Configure Network-layer DDoS Attack Protection via API

Configure the Cloudflare Network-layer DDoS Attack Protection managed ruleset by defining overrides at the account level using the Rulesets API.

Each account has the Network-layer DDoS Attack Protection managed ruleset enabled by default. This means that you do not need to deploy the managed ruleset to the ddos_l4 phase entry point ruleset explicitly. You only have to create a rule in the phase entry point to deploy the managed ruleset if you need to configure overrides.

Configure an override for the Network-layer DDoS Attack Protection managed ruleset

You can define overrides at the ruleset, tag, and rule level for all managed rulesets.

When configuring the Network-layer DDoS Attack Protection managed ruleset, use overrides to define a different action or sensitivity from the default values. For more information on these rule parameters and the allowed values, refer to Managed ruleset parameters.

Example

The following PUT example creates a new phase ruleset (or updates the existing one) for the ddos_l4 phase at the account level. The request includes several overrides to adjust the default behavior of the Network-layer DDoS Attack Protection managed ruleset. These overrides are the following:

All rules of the Network-layer DDoS Attack Protection managed ruleset will have their sensitivity set to medium.
All rules tagged with <TAG_NAME> will have their sensitivity set to low.
The rule with ID <MANAGED_RULESET_RULE_ID> will use the block action.

The overrides apply to all packets matching the rule expression: ip.dst in { 1.1.1.0/24 }.

Requestcurl --request PUT \https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets/phases/ddos_l4/entrypoint \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{  "description": "Define overrides for the Network-layer DDoS Attack Protection managed ruleset",  "rules": [    {      "action": "execute",      "expression": "ip.dst in { 1.1.1.0/24 }",      "action_parameters": {        "id": "<MANAGED_RULESET_ID>",        "overrides": {          "sensitivity_level": "medium",          "categories": [            {              "category": "<TAG_NAME>",              "sensitivity_level": "low"            }          ],          "rules": [            {              "id": "<MANAGED_RULESET_RULE_ID>",              "action": "block"            }          ]        }      }    }  ]}'

The response returns the created (or updated) phase entry point ruleset.

Response


{  "result": {    "id": "<PHASE_ENTRY_POINT_RULESET_ID>",    "name": "default",    "description": "Define overrides for the Network-layer DDoS Attack Protection managed ruleset",    "kind": "root",    "version": "1",    "rules": [      {        "id": "<RULE_ID>",        "version": "1",        "action": "execute",        "action_parameters": {          "id": "<MANAGED_RULESET_ID>",          "version": "latest",          "overrides": {            "categories": [              {                "category": "<TAG_NAME>",                "sensitivity_level": "low"              }            ],            "rules": [              {                "id": "<MANAGED_RULESET_RULE_ID>",                "action": "block"              }            ],            "sensitivity_level": "medium"          }        },        "expression": "ip.dst in { 1.1.1.0/24 }",        "last_updated": "2021-08-16T04:14:47.977741Z",        "ref": "<RULE_REF>",        "enabled": true      }    ],    "last_updated": "2021-08-16T04:14:47.977741Z",    "phase": "ddos_l4"  }
}

For more information on defining overrides for managed rulesets using the Rulesets API, refer to Override a managed ruleset.

Configure Network-layer DDoS Attack Protection via API

​​ Configure an override for the Network-layer DDoS Attack Protection managed ruleset

​​ Example

Configure an override for the Network-layer DDoS Attack Protection managed ruleset

Example