L3/L4 and HTTP DDoS Protection
By the end of this lesson you will understand the difference between L3/L4 and HTTP DDoS attacks, how Cloudflare detects and mitigates them, and how to configure DDoS protection settings.
What Is a DDoS Attack?
A Distributed Denial of Service (DDoS) attack floods your server with more traffic than it can handle, so legitimate users get slow responses or none at all. The traffic comes from many sources at once (typically a botnet of compromised devices), so blocking individual IPs is impractical.
```mermaid
flowchart TD
subgraph Botnet["Botnet (Thousands of Compromised Devices)"]
B1["Bot 1"]
B2["Bot 2"]
B3["Bot 3"]
B4["Bot ..."]
B5["Bot N"]
end
B1 --> TARGET
B2 --> TARGET
B3 --> TARGET
B4 --> TARGET
B5 --> TARGET
TARGET["Your Server\n(Overwhelmed)"]
style TARGET fill:#dc2626,color:#fff,stroke:#b91c1c
```
Attack Types by OSI Layer
| Layer | Type | Protocol | Example Attack | Cloudflare Coverage |
|---|---|---|---|---|
| L3 (Network) | Volumetric | IP, ICMP | ICMP flood, IP fragmentation | ✅ Free |
| L4 (Transport) | Protocol abuse | TCP, UDP | SYN flood, UDP flood, ACK flood | ✅ Free |
| L7 (Application) | Application logic abuse | HTTP/HTTPS | HTTP flood, slowloris, cache-busting | ✅ Free |
Coverage on the Free plan applies to hostnames proxied through Cloudflare (orange-cloud DNS records), whose HTTP(S) traffic terminates at the edge. Arbitrary TCP/UDP services and your own IP prefixes are protected only with Spectrum or Magic Transit, which are separate products.
L3/L4 DDoS Protection
Layer 3/4 attacks target the network and transport layers. They try to overwhelm your infrastructure with raw traffic volume — consuming bandwidth, exhausting connection tables, or abusing protocol mechanisms.
Common L3/L4 Attacks
| Attack | How It Works | Mitigation |
|---|---|---|
| SYN Flood | Sends huge numbers of TCP SYN packets, often from spoofed sources, without completing the handshake, so half-open connections exhaust the server's connection table | Cloudflare terminates TCP at the edge and answers SYNs with SYN cookies, so no half-open state is kept and the origin never sees incomplete connections |
| UDP Flood | Floods random ports with UDP packets, forcing the server to look up each port and reply with ICMP "port unreachable" | Cloudflare drops UDP that is not part of a service it proxies (e.g. QUIC on 443) at the edge |
| ICMP Flood | Overwhelms the server with ICMP echo requests (ping flood) | Absorbed at the edge; ICMP aimed at the proxied address never reaches the origin |
| DNS Amplification | Sends small DNS queries with the victim's spoofed source address to open resolvers, which send much larger responses to the victim | Cloudflare absorbs the amplified traffic across its anycast network |
| NTP Amplification | Same trick against NTP servers (the monlist command is the classic case), whose responses are many times larger than the request | Dropped at Cloudflare's network edge |
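The SYN-cookie row above says the edge keeps no half-open state; the following added example (not code from the page or from Cloudflare) shows how that works by encoding the handshake state into the server's initial sequence number and verifying it on the final ACK. The secret, the MSS table, the cookie layout and the timestamps are constructed for illustration; real implementations (e.g. Linux) use the same idea with different bit layouts.

```python
import hashlib
import hmac
import time

# Constructed for this example: the secret lives only on the host that terminates
# TCP (Cloudflare's edge in the page's setting) and should be rotated regularly.
SECRET = b"example-edge-secret-rotate-me"

# Cookie layout, simplified from the classic Bernstein/Linux scheme:
#   bits 31..27 : t, a coarse timestamp (64-second ticks, mod 32)
#   bits 26..24 : index into a small MSS table
#   bits 23..0  : truncated MAC over the 4-tuple and t
MSS_TABLE = (536, 1220, 1440, 1460)
TICK_SECONDS = 64


def _tick(now):
    return (int(now) // TICK_SECONDS) & 0x1F


def _mac24(saddr, sport, daddr, dport, t):
    msg = f"{saddr}:{sport}>{daddr}:{dport}|{t}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_syn_cookie(saddr, sport, daddr, dport, client_mss, now=None):
    """ISN for the SYN-ACK. Nothing is stored: a flood of SYNs costs only CPU, not
    connection-table slots, which is why the flood never reaches the origin."""
    t = _tick(time.time() if now is None else now)
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):      # largest table entry the client can accept
        if mss <= client_mss:
            mss_idx = i
    mac = int.from_bytes(_mac24(saddr, sport, daddr, dport, t), "big")
    return (t << 27) | (mss_idx << 24) | mac


def check_syn_cookie(ack, saddr, sport, daddr, dport, now=None, max_age_ticks=1):
    """Validate the final ACK of the handshake (ack must equal cookie + 1).
    Returns the negotiated MSS, or None if the cookie is forged, was issued for a
    different 4-tuple, or is too old. Only after this succeeds is a connection
    allocated and forwarded to the origin."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    mac = (cookie & 0xFFFFFF).to_bytes(3, "big")
    cur = _tick(time.time() if now is None else now)
    if (cur - t) & 0x1F > max_age_ticks:
        return None
    if not hmac.compare_digest(mac, _mac24(saddr, sport, daddr, dport, t)):
        return None
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    isn = make_syn_cookie("198.51.100.7", 40000, "203.0.113.10", 443, 1452)
    print("SYN-ACK ISN:", hex(isn))
    print("genuine ACK ->", check_syn_cookie(isn + 1, "198.51.100.7", 40000, "203.0.113.10", 443))
    print("spoofed ACK ->", check_syn_cookie(isn + 1, "198.51.100.8", 40000, "203.0.113.10", 443))
```

Because the cookie is bound to the 4-tuple and a short time window, a spoofed source can never complete the handshake, and a SYN that is never followed by an ACK costs the listener nothing to forget.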
How Cloudflare Mitigates L3/L4 Attacks
```mermaid
flowchart TD
TRAFFIC["Incoming Traffic\n(Clean + Attack)"] --> EDGE["Cloudflare Edge PoP"]
EDGE --> ANALYSIS{"Traffic Analysis\n(Real-time ML)"}
ANALYSIS -->|"Normal patterns"| PASS["✅ Forward to Origin"]
ANALYSIS -->|"Attack patterns"| DETECT["🚨 Attack Detected"]
DETECT --> RULES["Apply Mitigation Rules"]
RULES --> DROP["❌ Drop Attack Traffic"]
RULES --> RATE["Rate Limit"]
style DROP fill:#dc2626,color:#fff,stroke:#b91c1c
style PASS fill:#16a34a,color:#fff,stroke:#15803d
style DETECT fill:#f6821f,color:#fff,stroke:#e5711e
```
Key detection mechanisms:
- Traffic pattern analysis — Compares current traffic against baseline patterns
- Machine learning models — Trained on traffic across Cloudflare's global network (Cloudflare's own figure is that it handles roughly 20% of all web traffic)
- Fingerprinting — Identifies known attack tools and botnet signatures
- Automatic mitigation — Attacks are mitigated within seconds without human intervention
HTTP DDoS Protection
Layer 7 (HTTP) attacks are more sophisticated. Instead of flooding with raw packets, they send legitimate-looking HTTP requests that consume your server's CPU, memory, and database resources.
Common HTTP Attacks
| Attack | How It Works |
|---|---|
| HTTP Flood | Sends large numbers of well-formed HTTP requests (GET or POST) so that the work of serving them exhausts CPU, memory, or database capacity |
| Slowloris | Opens many connections and sends request headers a few bytes at a time, so each connection stays open and ties up a server thread or slot; because Cloudflare terminates the client connection at the edge, slow clients never hold origin connections |
| Request per URL attack | Hammers a specific expensive endpoint (search, login, report generation, an unauthenticated API) so that relatively few requests cause a lot of backend work |
| Cache-busting attack | Adds random query parameters to every request so each URL is a cache miss, forcing the CDN to fetch from the origin every time |
HTTP DDoS Managed Rules
Cloudflare applies a set of managed rules that automatically detect and mitigate HTTP DDoS attacks:
| Rule Category | What It Detects |
|---|---|
| HTTP flood | Unusually high request rates from single sources or patterns |
| Cache-busting | Requests with randomized query strings designed to bypass cache |
| Known bot signatures | User-agent strings, headers, and fingerprints of known attack tools |
| Anomalous headers | Missing or malformed HTTP headers typical of bots |
| Geographic anomalies | Sudden traffic spikes from unusual regions |
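To make the HTTP flood, cache-busting and anomalous-header categories concrete, here is an added example (not Cloudflare's detection code and not from the original page) that runs the same three checks over web-server access logs: a sliding-window request rate per client, the share of unique query strings per client, and an empty User-Agent. The log format, the thresholds and the sample traffic are all constructed for the example; tune the thresholds to your own baseline.

```python
import random
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed log format for this example (epoch seconds in brackets instead of
# the usual CLF timestamp, to keep parsing short):
#   <ip> - - [<epoch>] "<method> <target> HTTP/1.1" <status> <bytes> "<referer>" "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>\d+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

WINDOW_SECONDS = 10          # sliding window for the per-client rate
FLOOD_REQS_PER_WINDOW = 50   # thresholds are illustrative; tune to your baseline
CACHEBUST_MIN_REQS = 20
CACHEBUST_UNIQUE_RATIO = 0.8


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    return rec


def peak_window_count(timestamps):
    """Largest number of requests inside any WINDOW_SECONDS-long window."""
    ts = sorted(timestamps)
    lo, peak = 0, 0
    for hi in range(len(ts)):
        while ts[hi] - ts[lo] >= WINDOW_SECONDS:
            lo += 1
        peak = max(peak, hi - lo + 1)
    return peak


def analyze(lines):
    """Return {client_ip: [reasons]} for clients that match the HTTP-flood,
    cache-busting or anomalous-header patterns."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        reasons = []
        peak = peak_window_count(r["ts"] for r in recs)
        if peak > FLOOD_REQS_PER_WINDOW:
            reasons.append(f"http_flood: {peak} requests in {WINDOW_SECONDS}s")
        queries = [q for q in (urlsplit(r["target"]).query for r in recs) if q]
        if len(queries) >= CACHEBUST_MIN_REQS:
            ratio = len(set(queries)) / len(queries)
            if ratio >= CACHEBUST_UNIQUE_RATIO:
                reasons.append(f"cache_busting: {ratio:.0%} unique query strings")
        if any(r["ua"] in ("", "-") for r in recs):
            reasons.append("anomalous_headers: empty User-Agent")
        if reasons:
            findings[ip] = reasons
    return findings


def sample_log(base=1_700_000_000):
    """Constructed traffic: one browsing user plus one bot busting the cache."""
    rng = random.Random(1)
    ua = "Mozilla/5.0 (X11; Linux x86_64)"
    lines = []
    for i, path in enumerate(["/", "/about", "/search?q=pricing", "/search?q=pricing", "/docs"]):
        lines.append(f'198.51.100.4 - - [{base + i * 12}] "GET {path} HTTP/1.1" 200 4096 "-" "{ua}"')
    for i in range(120):  # 6 requests/second for 20 seconds, every URL unique
        nonce = f"{rng.getrandbits(32):08x}"
        lines.append(f'203.0.113.7 - - [{base + i // 6}] "GET /search?q={nonce} HTTP/1.1" 200 512 "-" "-"')
    return lines


if __name__ == "__main__":
    for ip, reasons in analyze(sample_log()).items():
        print(ip, "->", "; ".join(reasons))
```

The unique-query-string ratio is the signal that separates a cache-busting bot from a busy legitimate client: real users repeat the same handful of URLs, so their ratio stays low even when their request rate is high.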
Configuring DDoS Protection
DDoS Managed Rulesets
Navigate to Security → DDoS in the Cloudflare dashboard. You'll find two managed rulesets:
- HTTP DDoS Attack Protection — For application-layer attacks on proxied hostnames; its sensitivity and action can be overridden on every plan
- Network-layer DDoS Attack Protection — For L3/L4 attacks; it runs automatically, and its overrides are configurable only for Spectrum and Magic Transit customers
Sensitivity and Action Levels
You can adjust the sensitivity and action for DDoS rules:
| Sensitivity | Description |
|---|---|
| High | Default. Triggers on the smallest traffic anomalies, so it is the most aggressive setting and the one most likely to flag unusual but legitimate traffic |
| Medium | Triggers on moderate anomalies; a middle ground if High produces false positives |
| Low | Triggers only on large, obvious attacks; the fewest false positives |
| Essentially Off | Minimal detection; only for specific cases where you handle protection elsewhere or need to stop one rule from mitigating a known-good traffic pattern |
| Action | Description |
|---|---|
| Block | Drop the request entirely |
| Managed Challenge | Present a Cloudflare challenge; legitimate browsers usually pass without interaction, and clients that fail are not forwarded |
| Log | Record matches without mitigating (useful for testing a change before enforcing it) |
Keep the default sensitivity (High) unless you see legitimate traffic being mitigated in Security → Events. If you do, lower the sensitivity for the specific rule that fired rather than for the whole ruleset, and switch its action to Log only for as long as it takes to confirm the change. If you have lowered sensitivity in the past, restore it while under active attack.
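The same override can be applied through the Cloudflare API instead of the dashboard. The following added example (not the page's own code, and not a Cloudflare SDK) builds the ruleset-level override payload, audits it for settings that weaken protection, and PUTs it to the zone's `ddos_l7` phase entrypoint. The endpoint path, the managed ruleset ID and the value names (`eoff`, `managed_challenge`) are my reading of Cloudflare's Rulesets API and should be checked against the current API documentation before use; the zone ID and token are placeholders.

```python
import json
import urllib.request

# Assumptions to verify against Cloudflare's API docs before use: the ddos_l7 phase
# entrypoint, and this ID for the "HTTP DDoS Attack Protection" managed ruleset.
HTTP_DDOS_RULESET_ID = "4d21379b4f9f4bb088e0729962c8b3cf"
API_BASE = "https://api.cloudflare.com/client/v4"

SENSITIVITY_LEVELS = {"high", "medium", "low", "eoff"}   # "eoff" = Essentially Off
ACTIONS = {"block", "managed_challenge", "log"}


def build_override(sensitivity="high", action=None, description="HTTP DDoS override"):
    """Payload for PUT /zones/{zone}/rulesets/phases/ddos_l7/entrypoint that overrides
    the managed ruleset as a whole. action=None keeps each rule's default action."""
    if sensitivity not in SENSITIVITY_LEVELS:
        raise ValueError(f"unknown sensitivity {sensitivity!r}")
    if action is not None and action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    overrides = {"sensitivity_level": sensitivity}
    if action is not None:
        overrides["action"] = action
    return {
        "rules": [{
            "expression": "true",
            "action": "execute",
            "description": description,
            "action_parameters": {"id": HTTP_DDOS_RULESET_ID, "overrides": overrides},
        }]
    }


def audit_override(payload):
    """Flag settings that weaken protection; returns a list of warnings (empty = fine).
    Run this in CI on the payload you are about to deploy."""
    warnings = []
    for rule in payload.get("rules", []):
        ov = rule.get("action_parameters", {}).get("overrides", {})
        level = ov.get("sensitivity_level", "high")
        if level == "eoff":
            warnings.append("sensitivity 'eoff': detection is essentially disabled")
        elif level == "low":
            warnings.append("sensitivity 'low': only large, obvious floods will be caught")
        if ov.get("action") == "log":
            warnings.append("action 'log': matches are recorded but nothing is mitigated")
    return warnings


def deploy_override(zone_id, api_token, payload):
    """Apply the override to the zone (network call; not exercised offline)."""
    req = urllib.request.Request(
        f"{API_BASE}/zones/{zone_id}/rulesets/phases/ddos_l7/entrypoint",
        data=json.dumps(payload).encode(),
        method="PUT",
        headers={"Authorization": f"Bearer {api_token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    weak = build_override("eoff", "log")
    print("weak config warnings:", audit_override(weak))
    recommended = build_override("high")
    print("recommended config warnings:", audit_override(recommended))
    # deploy_override("<zone_id>", "<api_token>", recommended)  # placeholders
```

The audit deliberately treats `log` as a warning rather than an error: it is the right action while you confirm a change, but a payload left at `log` in version control is a protection gap waiting to be forgotten.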
During an Attack
If you're actively being attacked:
- Check the dashboard — Security → Events shows which rules are firing, on which paths, and from where
- Enable "I'm Under Attack" mode — Quick Actions on the zone Overview, or Security → Settings → Security Level
  - Presents an interstitial JavaScript challenge page to every visitor for roughly 5 seconds
  - Stops clients that cannot run the challenge, which covers most bots but also API clients, webhooks, and monitoring probes
- Review DDoS rules — Raise the sensitivity (or restore the default) if the current rules aren't catching all attack traffic
- Check origin protection — Ensure your origin only accepts traffic from Cloudflare IPs, so an attacker who knows the origin IP cannot go around the edge
"I'm Under Attack" Mode
```mermaid
flowchart LR
USER["Visitor"] --> CF["Cloudflare Edge"]
CF -->|"JavaScript\nChallenge"| CHECK{"Pass\nChallenge?"}
CHECK -->|"✅ Human"| ORIGIN["Your Origin"]
CHECK -->|"❌ Bot"| BLOCK["Blocked"]
style BLOCK fill:#dc2626,color:#fff,stroke:#b91c1c
style ORIGIN fill:#16a34a,color:#fff,stroke:#15803d
```
"I'm Under Attack" mode adds a 5-second delay for all visitors (including legitimate ones). Use it only during active attacks and disable it when the attack subsides.
Protecting Your Origin IP
DDoS protection only works if traffic flows through Cloudflare. If attackers discover your origin IP, they can attack it directly.
Hardening Checklist
| Action | Description |
|---|---|
| Firewall your origin | Only allow inbound traffic on web ports from Cloudflare's published IP ranges, and refresh the list on a schedule because it changes |
| Authenticate origin pulls | Enable Authenticated Origin Pulls so the origin requires Cloudflare's client certificate on every connection; an IP allowlist alone still admits traffic relayed through any other Cloudflare zone |
| Don't expose origin IP | Never leave an unproxied (grey-cloud) DNS record pointing at the origin, and keep the IP out of Git repos, error pages, and response headers |
| Use Cloudflare Tunnel | Connect your origin to Cloudflare over an outbound tunnel without exposing any inbound ports to the internet |
| Check historical DNS | Passive-DNS archives keep old records; if the origin IP ever appeared there, move the origin to a new IP |
| Separate mail server | Don't host email on the same IP as your web server; an MX record must point at a reachable address, and that address reveals the IP |
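For the "Firewall your origin" and "Check historical DNS" rows, and the origin-protection step in the attack checklist above, here is an added example (not from the page, and not a Cloudflare tool) that turns a list of Cloudflare ranges into an nftables ruleset allowing web ports only from the edge, checks whether an address belongs to Cloudflare, and reports hostnames that resolve straight to a non-Cloudflare address. The embedded ranges are a constructed subset snapshot; generate the real ruleset from the live https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 lists, and the DNS records in the test are made up.

```python
import ipaddress

# Constructed snapshot of a subset of Cloudflare's published ranges, for illustration
# only. Fetch the current lists from https://www.cloudflare.com/ips-v4 and
# https://www.cloudflare.com/ips-v6 before generating a real ruleset, and refresh
# them on a schedule: the ranges change.
CLOUDFLARE_V4 = """
173.245.48.0/20
103.21.244.0/22
104.16.0.0/13
104.24.0.0/14
172.64.0.0/13
162.158.0.0/15
198.41.128.0/17
"""
CLOUDFLARE_V6 = """
2400:cb00::/32
2606:4700::/32
2a06:98c0::/29
"""


def parse_ranges(text):
    """One CIDR per line, blank lines ignored; the published lists have this shape."""
    return [ipaddress.ip_network(line.strip()) for line in text.splitlines() if line.strip()]


def is_cloudflare(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)   # a v4/v6 version mismatch is simply False


def nft_ruleset(v4_text, v6_text, ports=(80, 443)):
    """Render an nftables ruleset: the web ports accept only from Cloudflare and
    everything else to those ports is dropped. Other ports are left to your existing
    policy, so SSH and the like are unaffected."""
    v4 = ", ".join(str(n) for n in parse_ranges(v4_text))
    v6 = ", ".join(str(n) for n in parse_ranges(v6_text))
    dports = ", ".join(str(p) for p in ports)
    return "\n".join([
        "table inet origin_guard {",
        f"  set cf_v4 {{ type ipv4_addr; flags interval; elements = {{ {v4} }} }}",
        f"  set cf_v6 {{ type ipv6_addr; flags interval; elements = {{ {v6} }} }}",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        f"    tcp dport {{ {dports} }} ip saddr @cf_v4 accept",
        f"    tcp dport {{ {dports} }} ip6 saddr @cf_v6 accept",
        f"    tcp dport {{ {dports} }} drop",
        "  }",
        "}",
    ])


def exposure_report(dns_records, nets):
    """Given {hostname: resolved_ip} for your public names, list those that resolve
    to an address outside Cloudflare, i.e. names that leak a directly reachable origin."""
    return [(host, ip) for host, ip in sorted(dns_records.items()) if not is_cloudflare(ip, nets)]


if __name__ == "__main__":
    nets = parse_ranges(CLOUDFLARE_V4) + parse_ranges(CLOUDFLARE_V6)
    print(nft_ruleset(CLOUDFLARE_V4, CLOUDFLARE_V6))          # nft -f - < this output
    constructed = {"www.example.com": "104.16.1.1", "mail.example.com": "203.0.113.10"}
    print("exposed:", exposure_report(constructed, nets))
```

Load the rendered ruleset with `nft -f`, then re-run the generator from a cron job against the live lists so a newly added Cloudflare range does not turn into an outage. The exposure report is only as good as the record set you feed it; feed it every public name you own, including mail, staging and monitoring hosts, not just the web front end.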
Common Misconceptions
"DDoS protection only works on paid plans"
Reality: Cloudflare's DDoS protection is free and unmetered on all plans, including the free tier. There are no bandwidth caps or attack size limits.
"Small sites don't get DDoS-ed"
Reality: Automated botnets attack sites of all sizes. Many attacks are random or targeted at shared infrastructure. DDoS protection is always valuable.
"I'm Under Attack mode should be on all the time"
Reality: Under Attack mode adds a challenge delay to every visitor. It should only be enabled during active attacks and disabled afterward.
Key Takeaways
- Cloudflare provides free, unmetered DDoS protection — no size caps, no surge pricing.
- L3/L4 protection mitigates volumetric attacks (SYN flood, UDP flood, amplification).
- HTTP DDoS protection mitigates application-layer attacks (HTTP flood, slowloris).
- Automatic detection — attacks are mitigated within seconds using ML and traffic analysis.
- Protect your origin IP — use Cloudflare Tunnel or firewall rules to prevent direct-to-origin attacks.
- "I'm Under Attack" mode is an emergency tool for active attacks — not for everyday use.
What's Next
- Continue to Application Security to learn about Turnstile, Challenges, and Bot Fight Mode.