Let us learn more about Cloudflare API DDoS protection and how to set it up. At Bobcares our Server management support services can give you a complete note on the process.

Configure HTTP DDoS Attack Protection via API

Configure the HTTP DDoS Attack Protection Managed Ruleset by using the Rulesets API to define overrides. The HTTP DDoS Attack Protection Managed Ruleset is active by default in each zone.

This implies we don’t have to explicitly deploy the Managed Ruleset to the ddos_l7 phase ruleset. To deploy the Managed Ruleset, we simply need to set up a rule in the phase ruleset . We can do this if we need to setup overrides.

​​Setup an override for the HTTP DDoS Attack Protection Managed Ruleset

Set up the HTTP DDoS Attack Protection Managed Ruleset using overrides. Overrides allow us to declare an action or sensitivity level that differs from the default values. We can define the overrides can by a ruleset, tag, or rule scope. Tag and rule setup will take importance over ruleset setup.

We can define overrides at the zone and account levels. Account-level overrides enable us to use a single rule to apply the same override to several zones in the account.

For example, we can use an account level override to reduce the sensitivity of a certain ruleset rule or to exclude an IP List from various zones. However, if a zone has HTTP DDoS Attack Protection Managed Ruleset overrides, the account level overrides will not be set to the zone.

Important

• The Managed HTTP DDoS Attack Protection Ruleset will always be activate. We can’t disable its rules by overriding them with “enabled”: false.
• Account-level overrides for the HTTP DDoS Attack Protection Managed Ruleset are currently only available through the API.
• The API allows us to define a custom rule expression to limit the scope of a set up (or override) to a subset of incoming requests. Currently, the dashboard only offers customizations that apply to all incoming requests for a zone.
• Using the API to set up a custom expression (or build several rules), the Cloudflare dashboard might provide information that are not complete. As a result, in this scenario, we should continue to use the API rather than setting up the Managed Ruleset in the dashboard.

Create Multiple Rules

Only Enterprise plan clients with the Advanced DDoS Protection subscription can set several rules.

In the ddos_l7 phase entry point ruleset, establish various rules to define distinct overrides for different sets of incoming requests. To modify the HTTP DDoS protection, set each rule expression based on the traffic.

Rules in the phase entry point ruleset, where overrides can be defined, are assessed in sequence until a match for a rule expression and sensitivity level is found.

As a result, the sequence of the rules in the entry point ruleset is critical. A rule with a higher sensitivity level must come after a rule with a lower sensitivity level. Otherwise, it will never be considered.

​​​​ Zone-level Setup Example: API calls

The following example for the PUT generates (or modifies) a new phase ruleset for the ddos_l7 phase at the zone level. The request includes many changes to modify the HTTP DDoS Attack Protection Managed Ruleset’s default behavior. The following are the overrides:

•  All rules in the Managed Ruleset will employ the vmanaged_challenge action and have a sensitivity level of medium.
• All rules tagged with will have a sensitivity level of. The sensitivity level for all rules labeled with TAG_NAME will be of the low level.
• The block action will be used by the rule with the ID MANAGED_RULESET_RULE_ID.

The created (or changed) phase entry point ruleset will open up in the response. Response example.

​​​​​​ Account-level Setup Example

The following PUT example establishes (or modifies) a new phase ruleset for the ddos_l7 phase at the account level. The following setup provides a single rule override for requests coming from IP addresses in the allowlisted_ips IP List:

The rule with ID MANAGED_RULESET_RULE_ID will have an off (Essentially Off) sensitivity level and will conduct a log action in the HTTP DDoS Attack Protection Managed Ruleset (with ID MANAGED_RULESET_ID).

Custom rule expressions (other than "true") necessitate an Enterprise plan combined with the Advanced DDoS Protection subscription.

The response returns the created (or updated) phase entry point ruleset. Cloudflare offers three DDoS protection solutions designed to protect anything connected to the Internet.

​​Cloudflare DDoS Services:

• Website DDoS Protection – Web Services (L7): unmetered and free in all Cloudflare website application service plans.
• Application DDoS Protection – Spectrum (L4): reverse proxy, pay as you go service for all TCP/UDP applications (gaming, VOIP, etc.).
• Network DDoS Protection – Magic Transit (L3): for on-premise, cloud, & hybrid networks. Combine DDoS protection, traffic acceleration, & more.

[Need assistance with similar queries? We are here to help]

Conclusion

To sum up we have gone through all of the setups to manage the Cloudflare API DDoS protection. With the support of our Server management support services, we have now gone through the topic of DDoS protection in detail.