1# DDoS Protection Patterns
2 
3## Allowlist Trusted IPs
4 
5```typescript
6const config = {
7  description: "Allowlist trusted IPs",
8  rules: [{
9    expression: "ip.src in { 203.0.113.0/24 192.0.2.1 }",
10    action: "execute",
11    action_parameters: {
12      id: managedRulesetId,
13      overrides: { sensitivity_level: "eoff" },
14    },
15  }],
16};
17 
18await client.accounts.rulesets.phases.entrypoint.update("ddos_l7", {
19  account_id: accountId,
20  ...config,
21});
22```
23 
24## Route-specific Sensitivity
25 
26```typescript
27const config = {
28  description: "Route-specific protection",
29  rules: [
30    {
31      expression: "not http.request.uri.path matches \"^/api/\"",
32      action: "execute",
33      action_parameters: {
34        id: managedRulesetId,
35        overrides: { sensitivity_level: "default", action: "block" },
36      },
37    },
38    {
39      expression: "http.request.uri.path matches \"^/api/\"",
40      action: "execute",
41      action_parameters: {
42        id: managedRulesetId,
43        overrides: { sensitivity_level: "low", action: "managed_challenge" },
44      },
45    },
46  ],
47};
48```
49 
50## Progressive Enhancement
51 
52```typescript
53enum ProtectionLevel { MONITORING = "monitoring", LOW = "low", MEDIUM = "medium", HIGH = "high" }
54 
55const levelConfig = {
56  [ProtectionLevel.MONITORING]: { action: "log", sensitivity: "eoff" },
57  [ProtectionLevel.LOW]: { action: "managed_challenge", sensitivity: "low" },
58  [ProtectionLevel.MEDIUM]: { action: "managed_challenge", sensitivity: "medium" },
59  [ProtectionLevel.HIGH]: { action: "block", sensitivity: "default" },
60} as const;
61 
62async function setProtectionLevel(zoneId: string, level: ProtectionLevel, rulesetId: string, client: Cloudflare) {
63  const settings = levelConfig[level];
64  return client.zones.rulesets.phases.entrypoint.update("ddos_l7", {
65    zone_id: zoneId,
66    rules: [{
67      expression: "true",
68      action: "execute",
69      action_parameters: { id: rulesetId, overrides: { action: settings.action, sensitivity_level: settings.sensitivity } },
70    }],
71  });
72}
73```
74 
75## Dynamic Response to Attacks
76 
77```typescript
78interface Env { CLOUDFLARE_API_TOKEN: string; ZONE_ID: string; KV: KVNamespace; }
79 
80export default {
81  async fetch(request: Request, env: Env): Promise<Response> {
82    if (request.url.includes("/attack-detected")) {
83      const attackData = await request.json();
84      await env.KV.put(`attack:${Date.now()}`, JSON.stringify(attackData), { expirationTtl: 86400 });
85      const recentAttacks = await getRecentAttacks(env.KV);
86      if (recentAttacks.length > 5) {
87        await setProtectionLevel(env.ZONE_ID, ProtectionLevel.HIGH, managedRulesetId, client);
88        return new Response("Protection increased");
89      }
90    }
91    return new Response("OK");
92  },
93  async scheduled(event: ScheduledEvent, env: Env): Promise<void> {
94    const recentAttacks = await getRecentAttacks(env.KV);
95    if (recentAttacks.length === 0) await setProtectionLevel(env.ZONE_ID, ProtectionLevel.MEDIUM, managedRulesetId, client);
96  },
97};
98```
99 
100## Multi-rule Tiered Protection (Enterprise Advanced)
101 
102```typescript
103const config = {
104  description: "Multi-tier DDoS protection",
105  rules: [
106    {
107      expression: "not ip.src in $known_ips and not cf.bot_management.score gt 30",
108      action: "execute",
109      action_parameters: { id: managedRulesetId, overrides: { sensitivity_level: "default", action: "block" } },
110    },
111    {
112      expression: "cf.bot_management.verified_bot",
113      action: "execute",
114      action_parameters: { id: managedRulesetId, overrides: { sensitivity_level: "medium", action: "managed_challenge" } },
115    },
116    {
117      expression: "ip.src in $trusted_ips",
118      action: "execute",
119      action_parameters: { id: managedRulesetId, overrides: { sensitivity_level: "low" } },
120    },
121  ],
122};
123```
124 
125## Defense in Depth
126 
127Layered security stack: DDoS + WAF + Rate Limiting + Bot Management.
128 
129```typescript
130// Layer 1: DDoS (volumetric attacks)
131await client.zones.rulesets.phases.entrypoint.update("ddos_l7", {
132  zone_id: zoneId,
133  rules: [{ expression: "true", action: "execute", action_parameters: { id: ddosRulesetId, overrides: { sensitivity_level: "medium" } } }],
134});
135 
136// Layer 2: WAF (exploit protection)
137await client.zones.rulesets.phases.entrypoint.update("http_request_firewall_managed", {
138  zone_id: zoneId,
139  rules: [{ expression: "true", action: "execute", action_parameters: { id: wafRulesetId } }],
140});
141 
142// Layer 3: Rate Limiting (abuse prevention)
143await client.zones.rulesets.phases.entrypoint.update("http_ratelimit", {
144  zone_id: zoneId,
145  rules: [{ expression: "http.request.uri.path eq \"/api/login\"", action: "block", ratelimit: { characteristics: ["ip.src"], period: 60, requests_per_period: 5 } }],
146});
147 
148// Layer 4: Bot Management (automation detection)
149await client.zones.rulesets.phases.entrypoint.update("http_request_sbfm", {
150  zone_id: zoneId,
151  rules: [{ expression: "cf.bot_management.score lt 30", action: "managed_challenge" }],
152});
153```
154 
155## Cache Strategy for DDoS Mitigation
156 
157Exclude query strings from cache key to counter randomized query parameter attacks.
158 
159```typescript
160const cacheRule = {
161  expression: "http.request.uri.path matches \"^/api/\"",
162  action: "set_cache_settings",
163  action_parameters: {
164    cache: true,
165    cache_key: { ignore_query_strings_order: true, custom_key: { query_string: { exclude: { all: true } } } },
166  },
167};
168 
169await client.zones.rulesets.phases.entrypoint.update("http_request_cache_settings", { zone_id: zoneId, rules: [cacheRule] });
170```
171 
172**Rationale**: Attackers randomize query strings (`?random=123456`) to bypass cache. Excluding query params ensures cache hits absorb attack traffic.
173 
174See [configuration.md](./configuration.md) for rule structure details.
175