General settings
The Advanced DDoS Protection system includes Advanced TCP Protection and Advanced DNS Protection. Both systems are configured using the general settings, but also comprise of their own dedicated settings.
Advanced DDoS Protection systems is available to Magic Transit customers.
Protection for simpler TCP or DNS-based DDoS attacks is included as part of the Network-layer DDoS Attack Protection managed ruleset.
General settings enable and control the use of the Advanced TCP Protection and the Advanced DNS Protection systems, and are composed of thresholds, prefixes, rules, and enablement.
Thresholds are based on your network's unique traffic and are configured by Cloudflare. The sensitivity levels manipulate the thresholds.
When you get access to Advanced DDoS Protection systems, you are automatically provisioned with default settings in monitoring mode.
Thresholds are based on your network's individual behavior, derived from your traffic profile as monitored by Cloudflare. Defining the thresholds will effectively determine what the High, Medium, and Low sensitivities will be for your specific case.
If needed, you can change the sensitivity levels that will manipulate the thresholds for Advanced TCP Protection and Advanced DNS Protection from the default settings.
Once thresholds are configured, the Advanced DDoS Protection systems have been initialized and enabled in monitoring mode.
Automatic thresholds for Cloudflare's Advanced DDoS Protection system optimizes the detection and mitigation of DDoS attacks by automatically calculating appropriate traffic thresholds for each system for each customer account. This system applies to Advanced TCP Protection (specifically SYN Flood Protection and Out-of-State TCP Flood Protection) and Advanced DNS Protection.
Make sure that you have properly onboarded to the Advanced DDoS Protection system to benefit from automatic thresholds.
The automatic threshold system calculates thresholds every 10 minutes for both new and existing Magic Transit accounts, provided they meet the requirements outlined in the process below.
- The
flowtrackdaccount was created within the past 7 to 10 days. - The account has at least one configured global threshold (rate and burst). This can be a threshold that was automatically provisioned by the system or manually provisioned by Cloudflare.
These checks are performed independently for SYN Flood Protection, Out-of-State TCP Flood Protection, and Advanced DNS Protection. The criteria does not require the presence of any rules to be configured. Accounts initially provisioned by the automatic system will have default thresholds. Otherwise, thresholds may be unconfigured if they are not set by Cloudflare.
After seven days, the system calculates a rate and burst threshold for each of the protection components. The burst threshold is calculated as five times the rate threshold.
Thresholds are applied globally per account and there is no minimum packets-per-second (pps) requirement for threshold calculation.
Thresholds are derived using the 95th percentile (P95) of observed traffic over the preceding seven days:
- SYN Flood Protection: Based on SYN and SYN-ACK traffic.
- Out-of-State TCP Flood Protection: Based on all other TCP flag traffic.
- Advanced DNS Protection: Based on DNS over UDP traffic.
While the calculation typically occurs automatically after seven days, Cloudflare can force an earlier calculation if you want to enable the system in protective mode in advance.
The automatic threshold calculation system does not differentiate between legitimate and attack traffic. If you are onboarded or experience attacks during the seven day observation period, the calculated thresholds may be inaccurate, depending on the attack's size, duration, and frequency relative to legitimate traffic. In such cases, Cloudflare will likely need to trigger a recalculation. Future improvements will allow you to run a recalculation without the assistance of your Cloudflare account team.
You should enable the automatically provisioned rules. Initially, these rules will have default values and operate in Monitor mode. After seven days, once thresholds are calculated, you can use the Network Analytics dashboard to observe what packets would have been dropped or allowed, then safely enable the rules in mitigation mode. Depending on what is observed in the Network Analytics dashboard (for example, legitimate traffic is being flagged in Monitor mode), you may want to change the sensitivity level and continue observation before enabling in mitigation mode. Rules and Filters, where supported, can also be scoped to allow for additional granularity.
Automatic thresholds are calculated only once. Cloudflare can manually trigger a recalculation. Adding, approving, removing, delegating, advertising, or withdrawing prefixes after initial onboarding does not automatically re-trigger the calculation. It is recommended to move the relevant systems to Monitor mode before making changes that impact traffic levels and requesting a recalculation from Cloudflare. Future improvements will take these events into consideration.
Automatically calculated thresholds can be overridden. Cloudflare can help manually define thresholds.
If you are actively under attack and diverting traffic to Cloudflare, the automatic threshold calculation is unlikely to be effective as it will incorporate attack traffic. In these scenarios, Cloudflare will still need to manually configure thresholds. If you are not under attack while diverting traffic, Cloudflare can force a threshold calculation with available data. However, less data, such as fewer days or hours of observation, will result in less accurate thresholds.
Customers currently do not have visibility into the calculated thresholds or an indication of whether thresholds have been configured. Future improvements aim to indicate when thresholds have been configured and when they were last updated.
The auto-threshold calculation component currently runs only in PDX. Therefore, this feature is not compatible if you have enabled Data Localization Services (DLS) and are located outside of the US, such as EU CMB. Future improvements will address this limitation.
The prefixes that you have onboarded to and approved by Cloudflare instruct the system on which traffic to route through the system.
Add the prefixes you would like to use with Advanced TCP and DNS Protection. You will be able to register prefixes that you previously onboarded to Magic Transit or a subset of these prefixes.
You cannot add unapproved prefixes to Advanced DDoS Protection systems. Contact your account team to get help with prefix approvals.
Optionally, you can add prefixes to the allowlist if your traffic should bypass Advanced DDoS Protection rules.
The allowlist only applies to source IPs — it does not apply to your own IPs or prefixes. You can also exclude a subset of an onboarded prefix from Advanced TCP Protection.
Refer to Concepts for more information.
Create a rule for Advanced TCP and Advanced DNS Protection (as needed) to enable mitigation.
You can create a rule for SYN Flood Protection and another rule for Out-of-state TCP Protection, both with global scope and in monitoring mode. These rules will apply to all received packets.
Optionally, you can create filters for each protection system component (SYN flood protection and out-of-state TCP protection).
A filter modifies Advanced TCP Protection's execution mode — monitoring, mitigation (enabled), or disabled — for all incoming packets matching an expression.
Enable the Advanced DDoS system and begin routing traffic through it.
- Log in to the Cloudflare dashboard ↗ and select your account.
- Go to L3/4 DDoS > Advanced Protection > General settings.
- Under General settings, toggle the feature status On.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Directory
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark