DDoS Protection — L3/L7 Mitigation
Cloudflare's DDoS protection automatically detects and mitigates volumetric and application-layer attacks at the edge, absorbing attack traffic across its global network before it reaches your origin.
What You Will Learn
You will learn how Cloudflare differentiates between L3 (network) and L7 (application) DDoS attacks, how to configure mitigation settings, and how to use the analytics dashboard to monitor attack events.
Why It Matters
Industry surveys have put the average cost of a DDoS incident at roughly $120,000, before counting reputational damage. Cloudflare's unmetered DDoS protection, available on all plans including the free one, absorbs attacks of any size without manual scaling or on-premises mitigation appliances; the attack is dropped at the edge, so it never consumes your bandwidth.
Real-World Use Case
A game server fronted by Cloudflare Spectrum (the standard HTTP proxy does not carry game UDP traffic) receives a 500 Gbps UDP amplification attack. Cloudflare's L3/4 DDoS protection detects the abnormal packet rate at the edge, drops the attack packets within seconds, and forwards only clean traffic to the origin. The game server stays online throughout the attack and, provided its origin IP is not exposed anywhere else, the attacker cannot route around the edge.
How DDoS Protection Works
Cloudflare analyses traffic in each of its 330+ data centres. When a data centre sees an anomaly, a sudden spike in packets per second, an unusual protocol mix, or an application-layer request flood, it generates a mitigation rule for that pattern automatically, with no human in the loop, and withdraws the rule once traffic returns to normal. Detection is signature and rate based: a suspicious pattern triggers mitigation only when it exceeds a rate threshold, and the sensitivity settings described below move that threshold.
flowchart LR
A[Internet Traffic] --> B{Cloudflare Edge}
B --> C[DDoS Detection Engine]
C -->|Normal| D[Pass to Origin]
C -->|L3/L4 Attack| E[Packet Filtering]
C -->|L7 Attack| F[Rate Limiting + WAF]
E --> D
F --> D
D --> G[Origin Server]
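The decision the flowchart sketches, as an added illustration rather than Cloudflare's detection code: a toy per-second classifier that separates an L3/4 packet flood from an L7 request flood by comparing packet rate, HTTP request rate and protocol mix against a baseline. The traffic samples, window size and threshold k are constructed assumptions; the robust z-score (median and MAD) and the rule that only clean seconds update the baseline are the two design points worth copying.

```python
"""Added example, not Cloudflare's detection code: a toy per-second classifier that
separates an L3/4 packet flood from an L7 request flood the way the flowchart shows.
Traffic samples, thresholds and the window size are constructed assumptions."""
from collections import deque
from statistics import median


def make_samples():
    """Constructed telemetry, one dict per second: packets/s, HTTP requests/s,
    fraction of packets that are TCP SYN, fraction that are UDP."""
    calm = [dict(pps=10_000 + (i % 5) * 40, rps=800 + (i % 3) * 10, syn=0.05, udp=0.08)
            for i in range(30)]
    syn_flood = [dict(pps=400_000, rps=790, syn=0.95, udp=0.01)] * 5     # SYN flood, no extra HTTP
    udp_amp = [dict(pps=900_000, rps=805, syn=0.01, udp=0.97)] * 5       # UDP amplification
    http_flood = [dict(pps=32_000, rps=12_000, syn=0.06, udp=0.08)] * 5  # HTTP flood: normal mix
    return calm + syn_flood + calm[:5] + udp_amp + calm[:5] + http_flood


def robust_z(x, values):
    """z-score from median and MAD, so a few extreme seconds cannot inflate the scale."""
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0
    return (x - med) / (1.4826 * mad)


def detect(samples, window=30, k=10.0):
    """Classify each second after the warm-up window. Returns (second, verdict, action)."""
    baseline = deque(samples[:window], maxlen=window)  # warm-up assumed attack-free
    verdicts = []
    for t, s in enumerate(samples[window:], start=window):
        z_pps = robust_z(s["pps"], [b["pps"] for b in baseline])
        z_rps = robust_z(s["rps"], [b["rps"] for b in baseline])
        if z_rps > k:                        # request rate exploded: application layer
            verdict, action = "L7 HTTP flood", "rate-limit + challenge"
        elif z_pps > k and s["syn"] > 0.5:   # packet rate exploded; protocol mix gives the type
            verdict, action = "L3/4 SYN flood", "drop (packet filter)"
        elif z_pps > k and s["udp"] > 0.5:
            verdict, action = "L3/4 UDP amplification", "drop (packet filter)"
        elif z_pps > k:
            verdict, action = "L3/4 anomaly", "log and investigate"
        else:
            verdict, action = "normal", "pass to origin"
            baseline.append(s)  # only clean seconds update the baseline: it never learns the attack
        verdicts.append((t, verdict, action))
    return verdicts


def summarize(verdicts):
    """Count seconds per verdict."""
    counts = {}
    for _, verdict, _ in verdicts:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    results = detect(make_samples())
    for t, verdict, action in results:
        print(f"t={t:02d}s {verdict:24s} -> {action}")
    print(summarize(results))
```

Run it and the SYN and UDP floods are flagged by packet rate plus protocol share, while the HTTP flood, whose packet mix looks ordinary, is caught by the request-rate check; the calm seconds in between stay "normal" because the baseline was never polluted by attack seconds.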
L3/L4 Mitigation Settings
Layer 3 and 4 attacks target network infrastructure with SYN floods, UDP amplification, and ICMP floods. Cloudflare mitigates them automatically. For a proxied HTTP zone there is nothing to configure: only Cloudflare's anycast addresses are announced, so flood packets terminate at the edge and never reach your origin. The settings below are overrides on the Network-layer DDoS managed ruleset, which matter when your own IP ranges (Magic Transit) or non-HTTP ports (Spectrum) are reachable through Cloudflare.
Configure overrides in Security > DDoS, or through the Rulesets API (phase ddos_l4):
| Setting | Description |
|---|---|
| Override scope | Apply to the whole managed ruleset or to a single rule (for example, only the SYN flood rule) |
| Sensitivity Level | Default, Medium, Low, or Essentially off; lowering sensitivity raises the rate a rule must observe before it fires |
| Rate threshold | Not a user-entered packet count; each rule's threshold is derived from its sensitivity level |
| Action | Block or Log (or Default, the ruleset's own action). There is no Challenge at L3/4: with no HTTP session there is nothing to serve a challenge on |
L7 Mitigation Configuration
Layer 7 attacks target the application with HTTP floods and Slowloris-style slow-request attacks. Cloudflare's HTTP DDoS Attack Protection managed ruleset is enabled on every zone; what you configure is an override that changes its sensitivity or its action. In the dashboard this lives under Security > DDoS; through the API you write a rule into the zone's ddos_l7 phase entrypoint that executes the managed ruleset (ID 4d21379b4f9f4bb088e0729962c8b3cf, confirm it against Cloudflare's managed ruleset documentation before applying) with overrides. The token needs the Zone WAF: Edit permission.
curl -X PUT "https://api.cloudflare.com/client/v4/zones/ZONE_ID/rulesets/phases/ddos_l7/entrypoint" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{
    "rules": [{
      "description": "HTTP DDoS: medium sensitivity, managed challenge instead of block",
      "expression": "true",
      "action": "execute",
      "action_parameters": {
        "id": "4d21379b4f9f4bb088e0729962c8b3cf",
        "overrides": { "sensitivity_level": "medium", "action": "managed_challenge" }
      }
    }]
  }'
Expected output (abbreviated; placeholders stand for the IDs Cloudflare assigns):
{
  "result": {
    "id": "<entrypoint ruleset id>", "kind": "zone", "phase": "ddos_l7", "version": "2",
    "rules": [{
      "id": "<rule id>", "action": "execute", "enabled": true, "expression": "true",
      "action_parameters": {
        "id": "4d21379b4f9f4bb088e0729962c8b3cf",
        "overrides": { "sensitivity_level": "medium", "action": "managed_challenge" }
      }
    }]
  },
  "success": true, "errors": [], "messages": []
}
PUT replaces every rule in the phase entrypoint, so re-send the full list or PATCH an individual rule by ID. Valid sensitivity_level values are default, medium, low and eoff (essentially off); eoff disables automatic mitigation and should only be used while debugging false positives.
Python: Monitor DDoS Attack Events
Attack events are read through the GraphQL Analytics API rather than a REST endpoint. HTTP DDoS mitigations appear in the zone's security events dataset with source l7ddos; the token needs the Analytics: Read zone permission. Network-layer attack data (Magic Transit and Spectrum) lives in the separate Network Analytics datasets and is not shown here.
import os
import sys
from datetime import datetime, timedelta, timezone
import requests

ZONE_ID = os.environ["CLOUDFLARE_ZONE_ID"]
TOKEN = os.environ["CLOUDFLARE_API_TOKEN"]
URL = "https://api.cloudflare.com/client/v4/graphql"
# HTTP DDoS mitigations are in the security events dataset with source "l7ddos".
QUERY = """query($zone: string, $since: Time) { viewer { zones(filter: {zoneTag: $zone}) {
  firewallEventsAdaptive(filter: {datetime_geq: $since, source: "l7ddos"},
                         limit: 10, orderBy: [datetime_DESC]) { datetime action ruleId clientIP clientRequestPath }
} } }"""
since = (datetime.now(timezone.utc) - timedelta(days=1)).strftime("%Y-%m-%dT%H:%M:%SZ")
resp = requests.post(URL, json={"query": QUERY, "variables": {"zone": ZONE_ID, "since": since}},
                     headers={"Authorization": f"Bearer {TOKEN}"}, timeout=10)
resp.raise_for_status()
body = resp.json()
if body.get("errors"):  # GraphQL errors come back with HTTP 200, so check the payload
    sys.exit(f"GraphQL error: {body['errors']}")
zones = body["data"]["viewer"]["zones"]
if not zones:
    sys.exit("zone not visible to this token")
for event in zones[0]["firewallEventsAdaptive"]:
    print(f"Time: {event['datetime']}")
    print(f"Rule: {event['ruleId']}  Action: {event['action']}")
    print(f"Client: {event['clientIP']}  Path: {event['clientRequestPath']}")
    print("---")
Expected output (illustrative):
Time: 2026-06-22T14:30:12Z
Rule: <managed rule id>  Action: managed_challenge
Client: 203.0.113.7  Path: /api/search
---
Time: 2026-06-22T14:30:11Z
Rule: <managed rule id>  Action: managed_challenge
Client: 203.0.113.42  Path: /api/search
---
Go: Log Attack Events to File
Counting HTTP DDoS mitigations from the GraphQL security events dataset for the last 24 hours and appending one line per run to a log file, suitable for a cron job:
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"os"
	"time"
)

// HTTP DDoS mitigations carry source "l7ddos" in the security events dataset.
const query = `query($zone: string, $since: Time) { viewer { zones(filter: {zoneTag: $zone}) {
  firewallEventsAdaptive(filter: {datetime_geq: $since, source: "l7ddos"}, limit: 1000, orderBy: [datetime_DESC]) { datetime action ruleId }
} } }`

func main() {
	zoneID := os.Getenv("CLOUDFLARE_ZONE_ID")
	token := os.Getenv("CLOUDFLARE_API_TOKEN")
	since := time.Now().UTC().Add(-24 * time.Hour).Format(time.RFC3339)
	payload, _ := json.Marshal(map[string]any{ // plain strings: marshalling cannot fail
		"query":     query,
		"variables": map[string]string{"zone": zoneID, "since": since},
	})
	req, _ := http.NewRequest(http.MethodPost, "https://api.cloudflare.com/client/v4/graphql", bytes.NewReader(payload))
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Content-Type", "application/json")

	client := &http.Client{Timeout: 10 * time.Second}
	resp, err := client.Do(req)
	if err != nil {
		fmt.Fprintln(os.Stderr, "request failed:", err)
		os.Exit(1)
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil || resp.StatusCode != http.StatusOK {
		fmt.Fprintf(os.Stderr, "HTTP %d: %s %v\n", resp.StatusCode, body, err)
		os.Exit(1)
	}

	// Decode only the fields used; GraphQL errors arrive with HTTP 200, so check them too.
	var data struct {
		Data struct {
			Viewer struct {
				Zones []struct {
					Events []struct{ Datetime, Action, RuleID string } `json:"firewallEventsAdaptive"`
				} `json:"zones"`
			} `json:"viewer"`
		} `json:"data"`
		Errors []struct{ Message string } `json:"errors"`
	}
	if err := json.Unmarshal(body, &data); err != nil || len(data.Errors) > 0 {
		fmt.Fprintf(os.Stderr, "bad response: %v %v\n", err, data.Errors)
		os.Exit(1)
	}
	n := 0
	if z := data.Data.Viewer.Zones; len(z) > 0 {
		n = len(z[0].Events)
	}

	logEntry := fmt.Sprintf("[%s] HTTP DDoS mitigations in the last 24h: %d\n", time.Now().UTC().Format(time.RFC3339), n)
	f, err := os.OpenFile("ddos_events.log", os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0o600) // owner-only: it names attack targets
	if err != nil {
		fmt.Fprintln(os.Stderr, "open log:", err)
		os.Exit(1)
	}
	defer f.Close()
	f.WriteString(logEntry)
	fmt.Print(logEntry)
}
Expected output:
[2026-06-23T10:00:00Z] HTTP DDoS mitigations in the last 24h: 3
Rate Limiting Rules for L7 Protection
Create a Rate Limiting rule to complement automatic DDoS protection. The managed ruleset fires only once a flood is large enough to match one of its signatures; a per-client rule on a sensitive endpoint catches smaller, targeted floods below that bar, such as credential stuffing against the login form. Rate Limiting rules are written into the zone's http_ratelimit phase entrypoint, and the characteristics list must include cf.colo.id because counting happens per data centre:
curl -X PUT "https://api.cloudflare.com/client/v4/zones/ZONE_ID/rulesets/phases/http_ratelimit/entrypoint" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{
    "rules": [{
      "description": "Rate limit login endpoint: 100 POSTs per minute per client IP",
      "expression": "http.request.uri.path eq \"/login\" and http.request.method eq \"POST\"",
      "action": "block",
      "ratelimit": {
        "characteristics": ["cf.colo.id", "ip.src"],
        "period": 60,
        "requests_per_period": 100,
        "mitigation_timeout": 600
      }
    }]
  }'
Matching on the path and method rather than a full URL keeps ordinary page views of /login out of the count. As with the DDoS phase, PUT replaces all rules in the http_ratelimit entrypoint, so send the complete list.
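Why a per-client Rate Limiting rule and the automatic L7 protection are complementary, as an added, simplified model rather than Cloudflare's enforcement code: the rule (100 requests per 60 s on the login endpoint, keyed on client IP as characteristics ip.src expresses it) is run over constructed login traffic. Cloudflare counts per data centre, which is why cf.colo.id is required in the real rule; this model counts globally and uses fixed windows. The addresses are documentation ranges and the scenario is constructed.

```python
"""Added example, not Cloudflare's enforcement code: a simplified model of a Rate
Limiting rule (expression + counting characteristics + period + threshold +
mitigation_timeout) run over constructed login traffic."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass
class RateLimitRule:
    matches: Callable[[dict], bool]      # stand-in for the rule expression
    characteristics: Tuple[str, ...]     # request fields that form the counting key
    period: int                          # seconds per counting window
    requests_per_period: int             # threshold within one window
    mitigation_timeout: int              # seconds a key stays blocked once over the limit
    counts: Dict[tuple, int] = field(default_factory=lambda: defaultdict(int))
    window_start: Dict[tuple, float] = field(default_factory=dict)
    blocked_until: Dict[tuple, float] = field(default_factory=dict)

    def evaluate(self, req: dict, now: float) -> str:
        if not self.matches(req):
            return "pass"                        # rule does not apply to this request
        key = tuple(req[c] for c in self.characteristics)
        if self.blocked_until.get(key, -1.0) > now:
            return "block"                       # still inside the mitigation timeout
        if now - self.window_start.setdefault(key, now) >= self.period:
            self.window_start[key], self.counts[key] = now, 0   # start a new fixed window
        self.counts[key] += 1
        if self.counts[key] > self.requests_per_period:
            self.blocked_until[key] = now + self.mitigation_timeout
            return "block"
        return "pass"


ATTACKER = "198.51.100.10"   # documentation address; the whole scenario is constructed


def constructed_traffic():
    """(time, request) pairs, sorted by time."""
    post = lambda ip: {"ip.src": ip, "path": "/login", "method": "POST"}
    reqs = [(i * 0.2, post(ATTACKER)) for i in range(150)]  # 150 POSTs in 30 s from one IP
    reqs.append((5.0, {"ip.src": ATTACKER, "path": "/login", "method": "GET"}))  # page view, not matched
    reqs.append((120.0, post(ATTACKER)))   # retry after the window but inside mitigation_timeout
    reqs.append((700.0, post(ATTACKER)))   # retry after the timeout has expired
    for i in range(400):                   # distributed flood: one POST from each of 400 IPs
        ip = f"203.0.113.{i}" if i < 256 else f"192.0.2.{i - 256}"
        reqs.append((200.0 + i / 400, post(ip)))
    return sorted(reqs, key=lambda r: r[0])


def run():
    """Evaluate the login rule over the traffic; returns (time, request, verdict) triples."""
    rule = RateLimitRule(matches=lambda r: r["path"] == "/login" and r["method"] == "POST",
                         characteristics=("ip.src",), period=60,
                         requests_per_period=100, mitigation_timeout=600)
    return [(now, req, rule.evaluate(req, now)) for now, req in constructed_traffic()]


def summarize(results):
    """Pass/block counts per traffic class."""
    out = defaultdict(lambda: {"pass": 0, "block": 0})
    for _, req, verdict in results:
        if req["method"] == "GET":
            group = "page view GET"
        elif req["ip.src"] == ATTACKER:
            group = "single-IP POST"
        else:
            group = "distributed POST"
        out[group][verdict] += 1
    return dict(out)


if __name__ == "__main__":
    for group, counts in summarize(run()).items():
        print(f"{group:18s} {counts}")
```

The single-source flood is cut off after 100 requests and stays blocked for the full mitigation_timeout, but the 400-address flood passes untouched because no single key exceeds the threshold. That distributed case is what the HTTP DDoS managed ruleset exists for, which is why both belong in the configuration.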
Common Mistakes
| Mistake | Consequence |
|---|---|
| Setting sensitivity to Essentially off | Floods reach the origin unmitigated |
| Setting sensitivity too high, or overriding the action to Block | Legitimate traffic spikes (launches, sales) get blocked or challenged |
| Not monitoring attack events | No visibility into attack patterns or into false positives |
| Relying on the managed ruleset alone | Targeted floods below its thresholds, such as credential stuffing, keep going |
| No IP allowlist for monitoring and health checks | Your own tools get challenged or blocked during an attack |
| Exposing the origin IP (unproxied DNS records, mail headers, old DNS history) | Attackers bypass Cloudflare and hit the origin directly |
Practice Questions
- What is the difference between L3 and L7 DDoS attacks?
- How does Cloudflare's automatic DDoS protection decide when to start mitigation?
- Why should you keep Rate Limiting enabled alongside automatic DDoS protection?
Challenge
Create a Go or Python script that polls the GraphQL security events dataset every 5 minutes and posts a Slack webhook notification when new HTTP DDoS mitigations (source l7ddos) have appeared since the previous poll, including the count, the most-targeted path and the action taken. Persist the last-seen timestamp so that a restart does not re-alert on old events.
Real-World Task
Your e-commerce site is hit by a Layer 7 HTTP flood targeting the checkout endpoint. Raise the HTTP DDoS managed ruleset sensitivity if it is not already mitigating, add a Rate Limiting rule keyed on client IP for the checkout path, and set up monitoring alerts. Verify under Security > Events, filtering on source HTTP DDoS and on your rate limiting rule, that the flood is being challenged or blocked while normal checkouts still complete.
FAQ
{{< faq "Does Cloudflare protect against DNS amplification attacks?">}} Yes, on two fronts. If your zone's authoritative DNS is on Cloudflare, query floods and reflected amplification traffic aimed at your nameservers land on Cloudflare's anycast DNS edge, which absorbs them; your own nameservers are not in the path. If the amplified traffic is aimed at your origin instead, it is stopped only if the origin IP is hidden behind proxied records (or announced through Magic Transit), because reflected UDP is sent to whatever address the attacker chose, not through Cloudflare's proxy. {{< /faq >}}
Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro — security-first tools for the modern web.