DDoS Protection — L3/L7 Mitigation

DodaTech

Cloudflare's DDoS protection automatically detects and mitigates volumetric and application-layer attacks at the edge, absorbing attack traffic across its global network before it reaches your origin.

What You Will Learn

You will learn how Cloudflare differentiates between L3 (network) and L7 (application) DDoS attacks, how to configure mitigation settings, and how to use the analytics dashboard to monitor attack events.

Why It Matters

DDoS attacks cost businesses an average of $120,000 per incident. Cloudflare's unmetered DDoS protection — available on all plans — absorbs attacks of any size without requiring manual scaling or expensive mitigation appliances.

Real-World Use Case

A gaming server behind Cloudflare receives a 500 Gbps UDP amplification attack. Cloudflare's L3 DDoS protection detects the abnormal packet rate at the edge, drops the malicious traffic within seconds, and only passes clean traffic to the origin. The game server remains online throughout the attack.

How DDoS Protection Works

Cloudflare analyses traffic across all 330+ data centres. When it detects a traffic anomaly — a sudden spike in packets per second, an unusual protocol mix, or an application-layer request flood — it activates mitigation rules automatically.

flowchart LR
  A[Internet Traffic] --> B{Cloudflare Edge}
  B --> C[DDoS Detection Engine]
  C -->|Normal| D[Pass to Origin]
  C -->|L3/L4 Attack| E[Packet Filtering]
  C -->|L7 Attack| F[Rate Limiting + WAF]
  E --> D
  F --> D
  D --> G[Origin Server]

L3/L4 Mitigation Settings

Layer 3 and 4 attacks target network infrastructure with SYN floods, UDP amplification, and ICMP floods. Cloudflare handles these automatically.

Configure sensitivity in Security > DDoS > Layer 3/4:

| Setting | Description |
| --- | --- |
| Mitigation Mode | Automatic or off |
| Sensitivity Level | Low, Medium, High |
| Packet Threshold | Actions trigger above this rate |
| Action | Drop, Rate-limit, or Challenge |

L7 Mitigation Configuration

Layer 7 attacks target the application with HTTP floods and Slowloris attacks. Configure this in Security > DDoS > Layer 7.

curl -X PATCH "https://api.cloudflare.com/client/v4/zones/ZONE_ID/ddos/l7_config" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{
    "visibility": "visible",
    "mode": "automatic"
  }'

Expected output:

{
  "result": {
    "visibility": "visible",
    "mode": "automatic"
  },
  "success": true
}

Python: Monitor DDoS Attack Events

import os
import requests

# Read credentials from the environment so the token never lands in source control.
ZONE_ID = os.environ["CLOUDFLARE_ZONE_ID"]
TOKEN = os.environ["CLOUDFLARE_API_TOKEN"]
URL = f"https://api.cloudflare.com/client/v4/zones/{ZONE_ID}/ddos/events"

headers = {"Authorization": f"Bearer {TOKEN}", "Content-Type": "application/json"}
params = {"limit": 10, "order": "desc"}

# A timeout keeps the monitor from hanging; raise_for_status() surfaces
# authentication and rate-limit errors instead of a confusing KeyError.
resp = requests.get(URL, headers=headers, params=params, timeout=10)
resp.raise_for_status()
events = resp.json().get("result") or []

for event in events:
    print(f"Type: {event['attack_type']}")
    print(f"Start: {event['start_time']}")
    print(f"Peak rate: {event['peak_rate']} pps")
    print(f"Action: {event['action_taken']}")
    print("---")

Expected output:

Type: HTTP Flood
Start: 2026-06-22T14:30:00Z
Peak rate: 1250000 pps
Action: challenge
---
Type: SYN Flood
Start: 2026-06-21T08:15:00Z
Peak rate: 890000 pps
Action: drop
---

Go: Log Attack Events to File

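package main

import (
  "encoding/json"
  "fmt"
  "io"
  "net/http"
  "os"
  "time"
)

// fail reports the error on stderr and exits non-zero so a scheduler notices.
func fail(msg string, err error) {
  fmt.Fprintln(os.Stderr, msg, err)
  os.Exit(1)
}

func main() {
  zoneID := os.Getenv("CLOUDFLARE_ZONE_ID")
  token := os.Getenv("CLOUDFLARE_API_TOKEN")

  url := fmt.Sprintf("https://api.cloudflare.com/client/v4/zones/%s/ddos/events", zoneID)
  req, err := http.NewRequest("GET", url, nil)
  if err != nil {
    fail("Error building request:", err)
  }
  req.Header.Set("Authorization", "Bearer "+token)

  client := &http.Client{Timeout: 10 * time.Second}
  resp, err := client.Do(req)
  if err != nil {
    fail("Error:", err)
  }
  defer resp.Body.Close()
  if resp.StatusCode != http.StatusOK {
    fail("Unexpected status:", fmt.Errorf("%s", resp.Status))
  }

  body, err := io.ReadAll(resp.Body)
  if err != nil {
    fail("Error reading response:", err)
  }

  // Decode only the field we count; a null or missing result is an empty slice.
  var data struct {
    Result []json.RawMessage `json:"result"`
  }
  if err := json.Unmarshal(body, &data); err != nil {
    fail("Error decoding response:", err)
  }

  // Log in UTC so entries from different hosts line up.
  logEntry := fmt.Sprintf("[%s] DDoS events: %d\n",
    time.Now().UTC().Format(time.RFC3339),
    len(data.Result),
  )

  f, err := os.OpenFile("ddos_events.log", os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
  if err != nil {
    fail("Error opening log file:", err)
  }
  defer f.Close()
  if _, err := f.WriteString(logEntry); err != nil {
    fail("Error writing log file:", err)
  }
  fmt.Print(logEntry)
}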

Expected output:

[2026-06-23T10:00:00Z] DDoS events: 3

Rate Limiting Rules for L7 Protection

Create Rate Limiting rules to complement automatic DDoS protection:

curl -X POST "https://api.cloudflare.com/client/v4/zones/ZONE_ID/rate_limits" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{
    "match": {"request": {"url": "example.com/login"}},
    "threshold": 100,
    "period": 60,
    "action": "block",
    "description": "Rate limit login endpoint"
  }'

Common Mistakes

| Mistake | Consequence |
| --- | --- |
| Disabling automatic mitigation | Attacks reach origin directly |
| Setting sensitivity too high | Legitimate traffic gets challenged |
| Not monitoring attack events | No visibility into attack patterns |
| Ignoring Rate Limiting | L7 floods bypass auto-detection |
| No IP whitelist for monitoring | Your own tools get blocked during attacks |
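
Before enforcing the login rate limit shown earlier (100 requests per 60 seconds), it helps to replay an access log against it and see who would be blocked, including your own monitoring tools from the last row of the table. The following is an added example, not code from the original page or from Cloudflare; the log format, the per-IP fixed-window counting, and the names `dry_run` and `sample_log` are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Values taken from the rate limiting rule on this page.
PATH, THRESHOLD, PERIOD = "/login", 100, 60

def dry_run(log_lines, allowlist=frozenset()):
    """Return {client_ip: peak requests in one window} for clients over THRESHOLD.

    Assumption: requests are counted per client IP in fixed PERIOD-second
    windows; the provider's real counting may differ.
    """
    counts = Counter()
    for line in log_lines:
        ts, ip, _method, url = line.split()[:4]
        # Ignore other paths (query string stripped) and allowlisted clients.
        if url.split("?")[0] != PATH or ip in allowlist:
            continue
        epoch = int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())
        counts[(ip, epoch - epoch % PERIOD)] += 1
    peaks = Counter()
    for (ip, _window), n in counts.items():
        peaks[ip] = max(peaks[ip], n)
    return {ip: n for ip, n in peaks.items() if n > THRESHOLD}

def sample_log():
    """Constructed access log: '<ISO time> <client IP> <method> <path>' per line."""
    start = datetime(2026, 6, 22, 14, 30, tzinfo=timezone.utc)
    clients = [  # (ip, method, request count, requests per second)
        ("203.0.113.10", "POST", 150, 5),  # flood against the login form
        ("198.51.100.7", "POST", 3, 1),    # ordinary user
        ("192.0.2.50", "GET", 120, 2),     # own uptime monitor polling /login
    ]
    lines = []
    for ip, method, total, per_sec in clients:
        for i in range(total):
            t = start + timedelta(seconds=i // per_sec)
            lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} {ip} {method} /login")
    return lines

if __name__ == "__main__":
    log = sample_log()
    print("would block:", dry_run(log))
    print("with monitor allowlisted:", dry_run(log, allowlist={"192.0.2.50"}))
```

In the constructed log the uptime monitor exceeds the threshold just like the flooding client, which is the failure the last table row describes; passing its address in `allowlist` removes it from the result.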

Practice Questions

  1. What is the difference between L3 and L7 DDoS attacks?
  2. How does Cloudflare's automatic DDoS protection decide when to start mitigation?
  3. Why should you keep Rate Limiting enabled alongside automatic DDoS protection?

Challenge

Create a Go or Python script that polls the Cloudflare DDoS events API every 5 minutes and sends a webhook notification to Slack when a new attack is detected with a peak rate above 100,000 pps.

Real-World Task

Your e-commerce site is hit by a Layer 7 HTTP flood targeting the checkout endpoint. Configure automatic DDoS mitigation, add a Rate Limiting rule for the checkout URL, and set up monitoring alerts. Verify by reviewing the attack logs in the Cloudflare dashboard.

FAQ

Is DDoS protection included on the free plan?

Yes. Cloudflare provides unmetered L3, L4, and L7 DDoS protection on all plans including Free. There are no bandwidth caps or usage limits for DDoS mitigation. Enterprise plans add dedicated mitigation capacity and priority routing.

Does Cloudflare protect against DNS amplification attacks?

Yes. Cloudflare's DNS infrastructure is designed to absorb large DNS amplification attacks. For authoritative DNS customers, Cloudflare proxies DNS traffic and automatically drops malformed and amplification-style queries at the edge. With Cloudflare as your DNS provider, your origin DNS servers never see the attack traffic.

How do I know if I am under a DDoS attack?

The Cloudflare dashboard under Security > Events shows ongoing attack events with type, duration, peak rate, and action taken. You can also configure email alerts under Notifications to receive real-time DDoS attack warnings. Attack events are logged even when mitigation is automatic.


Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro — security-first tools for the modern web.
