ensure cost-efficient mitigations.
As a general guideline, Cloudflare customers are protected up to the layer on which their service operates. For example, a WAF customer is protected against DDoS attacks on Layer 7 (HTTP/HTTPS) and on every layer below it, including L3/4 attacks.
The following table includes a sample of covered attack vectors:
| OSI Layer | Ruleset | Example of covered DDoS attack vectors |
|---|---|---|
| L3/4 | Network-layer DDoS Attack Protection | UDP flood attack, SYN floods, SYN-ACK reflection attack, Fully randomized ACK floods, Mirai and Mirai-variant L3/4 attacks, ICMP flood attack, SNMP flood attack, QUIC flood attack, DNS amplification attack, Out of state TCP attacks, Protocol violation attacks, SIP attacks |
| L7 (HTTP/HTTPS) | HTTP DDoS Attack Protection | HTTP flood attack, WordPress pingback attack, HULK attack, LOIC attack, Mirai and Mirai-variant HTTP attacks |